deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-07 01:57:21 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into other-prods-8743531

Browse Source
This commit is contained in:
Meghan Stewart 2024-02-27 11:57:09 -08:00
commit 712e431e42
639 changed files with 4049 additions and 36504 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1115
.openpublishing.redirection.browsers.json
View File

File diff suppressed because it is too large Load Diff

1945
.openpublishing.redirection.json
View File

File diff suppressed because it is too large Load Diff

385
.openpublishing.redirection.windows-configuration.json
View File

@ -30,16 +30,6 @@
"redirect_url": "/windows/configuration/configure-windows-diagnostic-data-in-your-organization",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
"redirect_url": "/windows/resources",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-powerbi.md",
"redirect_url": "/windows/resources",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/diagnostic-data-viewer-overview.md",
"redirect_url": "/windows/privacy/diagnostic-data-viewer-overview",
@ -280,111 +270,6 @@
"redirect_url": "/windows/configuration/windows-diagnostic-data",
"redirect_document_id": false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-feedback.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-o365.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-overview.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-1.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-1",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-2.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-2",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-3.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-3",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-4.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-4",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-5.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-5",
"redirect_document_id":false
},
{
"source_path":"windows/configuration/cortana-at-work/test-scenario-6.md",
"redirect_url":"/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-6",
"redirect_document_id":false
},
{
"source_path": "windows/configuration/windows-diagnostic-data.md",
"redirect_url": "/windows/privacy/windows-diagnostic-data",
@ -574,6 +459,276 @@
"source_path": "windows/configuration/windows-spotlight.md",
"redirect_url": "/windows/configuration/lock-screen/windows-spotlight",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
"redirect_url": "/windows/resources",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-crm.md",
"redirect_url": "/windows/resources",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-crm.md",
"redirect_url": "/windows/resources",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-powerbi.md",
"redirect_url": "/windows/resources",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-powerbi.md",
"redirect_url": "/windows/resources",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-powerbi.md",
"redirect_url": "/windows/resources",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-feedback.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-feedback.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-feedback.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-feedback",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-o365.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-o365.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-o365.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-o365",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-overview.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-overview.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-overview.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
"redirect_document_id": false
},
{
"source_path": "windows/manage/manage-cortana-in-enterprise.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-overview",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-policy-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-policy-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-policy-settings",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-1.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-scenario-1.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-scenario-1.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-1",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-scenario-2.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-scenario-2.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-2",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-scenario-3.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-scenario-3.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-3",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-scenario-4.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-scenario-4.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-4",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-scenario-5.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-scenario-5.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-scenario-6.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-scenario-6.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-6",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-scenario-7.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-scenario-7.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-scenario-7",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-testing-scenarios.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-testing-scenarios.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-testing-scenarios.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-testing-scenarios",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
"redirect_document_id": false
},
{
"source_path": "windows/configure/cortana-at-work-voice-commands.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
"redirect_document_id": false
},
{
"source_path": "windows/manage/cortana-at-work-voice-commands.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/cortana-at-work-voice-commands",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/test-scenario-1.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-1",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/test-scenario-2.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-2",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/test-scenario-3.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-3",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/test-scenario-4.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-4",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/test-scenario-5.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-5",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/test-scenario-6.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/test-scenario-6",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-10/configuration/cortana-at-work/testing-scenarios-using-cortana-in-business-org",
"redirect_document_id": false
}
]
}

17
education/docfx.json
View File

@ -42,7 +42,7 @@
"breadcrumb_path": "/education/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "Win.education",
@ -65,15 +65,16 @@
"v-stsavell",
"beccarobins",
"Stacyrch140",
"American-Dipper"
"American-Dipper",
"shdyas"
]
},
"fileMetadata": {
"appliesto":{
"appliesto": {
"windows/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11 SE</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11 SE</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
]
}
},
@ -81,5 +82,5 @@
"template": "op.html",
"dest": "education",
"markdownEngineName": "markdig"
}
}
}
}

19
store-for-business/docfx.json
View File

@ -54,27 +54,28 @@
"folder_relative_path_in_docset": "./"
}
},
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
"rmca14",
"claydetels19",
"Kellylorenebaker",
"jborsecnik",
"tiburd",
"AngelaMotherofDragons",
"dstrome",
"v-dihans",
"v-dihans",
"garycentric",
"v-stsavell",
"beccarobins",
"Stacyrch140",
"American-Dipper"
"American-Dipper",
"shdyas"
]
},
"fileMetadata": {},
"template": [],
"dest": "store-for-business",
"markdownEngineName": "markdig"
}
}
}
}

3
windows/application-management/app-v/appv-evaluating-appv.md
View File

@ -4,11 +4,12 @@ description: Learn how to evaluate App-V for Windows 10/11 in a lab environment
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Evaluating App-V

13
windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md
View File

@ -4,11 +4,12 @@ description: How to Install the App-V Databases and Convert the Associated Secur
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
@ -79,14 +80,14 @@ Before attempting this procedure, you should read and understand the information
               "  Pass the account(s) as space separated command line parameters. (For example 'ConvertToSID.exe DOMAIN\\Account1 DOMAIN\\Account2 ...'){0}" +
               "  The output is written to the console in the format 'Account name    SID as string   SID as hexadecimal'{0}" +
               "  And can be written out to a file using standard Windows PowerShell redirection{0}" +
               "  Please specify user accounts in the format 'DOMAIN\username'{0}" +
               "  Please specify user accounts in the format 'DOMAIN\username'{0}" +
               "  Please specify machine accounts in the format 'DOMAIN\machinename$'{0}" +
               "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" +
               "  For more help content, please run 'Get-Help ConvertToSID.ps1'{0}" +
               "{0}====== Arguments ======{0}" +
               "{0}  /?    Show this help message", [Environment]::NewLine)
               "{0}  /?    Show this help message", [Environment]::NewLine)
{
else
{ 
{ 
    #If an array was passed in, try to split it
    if($myArgs.Length -eq 1)
    {
@ -95,7 +96,7 @@ Before attempting this procedure, you should read and understand the information
    #Parse the arguments for account names
    foreach($accountName in $myArgs)
    {   
    {   
        [string[]] $splitString = $accountName.Split('\')  # We're looking for the format "DOMAIN\Account" so anything that does not match, we reject
        if($splitString.Length -ne 2)
        {

3
windows/application-management/app-v/appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md
View File

@ -4,11 +4,12 @@ description: How to Manage Connection Groups on a Stand-alone Computer by Using
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell

9
windows/application-management/app-v/appv-managing-connection-groups.md
View File

@ -4,11 +4,12 @@ description: Connection groups can allow administrators to manage packages indep
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Managing Connection Groups
@ -40,9 +41,9 @@ In some previous versions of App-V, connection groups were referred to as Dynami
- [Operations for App-V](appv-operations.md)

9
windows/application-management/app-v/appv-migrating-to-appv-from-a-previous-version.md
View File

@ -4,18 +4,19 @@ description: Learn how to migrate to Microsoft Application Virtualization (App-V
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Migrating to App-V from previous versions
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first.
To migrate from App-V 4.x to App-V for Windows 10/11, you must upgrade to App-V 5.x first.
## <a href="" id="bkmk-pkgconvimprove"></a>Improvements to the App-V Package Converter
@ -51,7 +52,7 @@ To understand the new process, review the following example `ConvertFrom-AppvLeg
**And you run this command:**
``` syntax
ConvertFrom-AppvLegacyPackage SourcePath \\OldPkgStore\ContosoApp\
ConvertFrom-AppvLegacyPackage SourcePath \\OldPkgStore\ContosoApp\
-DestinationPath \\NewPkgStore\ContosoApp\
-OSDsToIncludeInPackage X.osd,Y.osd
```
@ -88,7 +89,7 @@ Use the package converter utility to upgrade virtual application packages create
**Important**  
After you convert an existing package you should test the package prior to deploying the package to ensure the conversion process was successful.
**What to know before you convert existing packages**

3
windows/application-management/app-v/appv-modify-an-existing-virtual-application-package.md
View File

@ -4,11 +4,12 @@ description: Learn how to modify an existing virtual application package and add
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# How to Modify an Existing Virtual Application Package

7
windows/application-management/app-v/appv-modify-client-configuration-with-powershell.md
View File

@ -4,11 +4,12 @@ description: Learn how to modify the Application Virtualization (App-V) client c
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# How to Modify Client Configuration by Using Windows PowerShell
@ -28,8 +29,8 @@ Use the following procedure to configure the App-V client configuration.
`Set-AppVClientConfiguration Name1 MyConfig Name2 "xyz"`
<br>For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv).
## Related articles

3
windows/application-management/app-v/appv-move-the-appv-server-to-another-computer.md
View File

@ -4,11 +4,12 @@ description: Learn how to create a new management server console in your environ
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# How to move the App-V server to another computer

51
windows/application-management/app-v/appv-performance-guidance.md
View File

@ -4,11 +4,12 @@ description: Learn how to configure App-V for optimal performance, optimize virt
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Performance Guidance for Application Virtualization
@ -16,7 +17,7 @@ ms.subservice: itpro-apps
**Applies to**:
- Windows 7 SP1
- Windows 10
- Windows 10
- Windows 11
- Server 2012 R2
- Server 2016
@ -103,7 +104,7 @@ The following information displays the required steps to prepare the base image
#### Prepare the Base Image
- **Performance**:
- **Performance**:
- Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
- Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
@ -120,7 +121,7 @@ The following information displays the required steps to prepare the base image
- `AppData\Local\Microsoft\AppV\Client\VFS`
- `AppData\Roaming\Microsoft\AppV\Client\VFS`
- **Storage**:
- **Storage**:
- Enable the App-V client as described in [Enable the App-V in-box client](appv-enable-the-app-v-desktop-client.md).
- Enable UE-V and download the App-V Settings Template from the UE-V template Gallery, see the following steps.
@ -144,7 +145,7 @@ For critical App-V Client configurations and for a little more context and how-t
- **PreserveUserIntegrationsOnLogin**: If you have not pre-configured (**Add-AppvClientPackage**) a specific package and this setting isn't configured, the App-V Client will de-integrate* the persisted user integrations, then reintegrate*.
For every package that meets the above conditions, effectively twice the work will be done during publishing/refresh.
If you don't plan to pre-configure every available user package in the base image, use this setting.
- Configure in the Registry under `HKEY_LOCAL_MACHINE\Software\Microsoft\AppV\Client\Integration`.
@ -181,7 +182,7 @@ UE-V will only support removing the .lnk file type from the exclusion list in th
- If a user has an application installed on one device but not another with .lnk files enabled.
> [!Important]
> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
> This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.
Using the Microsoft Registry Editor (regedit.exe), navigate to `HKEY\_LOCAL\_MACHINE\Software\Microsoft\UEV\Agent\Configuration\ExcludedFileTypes` and remove `.lnk` from the excluded file types.
@ -200,10 +201,10 @@ To enable an optimized sign-in experience, for example the App-V approach for th
- Attaching and detaching a user profile disk (UPD) or similar technology that contains the user integrations.
> [!Note]
>
>
> App-V is supported when using UPD only when the entire profile is stored on the user profile disk.
>
> App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders.
>
> App-V packages are not supported when using UPD with selected folders stored in the user profile disk. The Copy on Write driver doesn't handle UPD selected folders.
- Capturing changes to the locations, which constitute the user integrations, prior to session sign out.
@ -246,50 +247,50 @@ Registry HKEY\_CURRENT\_USER
This following process is a step-by-step walk-through of the App-V and UPM operations, and the users' expectations.
- **Performance**: After implementing this approach in the VDI/RDSH environment, on first login,
- (Operation) A user-publishing/refresh is initiated.
- (Operation) A user-publishing/refresh is initiated.
(Expectation) If it's the first time that a user has published virtual applications (for example, non-persistent), this operation will take the usual duration of a publishing/refresh.
- (Operation) After the publishing/refresh, the UPM solution captures the user integrations.
(Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-out process. This result will incur the same/similar overhead as persisting the user state.
**On subsequent logins**:
- (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
(Expectation) There will be shortcuts present on the desktop, or in the start menu, which work immediately. When the publishing/refresh completes (that is, package entitlements change), some may go away.
- (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements.
- (Operation) Publishing/refresh will process unpublish and publish operations for changes in user package entitlements.
(Expectation) If there are no entitlement changes, publishing will complete in seconds. Otherwise, the publishing/refresh will increase relative to the number and complexity of virtual applications
The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.
The publishing operation (**Publish-AppVClientPackage**) adds entries to the user catalog, maps entitlement to the user, identifies the local store, and finishes by completing any integration steps.
- (Operation) UPM solution will capture user integrations again at sign off.
(Expectation) Same as previous.
**Outcome**:
**Outcome**:
- Because the user integrations are entirely preserved, there will be no work for example, integration for the publishing/refresh to complete. All virtual applications will be available within seconds of sign in.
- The publishing/refresh will process changes to the users-entitled virtual applications, which impacts the experience.
- **Storage**: After implementing this approach in the VDI/RDSH environment, on first login
- (Operation) A user-publishing/refresh is initiated.
- (Operation) A user-publishing/refresh is initiated.
(Expectation):
- If this instance is the first time a user has published virtual applications (for example, non-persistent), this will take the usual duration of a publishing/refresh.
- First and subsequent logins will be impacted by pre-configuring of packages (add/refresh).
- (Operation) After the publishing/refresh, the UPM solution captures the user integrations.
(Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state.
(Expectation) Depending on how the UPM solution is configured, this capture may occur as part of the sign-off process. This result will incur the same/similar overhead as persisting the user state.
**On subsequent logins**:
- (Operation) UPM solution applies the user integrations to the system prior to publishing/refresh.
- (Operation) Add/refresh must pre-configure all user targeted applications.
@ -300,7 +301,7 @@ This following process is a step-by-step walk-through of the App-V and UPM opera
- (Operation) Publishing/refresh will process unpublish and publish operations for changes to user package entitlements.
**Outcome**: Because the add/refresh must reconfigure all the virtual applications to the VM, the publishing refresh time on every login will be extended.
### <a href="" id="bkmk-plc"></a>Impact to Package Life Cycle
Upgrading a package is a crucial aspect of the package lifecycle. To help guarantee users have access to the appropriate upgraded (published) or downgraded (unpublished) virtual application packages, it's recommended you update the base image to reflect these changes. To understand why review the following section:
@ -380,7 +381,7 @@ Removing FB1 doesn't require the original application installer. After completin
"C:\\UpgradedPackages"
> [!Note]
> This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file.
> This cmdlet requires an executable (.exe) or batch file (.bat). You must provide an empty (does nothing) executable or batch file.
|Step|Considerations|Benefits|Tradeoffs|
|--- |--- |--- |--- |
@ -398,7 +399,7 @@ When publishing a virtual application package, the App-V Client will detect if a
|Step|Considerations|Benefits|Tradeoffs|
|--- |--- |--- |--- |
|Selectively Employ Dynamic Configuration files|The App-V client must parse and process these Dynamic Configuration files. <br> <br>Be conscious of size and complexity (script execution, VREG inclusions/exclusions) of the file.<br> <br>Numerous virtual application packages may already have User- or computerspecific dynamic configurations files.|Publishing times will improve if these files are used selectively or not at all.|Virtual application packages would need to be reconfigured individually or via the App-V server management console to remove associated Dynamic Configuration files.|
### Disabling a Dynamic Configuration by using Windows PowerShell

3
windows/application-management/app-v/appv-register-and-unregister-a-publishing-server-with-the-management-console.md
View File

@ -4,11 +4,12 @@ description: How to Register and Unregister a Publishing Server by Using the Man
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# How to Register and Unregister a Publishing Server by Using the Management Console

3
windows/application-management/app-v/appv-release-notes-for-appv-for-windows-1703.md
View File

@ -4,11 +4,12 @@ description: A list of known issues and workarounds for App-V running on Windows
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Release Notes for App-V for Windows 10 version 1703 and later

15
windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md
View File

@ -4,11 +4,12 @@ description: A list of known issues and workarounds for App-V running on Windows
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Release Notes for App-V for Windows 10, version 1607
@ -17,7 +18,7 @@ ms.subservice: itpro-apps
- Windows 10, version 1607
The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607.
## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client
There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the prerequisite check fails and causes the MSI to fail.
@ -28,20 +29,20 @@ There are MSI packages generated by an App-V sequencer from previous versions of
2. Ensure that you've installed the **MSI Tools** included in the Windows 10 SDK, available as follows:
- For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/windows/downloads).
- For the standalone Windows 10 SDK without other tools, see [Standalone Windows SDK](https://developer.microsoft.com/windows/downloads/windows-sdk).
3. Copy msidb.exe from the default path of the Windows SDK installation (**C:\Program Files (x86)\Windows Kits\10**) to a different directory. For example: **C:\MyMsiTools\bin**
4. From an elevated Windows PowerShell prompt, navigate to the following folder:
&lt;Windows Kits 10 installation folder&gt;**\Microsoft Application Virtualization\Sequencer\\**
By default, this path is:<br>**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer**
&lt;Windows Kits 10 installation folder&gt;**\Microsoft Application Virtualization\Sequencer\\**
By default, this path is:<br>**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer**
5. Run the following command:
`Update-AppvPackageMsi -MsiPackage "<path to App-V Package .msi file>" -MsSdkPath "<path>"`
`Update-AppvPackageMsi -MsiPackage "<path to App-V Package .msi file>" -MsSdkPath "<path>"`
where the path is to the new directory (**C:\MyMsiTools\ for this example**).

11
windows/application-management/app-v/appv-running-locally-installed-applications-inside-a-virtual-environment.md
View File

@ -4,11 +4,12 @@ description: Running a Locally Installed Application Inside a Virtual Environmen
author: aczechowski
ms.service: windows-client
ms.date: 03/08/2018
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications
@ -81,10 +82,10 @@ Starting with App-V 5.0 SP3, when using RunVirtual, you can publish packages glo
The application in the previous example would produce a registry export file (.reg file) like the following example:
```registry
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe]
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual]
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AppV\Client\RunVirtual\MyApp.exe]
@="aaaaaaaa-bbbb-cccc-dddd-eeeeeeee_11111111-2222-3333-4444-555555555
```

9
windows/application-management/app-v/appv-sequence-a-package-with-powershell.md
View File

@ -4,11 +4,12 @@ description: Learn how to sequence a new Microsoft Application Virtualization (A
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# How to Sequence a Package by using Windows PowerShell
@ -20,7 +21,7 @@ Use the following procedure to create a new App-V package using Windows PowerShe
> [!NOTE]
> Before you use this procedure you must copy the associated installer files to the computer running the sequencer and you have read and understand the sequencer section of [Planning for the App-V Sequencer and Client Deployment](appv-planning-for-sequencer-and-client-deployment.md).
**To create a new virtual application by using Windows PowerShell**
1. Install the App-V sequencer. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md).
@ -60,10 +61,10 @@ The following list displays additional optional parameters that can be used with
- FullLoad - specifies that the package must be fully downloaded to the computer running the App-V before it can be opened.
Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
Starting with Windows 10 version 1703, the `new-appvsequencerpackage` or the `update-appvsequencepackage` cmdlets automatically capture and store all of your customizations as an App-V project template. If you want to make changes to this package later, your customizations are automatically loaded from this template file.
> [!IMPORTANT]
> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template.
> If you have an auto-saved template and you attempt to load another template through the _TemplateFilePath_ parameter, the customization value from the parameter will override the auto-saved template.
## Related articles

3
windows/application-management/app-v/appv-technical-reference.md
View File

@ -4,11 +4,12 @@ description: Learn strategy and context for many performance optimization practi
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Technical Reference for App-V

3
windows/application-management/app-v/appv-transfer-access-and-configurations-to-another-version-of-a-package-with-the-management-console.md
View File

@ -4,11 +4,12 @@ description: How to Transfer Access and Configurations to Another Version of a P
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# How to Transfer Access and Configurations to Another Version of a Package by Using the Management Console

3
windows/application-management/app-v/appv-troubleshooting.md
View File

@ -4,11 +4,12 @@ description: Learn how to find information about troubleshooting Application Vir
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Troubleshooting App-V

29
windows/application-management/app-v/appv-upgrading-to-app-v-for-windows-10-from-an-existing-installation.md
View File

@ -4,18 +4,19 @@ description: Learn about upgrading to Application Virtualization (App-V) for Win
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Upgrading to App-V for Windows client from an existing installation
[!INCLUDE [Applies to Windows client versions](../includes/applies-to-windows-client-versions.md)]
If youre already using App-V and youre planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client.
If youre already using App-V and youre planning to upgrade user devices to Windows 10/11, you need to make only the following few adjustments to your existing environment to start using App-V for Windows client.
1. [Upgrade user devices to Windows 10/11](#upgrade-user-devices-to-windows-1011). Performing an in-place upgrade automatically installs the App-V client and migrates users App-V applications and settings.
@ -31,11 +32,11 @@ These steps are explained in more detail below.
## Upgrade user devices to Windows 10/11
Performing an in-place upgrade automatically installs the App-V client and migrates users App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices.
Performing an in-place upgrade automatically installs the App-V client and migrates users App-V applications and settings. See the [Windows document set](/windows/windows-10/) for information about upgrading user devices.
## Verify that App-V applications and settings were migrated correctly
After upgrading a user device, its important to verify that App-V applications and settings were migrated correctly during the upgrade.
After upgrading a user device, its important to verify that App-V applications and settings were migrated correctly during the upgrade.
To verify that the users App-V application packages were migrated correctly, type `Get-AppvClientPackage` in Windows PowerShell.
@ -43,13 +44,13 @@ To verify that the users App-V settings were migrated correctly, type `Get-Ap
## Enable the in-box App-V client
With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell.
With Windows 10/11, the App-V client is installed automatically. You need to enable the client to allow user devices to access and run virtual applications. You can enable the client with the Group Policy editor or with Windows PowerShell.
**To enable the App-V client with Group Policy**
1. Open the devices **Group Policy Editor**.
2. Navigate to **Computer Configuration > Administrative Templates > System > App-V**.
2. Navigate to **Computer Configuration > Administrative Templates > System > App-V**.
3. Run **Enables App-V Client** and then select **Enabled** on the screen that appears.
@ -71,27 +72,27 @@ Once youve enabled the in-box App-V client, you need to configure it to point
**To modify client settings to point to an existing App-V publishing server with Windows PowerShell**
Type the following cmdlet in a Windows PowerShell window:
Type the following cmdlet in a Windows PowerShell window:
`Add-AppvPublishingServer -Name AppVServer -URL https:// appvserver:2222`
`Add-AppvPublishingServer -Name AppVServer -URL https:// appvserver:2222`
**To modify client settings to point to an existing App-V publishing server with Group Policy**
**To modify client settings to point to an existing App-V publishing server with Group Policy**
1. Open the devices **Local Group Policy Editor**.
2. Navigate to **Computer Configuration > Administrative Templates > System > App-V > Publishing**.
2. Navigate to **Computer Configuration > Administrative Templates > System > App-V > Publishing**.
3. Enter your existing App-V publishing servers details in **Options** and then click or press **Apply**.
## Verify that the in-box App-V client can receive and launch .appv packages
1. Add and publish a package using the following Windows PowerShell cmdlets:
1. Add and publish a package using the following Windows PowerShell cmdlets:
`Add-AppvClientPackage \\path\to\appv\package.appv | Publish-AppvClientPackage`
`Add-AppvClientPackage \\path\to\appv\package.appv | Publish-AppvClientPackage`
2. Launch the published package.
2. Launch the published package.
3. Unpublish an existing package use the following cmdlet:
3. Unpublish an existing package use the following cmdlet:
`Unpublish-AppvClientPackage "ContosoApplication"`

5
windows/application-management/app-v/appv-using-the-client-management-console.md
View File

@ -4,11 +4,12 @@ description: Learn how to use the Application Virtualization (App-V) client mana
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Using the App-V Client Management Console
@ -25,7 +26,7 @@ The App-V client has associated settings that can be configured to determine how
- [How to Modify Client Configuration by Using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)
- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
- [How to Configure the Client to Receive Package and Connection Groups Updates From the Publishing Server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
## <a href="" id="the-app-v-5-1-client-management-console-"></a>The App-V client management console

3
windows/application-management/app-v/appv-view-and-configure-applications-and-default-virtual-application-extensions-with-the-management-console.md
View File

@ -4,11 +4,12 @@ description: How to View and Configure Applications and Default Virtual Applicat
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# How to View and Configure Applications and Default Virtual Application Extensions by Using the Management Console

3
windows/application-management/app-v/appv-viewing-appv-server-publishing-metadata.md
View File

@ -4,11 +4,12 @@ description: Use this procedure to view App-V Server publishing metadata, which
author: aczechowski
ms.service: windows-client
ms.date: 04/19/2017
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: aaroncz
ms.collection: must-keep
ms.subservice: itpro-apps
ms.topic: article
---
# Viewing App-V Server Publishing Metadata

11
windows/application-management/docfx.json
View File

@ -43,7 +43,7 @@
"ms.service": "windows-client",
"ms.subservice": "itpro-apps",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-app-management",
@ -62,9 +62,12 @@
"beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
"American-Dipper",
"shdyas"
],
"searchScope": ["Windows 10"]
"searchScope": [
"Windows 10"
]
},
"fileMetadata": {
"feedback_system": {
@ -75,4 +78,4 @@
"dest": "win-app-management",
"markdownEngineName": "markdig"
}
}
}

5
windows/client-management/docfx.json
View File

@ -49,7 +49,7 @@
"author": "vinaypamnani-msft",
"manager": "aaroncz",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-client-management",
@ -69,7 +69,8 @@
"american-dipper",
"angelamotherofdragons",
"v-stsavell",
"stacyrch140"
"stacyrch140",
"shdyas"
],
"searchScope": [
"Windows 10"

3
windows/client-management/mdm/dmclient-csp.md
View File

@ -14,6 +14,9 @@ ms.date: 01/18/2024
<!-- DMClient-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
> [!NOTE]
> The DMClient CSP nodes are intended to be configured by the MDM server to manage device configuration and security features. Custom URI settings for this CSP are not supported for IT admin management scenarios due to the complexity of the settings.
<!-- DMClient-Editable-End -->
<!-- DMClient-Tree-Begin -->

55
windows/client-management/mdm/policy-csp-mixedreality.md
View File

@ -1,7 +1,7 @@
---
title: MixedReality Policy CSP
description: Learn more about the MixedReality Area in Policy CSP.
ms.date: 01/31/2024
ms.date: 02/20/2024
---
<!-- Auto-Generated CSP Document -->
@ -272,6 +272,59 @@ This policy controls if the HoloLens displays will be automatically adjusted for
<!-- AutomaticDisplayAdjustment-End -->
<!-- AutoUnlock-Begin -->
## AutoUnlock
<!-- AutoUnlock-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ✅ User | ❌ Pro <br> ❌ Enterprise <br> ❌ Education <br> ❌ Windows SE <br> ❌ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- AutoUnlock-Applicability-End -->
<!-- AutoUnlock-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/MixedReality/AutoUnlock
```
```Device
./Device/Vendor/MSFT/Policy/Config/MixedReality/AutoUnlock
```
<!-- AutoUnlock-OmaUri-End -->
<!-- AutoUnlock-Description-Begin -->
<!-- Description-Source-DDF -->
This policy controls whether a signed-in user will be prompted for credentials when returning to the device after the device has entered suspended state. This policy is available both for the device as well as the user scope. When enabled for the device scope, auto unlock will be enabled for all users on the device. When enabled for the user scope, only the specific user will have auto unlock enabled.
<!-- AutoUnlock-Description-End -->
<!-- AutoUnlock-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AutoUnlock-Editable-End -->
<!-- AutoUnlock-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AutoUnlock-DFProperties-End -->
<!-- AutoUnlock-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | User will be prompted for credentials. |
| 1 | User won't be prompted for credentials. |
<!-- AutoUnlock-AllowedValues-End -->
<!-- AutoUnlock-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AutoUnlock-Examples-End -->
<!-- AutoUnlock-End -->
<!-- BrightnessButtonDisabled-Begin -->
## BrightnessButtonDisabled

20
windows/configuration/docfx.json
View File

@ -47,7 +47,7 @@
"author": "paolomatarazzo",
"manager": "aaroncz",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-configuration",
@ -66,31 +66,34 @@
"beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
"American-Dipper",
"shdyas"
],
"searchScope": ["Windows 10"]
"searchScope": [
"Windows 10"
]
},
"fileMetadata": {
"feedback_system": {
"ue-v/**/*.*": "None"
},
"author":{
"author": {
"wcd//**/*.md": "aczechowski",
"wcd//**/*.yml": "aczechowski",
"ue-v//**/*.md": "aczechowski",
"ue-v//**/*.yml": "aczechowski"
},
"ms.author":{
"ms.author": {
"wcd//**/*.md": "aaroncz",
"wcd//**/*.yml": "aaroncz",
"ue-v//**/*.md": "aaroncz",
"ue-v//**/*.yml": "aaroncz"
},
"ms.reviewer":{
"ms.reviewer": {
"kiosk//**/*.md": "sybruckm",
"start//**/*.md": "ericpapa"
},
"ms.collection":{
"ms.collection": {
"wcd//**/*.md": "must-keep",
"ue-v//**/*.md": [
"must-keep",
@ -112,5 +115,4 @@
"dest": "win-configuration",
"markdownEngineName": "markdig"
}
}
}

12
windows/deployment/deploy-enterprise-licenses.md
View File

@ -177,7 +177,7 @@ Once Windows Setup finishes, the user is automatically signed in and the device
Open the **Accounts** > **Access work or school** pane in the **Settings** app by selecting the following link:
> [!div class="nextstepaction"]
> [Activation](ms-settings:workplace)
> [Access work or school](ms-settings:workplace)
or
@ -359,6 +359,8 @@ A device is healthy when both the subscription and activation are active. If the
slmgr /dlv
```
For more information on **Slmgr**, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
## Troubleshoot the user experience
In some instances, users might experience problems with activation of the Windows Enterprise E3 or E5 subscription. The most common problems that users might experience are the following issues:
@ -482,10 +484,6 @@ Use the following guides to verify each one of these requirements:
For more information, see [Assigning licenses to users](#assigning-licenses-to-users).
### Delay in the activation of Enterprise license of Windows
There might be a delay in the activation of the Enterprise license in Windows. This delay is by design. Windows uses a built-in cache when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
## Known issues
- If a device isn't able to connect to Windows Update, it can lose activation status or be blocked from upgrading to Windows Enterprise. Make sure that Windows Update isn't blocked on the device:
@ -520,6 +518,10 @@ There might be a delay in the activation of the Enterprise license in Windows. T
>
> Make sure to first check the group policy of **Do not connect to any Windows Update Internet locations**. If the policy is **Enabled**, then this registry key will eventually be reset back to `1` even after it's manually set to `0` via `reg.exe`. Setting the policy of **Do not connect to any Windows Update Internet locations** to **Disabled** or **Not Configured** will make sure the registry value remains as `0`.
- Delay in the activation of Enterprise license of Windows.
There might be a delay in the activation of the Enterprise license in Windows. This delay is by design. Windows uses a built-in cache when determining upgrade eligibility. This behavior includes processing responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires.
## Virtual Desktop Access (VDA)
Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant host.

6
windows/deployment/do/delivery-optimization-proxy.md
View File

@ -10,7 +10,7 @@ manager: aaroncz
ms.reviewer: mstewart
ms.collection: tier3
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
@ -21,11 +21,11 @@ ms.date: 06/02/2023
When Delivery Optimization downloads content from HTTP sources, it uses the automatic proxy discovery capability of WinHttp to streamline and maximize the support for complex proxy configurations as it makes range requests from the content server. It does this by setting the **WINHTTP_ACCESS_TYPE_AUTOMATIC_PROXY** flag in all HTTP calls.
Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
Delivery Optimization provides a token to WinHttp that corresponds to the user that is signed in currently. In turn, WinHttp automatically authenticates the user against the proxy server set either in Internet Explorer or in the **Proxy Settings** menu in Windows.
For downloads that use Delivery Optimization to successfully use the proxy, you should set the proxy via Windows **Proxy Settings** or the Internet Explorer proxy settings.
Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the “NetworkService” context if proxy authentication is required.
Setting the Internet Explorer proxy to apply device-wide will ensure that the device can access the proxy server even when no user is signed in. In this case, the proxy is accessed with the "NetworkService" context if proxy authentication is required.
> [!NOTE]
> We don't recommend that you use `netsh winhttp set proxy ProxyServerName:PortNumber`. Using this offers no auto-detection of the proxy, no support for an explicit PAC URL, and no authentication to the proxy. This setting is ignored by WinHTTP for requests that use auto-discovery (if an interactive user token is used).

54
windows/deployment/do/delivery-optimization-test.md
View File

@ -10,9 +10,9 @@ ms.reviewer: mstewart
manager: aaroncz
ms.collection: tier3
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 11/08/2022
---
@ -21,42 +21,48 @@ ms.date: 11/08/2022
## Overview
Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to Win10+ and provides default configuration to get the most out of the typical customer environment. It's used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization, 1) HTTP downloader, 2) Peer-to-peer (P2P) cloud technology, and 3) Microsoft Connected Cache. One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments.
Delivery Optimization is a powerful and useful tool to help enterprises manage bandwidth usage for downloading Microsoft content. It's a solution designed to be used in large-scale environments with large numbers of devices, various content sizes, etc. Delivery Optimization is native to currently supported versions of Windows and provides default configuration to get the most out of the typical customer environment. Delivery Optimization is used to deliver many different types of content, so Microsoft customers enjoy the best possible download experience for their environment. There are three components to Delivery Optimization:
1. HTTP downloader.
1. Peer-to-peer (P2P) cloud technology.
1. Microsoft Connected Cache.
One of the most powerful advantages of using Delivery Optimization is the ability to fine-tune settings that empower users to dial in Microsoft content delivery to meet the needs of specific environments.
## Monitoring The Results
Since Delivery Optimization is on by default, you'll be able to monitor the value either through the Windows Settings for Delivery Optimization, using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report.](../update/wufb-reports-workbook.md) experience in Azure.
Since Delivery Optimization is on by default, you're able to monitor the value either through the Windows Settings for 'Delivery Optimization' using Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md), and/or via the [Windows Update for Business Report](../update/wufb-reports-workbook.md) experience in Azure.
In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, Scenario 1: Basic Setup should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests.
In the case where Delivery Optimization isn't working in your environment, it's important to investigate to get to the root of the problem. We recommend a test environment be created to easily evaluate typical devices to ensure Delivery Optimization is working properly. For starters, 'Scenario 1: Basic Setup' should be created to test the use of Delivery Optimization between two machines. This scenario is designed to eliminate any noise in the environment to ensure there's nothing preventing Delivery Optimization from working on the devices. Once you have a baseline, you can expand the test environment for more sophisticated tests.
## Expectations and Goals
The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal will be to show peer to peer is working as expected, using the following criteria:
The focus of the testing scenarios in this article is primarily centered on demonstrating the Delivery Optimization policies centered around the successful downloading of bytes using P2P. More specifically, the goal is to show peer to peer is working as expected, using the following criteria:
* Peers can find each other (for example on the same LAN / subnet / Group matching your 'Download Mode' policy).
* Peers can find each other (for example on the same LAN / subnet / Group - matching your 'Download Mode' policy).
* Files are downloading in the expected 'Download Mode' policy setting (validates connectivity to DO cloud, HTTP, and local configs).
* At least some downloads happening via P2P (validates connectivity between peers).
Several elements that influence overall peering, using Delivery Optimization. The most common, impactful environment factors should be considered.
* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device may not be serving a particular file.
* **The number of files in the cache and** **the** **number of devices have a big effect on overall peering.** There's a set number of files available for peering at a time, from each client, so the peering device might not be serving a particular file.
* **File size** **and** **internet connection** **reliability matter.** There's a Delivery Optimization setting to determine the minimum file size to use P2P. In addition, an internet connection must be open and reliable enough to let the Delivery Optimization client make cloud service API calls and download metadata files before starting a file download.
* **Delivery Optimization Policies can play a role.** In general, it's important to familiarize yourself with the Delivery Optimization settings and defaults [Delivery Optimization reference - Windows Deployment | Microsoft Docs.](waas-delivery-optimization-reference.md).
### Delivery Optimization is a Hybrid P2P Platform
* Delivery Optimizations hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimizations ability to find bandwidth savings as more peers become available.
* Delivery Optimization's hybrid approach to downloading from multiple sources (HTTP and peer) in parallel is especially critical for large-scale environments, constantly assessing the optimal source from which to deliver the content. In conjunction, the distribution of content cache, across participating devices, contributes to Delivery Optimization's ability to find bandwidth savings as more peers become available.
* At the point a download is initiated, the DO client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP.
* At the point a download is initiated, the Delivery Optimization client starts downloading from the HTTP source and discovering peers simultaneously. With a smaller file, most of the bytes could be downloaded from an HTTP source before connecting to a peer, even though peers are available. With a larger file and quality LAN peers, it might reduce the HTTP request rate to near zero, but only after making those initial requests from HTTP.
* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers, which shows Delivery Optimization continuously evaluating the optimal location from which to download the content.
* In the next section, you'll see how the two testing scenarios produce differing results in the number of bytes coming from HTTP vs. peers. These scenarios show Delivery Optimization continuously evaluating the optimal location from which to download the content.
## Test Scenarios
### Scenario 1: Basic Setup
**Goal:**
Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment
Demonstrate how Delivery Optimization peer-to-peer technology works using two machines in a controlled test environment.
**Expected Results:**
Machine 1 will download zero bytes from peers and Machine 2 will download 50-99% from peers.
@ -72,9 +78,9 @@ Machine 1 will download zero bytes from peers and Machine 2 will download 50-99%
|Disk size | 127 GB |
|Network | Connected to same network, one that is representative of the corporate network. |
|Pause Windows Updates | This controls the test environment so no other content is made available during the test, and potentially altering the outcome of the test. If there are problems and no peering happens, use 'Get-DeliveryOptimizationStatus' on the first machine to return a real-time list of the connected peers. |
|Ensure all Store apps are up to date | This will help prevent any new, unexpected updates to download during testing. |
|Ensure all Store apps are up to date | This helps prevent any new, unexpected updates to download during testing. |
|Delivery Optimization 'Download Mode' Policy | 2 (Group)(set on each machine) |
|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, [[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/). |
|Delivery Optimization 'GroupID' Policy | Set the *same* 'GUID' on each test machine. A GUID is a required value, which can be generated using PowerShell, '[[guid]::NewGuid().](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/)'. |
|**Required on Windows 11 devices only** set Delivery Optimization 'Restrict Peer Selection' policy | 0-NAT (set on each machine). The default behavior in Windows 11 is set to '2-Local Peer Discovery'. For testing purposes, this needs to be scoped to the NAT. |
#### Test Instructions
@ -126,7 +132,7 @@ Machine 1 will download zero bytes from peers and Machine 2 will find peers and
|Disk size | 127 GB |
|Network | Connected to same network, one that is representative of the corporate network. |
|Delivery Optimization 'Download Mode' Policy| 2 (Group)(set on each machine) |
|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)'. |
|Delivery Optimization 'Group ID' Policy| Set the *same* 'GUID' on each test machine. A GUID is required value, which can be generated using PowerShell, '[guid]::NewGuid().](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/)'. |
|Delivery Optimization 'Delay background download from http' Policy | 60 (set on each machine) |
|Delivery Optimization 'Delay foreground download from http Policy |60 (set on each machine) |
@ -134,13 +140,13 @@ Machine 1 will download zero bytes from peers and Machine 2 will find peers and
The following set of instructions will be used for each machine:
1. Clear the DO cache: Delete-DeliveryOptimizationCache.
1. Clear the DO cache: 'Delete-DeliveryOptimizationCache'.
2. Open MS Store and search for 'Asphalt Legends 9'. Select *Get* to initiate the download of the content (content size: ~3.4 GB).
3. Open PowerShell console as Administrator. Run 'Get-DeliveryOptimizationStatus'.
**On machine #1:**
* Run Test Instructions
* Run 'Test Instructions'
**Output: Windows 10 (21H2)**
@ -149,14 +155,14 @@ The following set of instructions will be used for each machine:
**Observations**
* The first download in the group of devices shows all bytes coming from HTTP, 'BytesFromHttp'.
* Download is in the Foreground because the Store app is doing the download and in the foreground on the device because it is initiated by the user in the Store app.
* Download is in the 'Foreground' because the Store app is doing the download and in the foreground on the device because it's initiated by the user in the Store app.
* No peers are found.
*Wait 5 minutes*.
**On machine #2:**
* Run Test Instructions
* Run 'Test Instructions'
**Output** Windows 10 (21H2)
@ -171,7 +177,7 @@ The following set of instructions will be used for each machine:
**On machine #3:**
* Run Test Instructions
* Run 'Test Instructions'
**Output:** Windows 10 (21H2)
@ -185,8 +191,8 @@ The following set of instructions will be used for each machine:
## Peer sourcing observations for all machines in the test group
The distributed nature of the Delivery Optimization technology is obvious when you rerun the Get-DeliveryOptimizationStatus cmdlet on each of the test machines. For each, there's a new value populated for the BytesToLanPeers field. This demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other.
The distributed nature of the Delivery Optimization technology is obvious when you rerun the 'Get-DeliveryOptimizationStatus' cmdlet on each of the test machines. For each, there's a new value populated for the 'BytesToLanPeers' field. This test demonstrates that as more peers become available, the requests to download bytes are distributed across the peering group and act as the source for the peering content. Each peer plays a role in servicing the other.
**Output:** Machine 1
'BytesToPeers' sourced from Machine 1 are '5704426044'. This represents the total number of bytes downloaded by the two peers in the group.
@ -207,8 +213,8 @@ The distributed nature of the Delivery Optimization technology is obvious when y
## Conclusion
Using Delivery Optimization can help make a big impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device.
Using Delivery Optimization can help make a significant impact in customer environments to optimize bandwidth. The peer-to-peer technology offers many configurations designed to be flexible for any organization. Delivery Optimization uses a distributed cache across different sources to ensure the most optimal download experience, while limiting the resources used on each device.
The testing scenarios found in this document help to show a controlled test environment, helping to prevent updates from interrupting the peering results. The other, a more real-world case, demonstrates how content available across peers will be used as the source of the content.
If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets.](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment.
If there are issues found while testing, the Delivery Optimization PowerShell [cmdlets](waas-delivery-optimization-setup.md) can be a helpful tool to help explain what is happening in the environment.

133
windows/deployment/do/waas-delivery-optimization-faq.yml
View File

@ -15,19 +15,66 @@ metadata:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2019, and later</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 07/31/2023
title: Delivery Optimization Frequently Asked Questions
ms.date: 02/16/2024
title: Frequently Asked Questions about Delivery Optimization
summary: |
Frequently Asked Questions for Delivery Optimization
This article answers frequently asked questions about Delivery Optimization.
sections:
- name: Ignored
**General questions**:
- [What Delivery Optimization settings are available?](#what-delivery-optimization-settings-are-available)
- [Does Delivery Optimization work with WSUS?](#does-delivery-optimization-work-with-wsus)
- [How are downloads initiated by Delivery Optimization?](#how-are-downloads-initiated-by-delivery-optimization)
- [Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?](#delivery-optimization-is-downloading-windows-content-on-my-devices-directly-from-an-ip-address--is-it-expected)
- [How do I turn off Delivery Optimization?](#how-do-i-turn-off-delivery-optimization)
**Network related configuration questions**:
- [Which ports does Delivery Optimization use?](#which-ports-does-delivery-optimization-use)
- [What are the requirements if I use a proxy?](#what-are-the-requirements-if-i-use-a-proxy)
- [What hostnames should I allow through my firewall to support Delivery Optimization?](#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization)
- [My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?How do I configure it to download content with Delivery Optimization?](#my-firewall-requires-ip-addresses-and-can-t-process-fqdns--how-do-i-configure-it-to-download-content-with-delivery-optimization)
- [What is the recommended configuration for Delivery Optimization used with cloud proxies?](#what-is-the-recommended-configuration-for-delivery-optimization-used-with-cloud-proxies)
**Peer-to-Peer related questions**:
- [How does Delivery Optimization determine which content is available for peering?](#how-does-delivery-optimization-determine-which-content-is-available-for-peering)
- [Does Delivery Optimization use multicast?](#does-delivery-optimization-use-multicast)
- [How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?](#how-does-delivery-optimization-deal-with-congestion-on-the-router-from-peer-to-peer-activity-on-the-lan)
- [How does Delivery Optimization handle VPNs?](#how-does-delivery-optimization-handle-vpns)
- [How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?](#how-does-delivery-optimization-handle-networks-where-a-public-ip-address-is-used-in-place-of-a-private-ip-address)
**Device resources questions**:
- [Delivery Optimization is using device resources and I can't tell why?](#delivery-optimization-is-using-device-resources-and-i-can-t-tell-why)
sections:
- name: General questions
questions:
- question: What Delivery Optimization settings are available?
answer: |
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with controls on bandwidth, time of day, etc.
- question: Does Delivery Optimization work with WSUS?
answer: Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
answer: |
Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination.
- question: How are downloads initiated by Delivery Optimization?
answer: |
Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
- question: Delivery Optimization is downloading Windows content on my devices directly from an IP address, is it expected?
answer: |
When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your internet service provider, the download will be pulled directly from the IP address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available.
- question: How do I turn off Delivery Optimization?
answer: |
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
> [!NOTE]
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
- name: Network related configuration questions
questions:
- question: Which ports does Delivery Optimization use?
answer: |
Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data).
@ -35,10 +82,9 @@ sections:
Delivery Optimization uses Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up.
Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80.
- question: What are the requirements if I use a proxy?
answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
answer: |
For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
- question: What hostnames should I allow through my firewall to support Delivery Optimization?
answer: |
**For communication between clients and the Delivery Optimization cloud service**:
@ -58,29 +104,37 @@ sections:
- `win1910.ipv6.microsoft.com`
For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
- question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
answer: |
Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks.
The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
- question: Delivery Optimization is downloading Windows content on my devices directly from an IP Address, is it expected?
answer: |
When Delivery Optimization downloads from a [Microsoft Connected Cache](waas-microsoft-connected-cache.md) server that is hosted by your Internet Service Provider, the download will be pulled directly from the IP Address of that server. If the Microsoft Connected cache isn't available, the download will fall back seamlessly to the CDN instead. Delivery Optimization Peers are used in parallel if available.
The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
- question: What is the recommended configuration for Delivery Optimization used with cloud proxies?
answer: |
The recommended configuration for Delivery Optimization peer-to-peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct internet access and bypass the cloud proxy service:
- question: Does Delivery Optimization use multicast?
answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
- `*.prod.do.dsp.mp.microsoft.com`
If allowing direct internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
- name: Peer-to-Peer related questions
questions:
- question: How does Delivery Optimization determine which content is available for peering?
answer: |
Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
- question: Does Delivery Optimization use multicast?
answer: |
No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
- question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?
answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
answer: |
Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819).
- question: How does Delivery Optimization handle VPNs?
answer: |
Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure."
If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable peer caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy.
If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN.
If you have defined a boundary group in Microsoft Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN.
With split tunneling, make sure to allow direct access to these endpoints:
@ -101,7 +155,6 @@ sections:
- `https://tsfe.trafficshaping.dsp.mp.microsoft.com`
For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444).
- question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address?
answer: |
Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode.
@ -109,36 +162,8 @@ sections:
> [!NOTE]
> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers.
- question: How are downloads initiated by Delivery Optimization?
answer: |
Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
- question: How does Delivery Optimization determine which content is available for peering?
answer: |
Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots.
- question: What is the recommended configuration for Delivery Optimization used with cloud proxies (for example, Zscaler)?
answer: |
The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service:
- `*.prod.do.dsp.mp.microsoft.com`
If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
- question: How do I turn off Delivery Optimization?
answer: |
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
> [!NOTE]
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
- name: Device resources questions
questions:
- question: Delivery Optimization is using device resources and I can't tell why?
answer: |
Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download.
- question: What Delivery Optimization settings are available?
answer: |
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc.

20
windows/deployment/do/waas-delivery-optimization-reference.md
View File

@ -10,11 +10,11 @@ manager: aaroncz
ms.reviewer: mstewart
ms.collection: tier3
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
ms.date: 07/31/2023
ms.date: 02/14/2024
---
# Delivery Optimization reference
@ -59,8 +59,8 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| [Set hours to limit foreground download bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) |DOSetHoursToLimitForegroundDownloadBandwidth | 1803 | Default isn't set. |
| [Delay background download from HTTP (in secs)](#delay-background-download-from-http-in-secs) | DODelayBackgroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
| [Delay foreground download from HTTP (in secs)](#delay-foreground-download-from-http-in-secs) | DODelayForegroundDownloadFromHttp | 1803 | Default isn't set. For peering, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
| [Delay background download Cache Server fallback (in secs)](#delay-background-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackBackground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options.|
| [Delay foreground download Cache Server fallback (in secs)](#delay-foreground-download-cache-server-fallback-in-secs) | DelayCacheServerFallbackForeground | 1903 | Default isn't set. For Microsoft Connected Cache content, use this policy to delay the fallback to the HTTP source. [Learn more](#policies-to-prioritize-the-use-of-peer-to-peer-and-cache-server-sources) about the different delay options. |
| [Cache Server Hostname](#cache-server-hostname) | DOCacheHost | 1809 | No value is set as default. |
| [Cache Server Hostname Source](#cache-server-hostname-source) | DOCacheHostSource | 2004 | No value is set as default. |
| [Maximum download bandwidth](#maximum-download-bandwidth) | DOMaxDownloadBandwidth | 1607 (deprecated in Windows 10, version 2004); use [Maximum background download bandwidth (in KB/s)](#maximum-background-download-bandwidth-in-kbs) or [Maximum foreground download bandwidth (in KB/s)](#maximum-foreground-download-bandwidth-in-kbs) instead)| Default is '0' which will dynamically adjust. |
@ -144,7 +144,7 @@ MDM Setting: **DOGroupID**
By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but don't fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group.
>[!NOTE]
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://blogs.technet.microsoft.com/heyscriptingguy/2013/07/25/powertip-create-a-new-guid-by-using-powershell/)
>To generate a GUID using Powershell, use [```[guid]::NewGuid()```](https://devblogs.microsoft.com/scripting/powertip-create-a-new-guid-by-using-powershell/)
>
>This configuration is optional and not required for most implementations of Delivery Optimization.
@ -161,9 +161,9 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection
- 4 = DNS Suffix
- 5 = Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The default behavior, when the GroupID or GroupIDSource policies aren't set, is to determine the Group ID using AD Site (1), Authenticated domain SID (2) or Microsoft Entra tenant ID (5), in that order. If GroupIDSource is set to either DHCP Option ID (3) or DNS Suffix (4) and those methods fail, the default behavior is used instead. The option set in this policy only applies to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. If you set the value to anything other than 0-5, the policy is ignored.
### Minimum RAM (inclusive) allowed to use Peer Caching
### Minimum RAM (inclusive) allowed to use Peer Caching
MDM Setting: **DOMinRAMAllowedToPeer**
@ -207,7 +207,7 @@ This setting specifies the minimum content file size in MB enabled to use Peer C
MDM Setting: **DOMaxDownloadBandwidth**
Deprecated in Windows 10, version 2004.
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimize the maximum bandwidth used.
This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization dynamically adjusts and optimizes the maximum bandwidth used.
### Maximum Foreground Download Bandwidth
@ -313,7 +313,7 @@ This setting determines whether a device will be allowed to participate in Peer
MDM Setting: **DOVpnKeywords**
This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: “VPN”, “Secure”, and “Virtual Private Network” (ex: “MSFTVPN” matches the “VPN” keyword). As the number of VPNs grow its difficult to support an ever-changing list of VPN names. To address this, weve introduced this new setting to set unique VPN names to meet the needs of individual environments.
This policy allows you to set one or more comma-separated keywords used to recognize VPN connections. **By default, this policy is not set so if a VPN is detected, the device will not use peering.** Delivery Optimization automatically detects a VPN connection by looking at the network adapter's 'Description' and 'FriendlyName' strings using the default keyword list including: "VPN", "Secure", and "Virtual Private Network" (ex: "MSFTVPN" matches the "VPN" keyword). As the number of VPNs grow it's difficult to support an ever-changing list of VPN names. To address this, we've introduced this new setting to set unique VPN names to meet the needs of individual environments.
### Disallow cache server downloads on VPN
@ -335,7 +335,7 @@ The device can download from peers while on battery regardless of this policy.
MDM Setting: **DOCacheHost**
Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, the Microsoft Connected Cache server priority order is determined based on the order as they are listed. If the first server fails, it will move the next one. When the last server fails, it will fallback to the CDN.
Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somerandomhost.com,10.10.1.7. **By default, this policy has no value.** Delivery Optimization client will connect to the listed Microsoft Connected Cache servers in the order as they are listed. When multiple FQDNs or IP Addresses are listed, fallback to the CDN occurs immediately after the first failure in downloading from a cache server, unless the [DelayCacheServerFallbackBackground](#delay-background-download-cache-server-fallback-in-secs) or [DelayCacheServerFallbackForeground](#delay-foreground-download-cache-server-fallback-in-secs) policies are set. When these delay policies are set, the fallback occurs only after the configured delay time and the client continues to attempt connecting to the cache servers in round robin order before the delay time expires.
>[!IMPORTANT]
> Any value will signify that the policy is set. For example, an empty string ("") isn't considered empty.

14
windows/deployment/do/waas-delivery-optimization-setup.md
View File

@ -8,11 +8,11 @@ author: cmknox
ms.author: carmenf
ms.reviewer: mstewart
manager: aaroncz
ms.collection:
ms.collection:
- tier3
- essentials-get-started
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/deployment/do/waas-delivery-optimization target=_blank>Delivery Optimization</a>
@ -119,9 +119,9 @@ This section summarizes common problems and some solutions to try.
If you don't see any bytes coming from peers the cause might be one of the following issues:
- Clients arent able to reach the Delivery Optimization cloud services.
- The cloud service doesnt see other peers on the network.
- Clients arent able to connect to peers that are offered back from the cloud service.
- Clients aren't able to reach the Delivery Optimization cloud services.
- The cloud service doesn't see other peers on the network.
- Clients aren't able to connect to peers that are offered back from the cloud service.
- None of the computers on the network are getting updates from peers.
### Clients aren't able to reach the Delivery Optimization cloud services
@ -136,10 +136,10 @@ Try these steps:
Try these steps:
1. Download the same app on two different devices on the same network, waiting 10 15 minutes between downloads.
1. Download the same app on two different devices on the same network, waiting 10 - 15 minutes between downloads.
2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices.
3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be nonzero.
4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**.
4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for "what is my IP"). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**.
> [!NOTE]
> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer.

11
windows/deployment/docfx.json
View File

@ -42,7 +42,7 @@
"breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.win-development",
@ -61,13 +61,16 @@
"beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
"American-Dipper",
"shdyas"
],
"searchScope": ["Windows 10"]
"searchScope": [
"Windows 10"
]
},
"fileMetadata": {},
"template": [],
"dest": "win-development",
"markdownEngineName": "markdig"
}
}
}

167
windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
View File

@ -1,6 +1,6 @@
---
title: Compatibility Fixes for Windows 10, Windows 8, Windows 7, & Windows Vista
description: Find compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10.
description: Find released compatibility fixes for all Windows operating systems from Windows Vista through Windows 10.
manager: aaroncz
ms.author: frankroj
ms.service: windows-client
@ -14,12 +14,12 @@ ms.subservice: itpro-deploy
**Applies to**
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2012
- Windows Server 2008 R2
You can fix some compatibility issues that are due to the changes made between Windows operating system versions. These issues can include User Account Control (UAC) restrictions.
@ -28,131 +28,128 @@ You can fix some compatibility issues that are due to the changes made between W
If you start the Compatibility Administrator as an Administrator (with elevated privileges), all repaired applications can run successfully; however, virtualization and redirection might not occur as expected. To verify that a compatibility fix addresses an issue, you must test the repaired application by running it under the destination user account.
## Compatibility Fixes
The following table lists the known compatibility fixes for all Windows operating systems that have been released from Windows Vista through Windows 10. The fixes are listed in alphabetical order.
The following table lists the known released compatibility fixes for all Windows operating systems from Windows Vista through Windows 10. The fixes are listed in alphabetical order.
|Fix|Fix Description|
|--- |--- |
|8And16BitAggregateBlts|Applications that are mitigated by 8/16-bit mitigation can exhibit performance issues. This layer aggregates all the blt operations and improves performance.|
|8And16BitDXMaxWinMode|Applications that use DX8/9 and are mitigated by the 8/16-bit mitigation are run in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.|
|8And16BitAggregateBlts|8/16-bit mitigation can cause performance issues in applications. This layer aggregates all the blt operations and improves performance.|
|8And16BitDXMaxWinMode|The 8/16-bit mitigation runs applications that use DX8/9 in a maximized windowed mode. This layer mitigates applications that exhibit graphical corruption in full screen mode.|
|8And16BitGDIRedraw|This fix repairs applications that use GDI and that work in 8-bit color mode. The application is forced to repaint its window on RealizePalette.|
|AccelGdipFlush|This fix increases the speed of GdipFlush, which has perf issues in DWM.|
|AoaMp4Converter|This fix resolves a display issue for the AoA Mp4 Converter.|
|BIOSRead|This problem is indicated when an application cannot access the **Device\PhysicalMemory** object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.<p>The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information..|
|BIOSRead|This problem is indicated when an application can't access the **Device\PhysicalMemory** object beyond the kernel-mode drivers, on any of the Windows Server® 2003 operating systems.<p>The fix enables OEM executable (.exe) files to use the GetSystemFirmwareTable function instead of the NtOpenSection function when the BIOS is queried for the **\Device\Physical** memory information.|
|BlockRunasInteractiveUser|This problem occurs when **InstallShield** creates installers and uninstallers that fail to complete and that generate error messages or warnings.<p>The fix blocks **InstallShield** from setting the value of RunAs registry keys to InteractiveUser Because InteractiveUser no longer has Administrator rights.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the BlockRunAsInteractiveUser Fix](/previous-versions/windows/it-pro/windows-7/dd638336(v=ws.10)).</div>|
|ChangeFolderPathToXPStyle|This fix is required when an application cannot return shell folder paths when it uses the **SHGetFolder** API.<p>The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.|
|ChangeFolderPathToXPStyle|This fix is required when an application can't return shell folder paths when it uses the **SHGetFolder** API.<p>The fix intercepts the **SHGetFolder**path request to the common **appdata** file path and returns the Windows® XP-style file path instead of the Windows Vista-style file path.|
|ClearLastErrorStatusonIntializeCriticalSection|This fix is indicated when an application fails to start.<p>The fix modifies the InitializeCriticalSection function call so that it checks the NTSTATUS error code, and then sets the last error to ERROR_SUCCESS.|
|CopyHKCUSettingsFromOtherUsers|This problem occurs when an application's installer must run in elevated mode and depends on the HKCU settings that are provided for other users.<p>The fix scans the existing user profiles and tries to copy the specified keys into the HKEY_CURRENT_USER registry area.<p>You can control this fix further by entering the relevant registry keys as parameters that are separated by the ^ Symbol; for example: Software\MyCompany\Key1^Software\MyCompany\Key2.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the CopyHKCUSettingsFromOtherUsers Fix](/previous-versions/windows/it-pro/windows-7/dd638375(v=ws.10)).</div>|
|CorrectCreateBrushIndirectHatch|The problem is indicated by an access violation error message that displays and when the application fails when you select or crop an image.<p>The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.|
|CorrectFilePaths|The problem is indicated when an application tries to write files to the hard disk and is denied access or receives a file not found or path not found error message.<p>The fixmodifies the file path names to point to a new location on the hard disk.<div class="alert">**Note:** For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](/previous-versions/windows/it-pro/windows-7/cc766201(v=ws.10)). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you are applying it to a setup installation file.</div>|
|CorrectFilePathsUninstall|This problem occurs when an uninstalled application leaves behind files, directories, and links.<p>The fix corrects the file paths that are used by the uninstallation process of an application.<div class="alert">**Note:** For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](/previous-versions/windows/it-pro/windows-7/dd638414(v=ws.10)). We recommend that you use this fix together with the CorrectFilePaths fix if you are applying it to a setup installation file.</div>|
|CorrectShellExecuteHWND|This problem occurs when you start an executable (.exe) and a taskbar item blinks instead of an elevation prompt being opened, or when the application does not provide a valid HWND value when it calls the ShellExecute(Ex) function.<p>The fixintercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.<div class="alert">**Note:** For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](/previous-versions/windows/it-pro/windows-7/cc722028(v=ws.10)).</div>|
|CustomNCRender|This fix instructs DWM to not render the non-client area, thereby forcing the application to do its own NC rendering. This often gives windows an XP look.|
|CorrectCreateBrushIndirectHatch|This problem occurs when an access violation error message displays and the application fails when you select or crop an image.<p>The fix corrects the brush style hatch value, which is passed to the CreateBrushIndirect() function and enables the information to be correctly interpreted.|
|CorrectFilePaths|This problem occurs when: <ul><li>An application tries to write files to the hard disk and is denied access.</li><li>An application receives a file not found or path not found error message.</li></ul><p>The fix modifies the file path names to point to a new location on the hard disk.<div class="alert">**Note:** For more detailed information about the CorrectFilePaths application fix, see [Using the CorrectFilePaths Fix](/previous-versions/windows/it-pro/windows-7/cc766201(v=ws.10)). We recommend that you use this fix together with the CorrectFilePathsUninstall fix if you're applying it to a setup installation file.</div>|
|CorrectFilePathsUninstall|This problem occurs when an uninstalled application leaves behind files, directories, and links.<p>The fix corrects the file paths that are used by the uninstallation process of an application.<div class="alert">**Note:** For more detailed information about this fix, see [Using the CorrectFilePathsUninstall Fix](/previous-versions/windows/it-pro/windows-7/dd638414(v=ws.10)). We recommend that you use this fix together with the CorrectFilePaths fix if you're applying it to a setup installation file.</div>|
|CorrectShellExecuteHWND|This problem occurs when you start an executable (.exe) and:<ul><li>A taskbar item blinks instead of an elevation prompt being opened, or when the application doesn't provide a valid HWND value when it calls the ShellExecute(Ex) function.<p>The fix intercepts the ShellExecute(Ex) calls, and then inspects the HWND value. If the value is invalid, this fix enables the call to use the currently active HWND value.<div class="alert">**Note:** For more detailed information about the CorrectShellExecuteHWND application fix, see [Using the CorrectShellExecuteHWND Fix](/previous-versions/windows/it-pro/windows-7/cc722028(v=ws.10)).</div>|
|CustomNCRender|This fix instructs DWM to not render the non-client area forcing the application to do its own NC rendering. This issue often gives windows an XP look.|
|DelayApplyFlag|This fix applies a KERNEL, USER, or PROCESS flag if the specified DLL is loaded.<p>You can control this fix further by typing the following command at the command prompt:<p>`DLL_Name;Flag_Type;Hexidecimal_Value`<br>Where the DLL_Name is the name of the specific DLL, including the file extension. Flag_Type is KERNEL, USER, or PROCESS, and a Hexidecimal_Value, starting with 0x and up to 64 bits long.<div class="alert">**Note:** The PROCESS flag type can have a 32-bit length only. You can separate multiple entries with a backslash ().</div>|
|DeprecatedServiceShim|The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.<p>The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.<p>You can control this fix further by typing the following command at the command prompt:<p>`Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2`<br>Where Deprecated_Service is the name of the service that has been deprecated and App_Service is the name of the specific application service that is to be modified; for example, NtLmSsp\WMI.<div class="alert">**Note:** If you do not provide an App_Service name, the deprecated service will be removed from all newly created services.</div><div class="alert">**Note:** You can separate multiple entries with a forward slash (/).</div>|
|DirectXVersionLie|This problem occurs when an application fails because it does not find the correct version number for DirectX®.<p>The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.</div><p>You can control this fix further by typing the following command at the command prompt:<br>`MAJORVERSION.MINORVERSION.LETTER`<p>For example, 9.0.c.|
|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8 .|
|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and do not mix direct draw.|
|DeprecatedServiceShim|The problem is indicated when an application tries to install a service that has a dependency on a deprecated service. An error message displays.<p>The fix intercepts the CreateService function calls and removes the deprecated dependency service from the lpDependencies parameter.<p>You can control this fix further by typing the following command at the command prompt:<p>`Deprecated_Service\App_Service/Deprecated_Service2 \App_Service2` where:<ul><li>Deprecated_Service is the name of the deprecated service</li><li>App_Service is the name of the specific application service that is to be modified</li></ul>For example, NtLmSsp\WMI.<div class="alert">**Note:** If you don't provide an App_Service name, the deprecated service is removed from all newly created services.</div><div class="alert">**Note:** You can separate multiple entries with a forward slash (/).</div>|
|DirectXVersionLie|This problem occurs when an application fails because it doesn't find the correct version number for DirectX®.<p>The fix modifies the DXDIAGN GetProp function call to return the correct DirectX version.</div><p>You can control this fix further by typing the following command at the command prompt:<br>`MAJORVERSION.MINORVERSION.LETTER`<p>For example, 9.0.c.|
|DetectorDWM8And16Bit|This fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8 .|
|Disable8And16BitD3D|This fix improves performance of 8/16-bit color applications that render using D3D and don't mix direct draw.|
|Disable8And16BitModes|This fix disables 8/16-bit color mitigation and enumeration of 8/16-bit color modes.|
|DisableDWM|The problem occurs when some objects are not drawn or object artifacts remain on the screen in an application.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the DisableDWM Fix](/previous-versions/windows/it-pro/windows-7/cc722418(v=ws.10)).</div>|
|DisableFadeAnimations|The problem is indicated when an application fades animation, buttons, or other controls do not function properly.<p>The fix disables the fade animations functionality for unsupported applications.|
|DisableThemeMenus|The problem is indicated by an application that behaves unpredictably when it tries to detect and use the correct Windows settings.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.|
|DisableWindowsDefender|The fix disables Windows Defender for security applications that do not work with Windows Defender.|
|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes are not supported in Windows 8.|
|DisableDWM|The problem occurs when some objects aren't drawn or object artifacts remain on the screen in an application.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the DisableDWM Fix](/previous-versions/windows/it-pro/windows-7/cc722418(v=ws.10)).</div>|
|DisableFadeAnimations|The problem is indicated when an application fades animation, buttons, or other controls don't function properly.<p>The fix disables the fade animations functionality for unsupported applications.|
|DisableThemeMenus|The problem occurs when an application behaves unpredictably when it tries to detect and use the correct Windows settings.<p>The fix temporarily disables the Windows Aero menu theme functionality for unsupported applications.|
|DisableWindowsDefender|The fix disables Windows Defender for security applications that don't work with Windows Defender.|
|DWM8And16BitMitigation|The fix offers mitigation for applications that work in 8/16-bit display color mode because these legacy color modes aren't supported in Windows 8.|
|DXGICompat|The fix allows application-specific compatibility instructions to be passed to the DirectX engine.|
|DXMaximizedWindowedMode|Applications that use DX8/9 are run in a maximized windowed mode. This is required for applications that use GDI/DirectDraw in addition to Direct3D.|
|ElevateCreateProcess|The problem is indicated when installations, de-installations, or updates fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.<p>The fixhandles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code will be returned unchanged.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](/previous-versions/windows/it-pro/windows-7/cc722422(v=ws.10)).</div>|
|ElevateCreateProcess|The problem is indicated when: <ul><li>installations</li><li>de-installations</li><li>updates</li></ul> fail because the host process calls the CreateProcess function and it returns an ERROR_ELEVATION_REQUIRED error message.<p>The fix handles the error code and attempts to recall the CreateProcess function together with requested elevation. If the fixed application already has a UAC manifest, the error code is returned unchanged.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the ElevateCreateProcess Fix](/previous-versions/windows/it-pro/windows-7/cc722422(v=ws.10)).</div>|
|EmulateOldPathIsUNC|The problem occurs when an application fails because of an incorrect UNC path.<p>The fix exchanges the PathIsUNC function to return a value of True for UNC paths in Windows.|
|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run, and it generates an error message that there is not enough free disk space to install or use the application, even though there is enough free disk space to meet the application requirements.<p>The fix determines the amount of free space, so that if the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB, but if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](/previous-versions/windows/it-pro/windows-7/ff720129(v=ws.10)).</div>|
|EmulateGetDiskFreeSpace|The problem is indicated when an application fails to install or to run. An error message is generated that there isn't enough free disk space to install or use the application. The error message occurs even though there's enough free disk space to meet the application requirements.<p>The fix determines the amount of free space. If the amount of free space is larger than 2 GB, the compatibility fix returns a value of 2 GB. However, if the amount of free space is smaller than 2 GB, the compatibility fix returns the actual-free space amount.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EmulateGetDiskFreeSpace Fix](/previous-versions/windows/it-pro/windows-7/ff720129(v=ws.10)).</div>|
|EmulateSorting|The problem occurs when an application experiences search functionality issues.<p>The fix forces applications that use the CompareStringW/LCMapString sorting table to use an older version of the table.<div class="alert">**Note:** For more detailed information about this e application fix, see [Using the EmulateSorting Fix](/previous-versions/windows/it-pro/windows-7/cc749209(v=ws.10)).</div>|
|EmulateSortingWindows61|The fix emulates the sorting order of Windows 7 and Windows Server 2008 R2 for various APIs.|
|EnableRestarts|The problem is indicated when an application and computer appear to hang because processes cannot end to allow the computer to complete its restart processes.<p>The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EnableRestarts Fix](/previous-versions/windows/it-pro/windows-7/ff720128(v=ws.10)).</div>|
|ExtraAddRefDesktopFolder|The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.<p>The fix counteracts the application's tries to obtain the shell desktop folder by invoking the AddRef() method on the Desktop folder, which is returned by the SHGetDesktopFolder function.|
|EnableRestarts|The problem is indicated when an application and computer appear to hang because processes can't end to allow the computer to complete its restart processes.<p>The fix enables the computer to restart and finish the installation process by verifying and enabling that the SeShutdownPrivilege service privilege exists.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the EnableRestarts Fix](/previous-versions/windows/it-pro/windows-7/ff720128(v=ws.10)).</div>|
|ExtraAddRefDesktopFolder|The problem occurs when an application invokes the Release() method too many times and causes an object to be prematurely destroyed.<p>The fix invokes the AddRef() method on the Desktop folder, which the SHGetDesktopFolder function returns, to counteract the problem.|
|FailObsoleteShellAPIs|The problem occurs when an application fails because it generated deprecated API calls.<p>The fix either fully implements the obsolete functions or implements the obsolete functions with stubs that fail.<div class="alert">**Note:** You can type FailAll=1 at the command prompt to suppress the function implementation and force all functions to fail.</div>|
|FailRemoveDirectory|The problem occurs when an application uninstallation process does not remove all of the application files and folders.<p>This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line. Only a single path is supported. The path can contain environment variables, but must be an exact path no partial paths are supported.<p>The fixcan resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.|
|FakeLunaTheme|The problem occurs when a theme application does not properly display: the colors are washed out or the user interface is not detailed.<p>The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).<div class="alert">**Note:** For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](/previous-versions/windows/it-pro/windows-7/cc766315(v=ws.10)).</div>|
|FlushFile|This problem is indicated when a file is updated and changes do not immediately appear on the hard disk. Applications cannot see the file changes.<p>The fixenables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.|
|FailRemoveDirectory|The problem occurs when an application uninstall process doesn't remove all of the application files and folders.<p>This fix fails calls to RemoveDirectory() when called with a path matching the one specified in the shim command line. Only a single path is supported. The path can contain environment variables, but must be an exact path - no partial paths are supported.<p>The fix resolves an issue where an application expects RemoveDirectory() to delete a folder immediately even though a handle is open to it.|
|FakeLunaTheme|The problem occurs when a theme application doesn't properly display: the colors are washed out or the user interface isn't detailed.<p>The fix intercepts the GetCurrentThemeName API and returns the value for the Windows XP default theme (Luna).<div class="alert">**Note:** For more detailed information about the FakeLunaTheme application fix, see [Using the FakeLunaTheme Fix](/previous-versions/windows/it-pro/windows-7/cc766315(v=ws.10)).</div>|
|FlushFile|This problem is indicated when a file is updated and changes don't immediately appear on the hard disk. Applications can't see the file changes.<p>The fix enables the WriteFile function to call to the FlushFileBuffers APIs, which flush the file cache onto the hard disk.|
|FontMigration|The fix replaces an application-requested font with a better font selection, to avoid text truncation.|
|ForceAdminAccess|The problem occurs when an application fails to function during an explicit administrator check.<p>The fix allows the user to temporarily imitate being a part of the Administrators group by returning a value of True during the administrator check.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the ForceAdminAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766024(v=ws.10)).</div>|
|ForceInvalidateOnClose|The fix invalidates any windows that exist under a closing or hiding window for applications that rely on the invalidation messages.|
|ForceLoadMirrorDrvMitigation|The fix loads the Windows 8-mirror driver mitigation for applications where the mitigation is not automatically applied.|
|ForceLoadMirrorDrvMitigation|The fix loads the Windows 8-mirror driver mitigation for applications where the mitigation isn't automatically applied.|
|FreestyleBMX|The fix resolves an application race condition that is related to window message order.|
|GetDriveTypeWHook|The application presents unusual behavior during installation; for example, the setup program states that it cannot install to a user-specified location.<p>The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.|
|GlobalMemoryStatusLie|The problem is indicated by a Computer memory full error message that displays when you start an application.<p>The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.|
|HandleBadPtr|The problem is indicated by an access violation error message that displays because an API is performing pointer validation before it uses a parameter.<p>The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.|
|HandleMarkedContentNotIndexed|The problem is indicated by an application that fails when it changes an attribute on a file or directory.<p>The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory, and resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.|
|GetDriveTypeWHook|The application presents unusual behavior during installation; for example, the setup program states that it can't install to a user-specified location.<p>The fix exchanges GetDriveType() so that only the root information appears for the file path. This is required when an application passes an incomplete or badly formed file path when it tries to retrieve the drive type on which the file path exists.|
|GlobalMemoryStatusLie|The problem occurs when a Computer memory full error message that displays when you start an application.<p>The fix modifies the memory status structure, so that it reports a swap file that is 400 MB, regardless of the true swap file size.|
|HandleBadPtr|The problem occurs when an access violation error message that displays because an API is performing pointer validation before it uses a parameter.<p>The fix supports using lpBuffer validation from the InternetSetOptionA and InternetSetOptionW functions to perform the more parameter validation.|
|HandleMarkedContentNotIndexed|The problem occurs when an application that fails when it changes an attribute on a file or directory.<p>The fix intercepts any API calls that return file attributes and directories that are invoked from the %TEMP% directory. The fix then resets the FILE_ATTRIBUTE_NOT_CONTENT_INDEXED attribute to its original state.|
|HeapClearAllocation|The problem is indicated when the allocation process shuts down unexpectedly.<p>The fix uses zeros to clear out the heap allocation for an application.|
|IgnoreAltTab|The problem occurs when an application fails to function when special key combinations are used.<p>The fix intercepts the RegisterRawInputDevices API and prevents the delivery of the WM_INPUT messages. This delivery failure forces the included hooks to be ignored and forces DInput to use Windows-specific hooks.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreAltTab Fix](/previous-versions/windows/it-pro/windows-7/cc722093(v=ws.10)).</div>|
|IgnoreChromeSandbox|The fix allows Google Chrome to run on systems that have ntdll loaded above 4 GB.|
|IgnoreDirectoryJunction|The problem is indicated by a read or access violation error message that displays when an application tries to find or open files.<p>The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.<div class="alert">**Note:** Symbolic links appear to start in Windows Vista.</div>|
|IgnoreException|The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.<p>The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.<p>You can control this fix further by typing the following command at the command prompt:<p>`Exception1;Exception2`<br>Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.<p>**Important:** You should use this compatibility fix only if you are certain that it is acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreException Fix](/previous-versions/windows/it-pro/windows-7/cc766154(v=ws.10)).</div>|
|IgnoreFloatingPointRoundingControl|This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.<p>Before floating point SSE2 support in the C runtime library, the rounding control request was being ignored which would use round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.|
|IgnoreChromeSandbox|The fix allows Google Chrome to run on systems where ntdll is loaded above 4 GB.|
|IgnoreDirectoryJunction|The problem occurs when a read or access violation error message that displays when an application tries to find or open files.<p>The fix links the FindNextFileW, FindNextFileA, FindFirstFileExW, FindFirstFileExA, FindFirstFileW, and FindFirstFileA APIs to prevent them from returning directory junctions.<div class="alert">**Note:** Symbolic links appear to start in Windows Vista.</div>|
|IgnoreException|The problem is indicated when an application stops functioning immediately after it starts, or the application starts with only a cursor appearing on the screen.<p>The fix enables the application to ignore specified exceptions. By default, this fix ignores privileged-mode exceptions; however, it can be configured to ignore any exception.<p>You can control this fix further by typing the following command at the command prompt:<p>`Exception1;Exception2`<br>Where Exception1 and Exception2 are specific exceptions to be ignored. For example: ACCESS_VIOLATION_READ:1;ACCESS_VIOLATION_WRITE:1.<p>**Important:** You should use this compatibility fix only if you're certain that it's acceptable to ignore the exception. You might experience more compatibility issues if you choose to incorrectly ignore an exception.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreException Fix](/previous-versions/windows/it-pro/windows-7/cc766154(v=ws.10)).</div>|
|IgnoreFloatingPointRoundingControl|This fix enables an application to ignore the rounding control request and to behave as expected in previous versions of the application.<p>Before the C runtime library supported floating point SSE2, it ignored the rounding control request and used the round to nearest option by default. This shim ignores the rounding control request to support applications relying on old behavior.|
|IgnoreFontQuality|The problem occurs when application text appears to be distorted.<p>The fix enables color-keyed fonts to properly work with anti-aliasing.|
|IgnoreMessageBox|The problem is indicated by a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.<p>The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](/previous-versions/windows/it-pro/windows-7/cc749044(v=ws.10)).</div>|
|IgnoreMSOXMLMF|The problem is indicated by an error message that states that the operating system cannot locate the MSVCR80D.DLL file.<p>The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix will just ignore the registered MSOXMLMF and fail the CoGetClassObject for its CLSID.|
|IgnoreMessageBox|The problem occurs when a message box that displays with debugging or extraneous content when the application runs on an unexpected operating system.<p>The fix intercepts the MessageBox* APIs and inspects them for specific message text. If matching text is found, the application continues without showing the message box.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the IgnoreMessageBox Fix](/previous-versions/windows/it-pro/windows-7/cc749044(v=ws.10)).</div>|
|IgnoreMSOXMLMF|The problem occurs when an error message that states that the operating system can't locate the MSVCR80D.DLL file.<p>The fix ignores the registered MSOXMLMF.DLL object, which Microsoft® Office 2007 loads into the operating system anytime that you load an XML file, and then it fails the CoGetClassObject for its CLSID. This compatibility fix ignores the registered MSOXMLMF and fails the CoGetClassObject for its CLSID.|
|IgnoreSetROP2|The fix ignores read-modify-write operations on the desktop to avoid performance issues.|
|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET is not included with Windows 8.|
|InstallComponent|The fix prompts the user to install.Net 3.5 or .NET 2.0 because .NET isn't included with Windows 8.|
|LoadLibraryRedirect|The fix forces an application to load system versions of libraries instead of loading redistributable versions that shipped with the application.|
|LocalMappedObject|The problem occurs when an application unsuccessfully tries to create an object in the Global namespace.<p>The fix intercepts the function call to create the object and replaces the word Global with Local.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the LocalMappedObject Fix](/previous-versions/windows/it-pro/windows-7/cc749287(v=ws.10)).</div>|
|MakeShortcutRunas|The problem is indicated when an application fails to uninstall because of access-related errors.<p>The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installation, thereby enabling the uninstallation to occur later.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix](/previous-versions/windows/it-pro/windows-7/dd638338(v=ws.10))</div>|
|MakeShortcutRunas|The problem is indicated when an application fails to uninstall because of access-related errors.<p>The fix locates any RunDLL.exe-based uninstallers and forces them to run with different credentials during the application installation. After it applies this fix, the installer will create a shortcut that specifies a matching string to run during the application installationenabling the uninstallation to occur later.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the MakeShortcutRunas Fix](/previous-versions/windows/it-pro/windows-7/dd638338(v=ws.10))</div>|
|ManageLinks|The fix intercepts common APIs that are going to a directory or to an executable (.exe) file, and then converts any symbolic or directory junctions before passing it back to the original APIs.|
|MirrorDriverWithComposition|The fix allows mirror drivers to work properly with acceptable performance with desktop composition.|
|MoveToCopyFileShim|The problem occurs when an application experiences security access issues during setup.<p>The fix forces the CopyFile APIs to run instead of the MoveFile APIs. CopyFile APIs avoid moving the security descriptor, which enables the application files to get the default descriptor of the destination folder and prevents the security access issue.|
|OpenDirectoryAcl|The problem is indicated by an error message that states that you do not have the appropriate permissions to access the application.<p>The fix reduces the security privilege levels on a specified set of files and folders.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](/previous-versions/windows/it-pro/windows-7/dd638417(v=ws.10)).</div>|
|OpenDirectoryAcl|The problem occurs when an error message that states that you don't have the appropriate permissions to access the application.<p>The fix reduces the security privilege levels on a specified set of files and folders.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the OpenDirectoryACL Fix](/previous-versions/windows/it-pro/windows-7/dd638417(v=ws.10)).</div>|
|PopCapGamesForceResPerf|The fix resolves the performance issues in PopCap games like Bejeweled2. The performance issues are visible in certain low-end cards at certain resolutions where the 1024x768 buffer is scaled to fit the display resolution.|
|PreInstallDriver|The fix preinstalls drivers for applications that would otherwise try to install or start drivers during the initial start process.|
|PreInstallSmarteSECURE|The fix preinstalls computer-wide CLSIDs for applications that use SmartSECURE copy protection, which would otherwise try to install the CLSIDs during the initial start process.|
|ProcessPerfData|The problem is indicated by an Unhandled Exception error message because the application tried to read the process performance data registry value to determine if another instance of the application is running.<p>The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it is the only instance running.<div class="alert">**Note:** This issue seems to occur most frequently with .NET applications.|
|ProcessPerfData|The problem occurs because the application tried to read the process performance data registry value to determine if another instance of the application is running. This problem results in an Unhandled Exception error message.<p>The fix handles the failure case by passing a fake process performance data registry key, so that the application perceives that it's the only instance running.<div class="alert">**Note:** This issue seems to occur most frequently with .NET applications.|
|PromoteDAM|The fix registers an application for power state change notifications.</div>|
|PropagateProcessHistory|The problem occurs when an application incorrectly fails to apply an application fix.<p>The fix sets the _PROCESS_HISTORY environment variable so that child processes can look in the parent directory for matching information while searching for application fixes.|
|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.<p>The fix addresses the issues that occur when applications use non-standard Administrator checks, thereby generating false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but it is set as deny-only.|
|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume, thereby redirecting the calls to a temporary file in the user's temporary directory.|
|RedirectHKCUKeys|The problem occurs when an application cannot be accessed because of User Account Control (UAC) restrictions.<p>The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.|
|RedirectMP3Codec|This problem occurs when you cannot play MP3 files.<p>The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.|
|RedirectShortcut|The problem occurs when an application cannot be accessed by its shortcut, or application shortcuts are not removed during the application uninstallation process.<p>The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.<p>Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.<br>Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.<p>This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user cannot access the shortcuts.<p>You cannot apply this fix to an .exe file that includes a manifest and provides a run level.|
|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they are started from a host application.<p>The fix enables a child .exe file to run with elevated privileges when it is difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RelaunchElevated Fix](/previous-versions/windows/it-pro/windows-7/dd638373(v=ws.10)).</div>|
|RetryOpenSCManagerWithReadAccess|The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.<p>The fix retries the call and requests a more restricted set of rights that include the following:<li>SC_MANAGER_CONNECT<li>SC_MANAGER_ENUMERATE_SERVICE<li>SC_MANAGER_QUERY_LOCK_STATUS<li>STANDARD_READ_RIGHTS<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc721915(v=ws.10)).</div>|
|RetryOpenServiceWithReadAccess|The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.<p>The fix retries the OpenService() API call and verifies that the user has Administrator rights, is not a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this to work<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766423(v=ws.10)).</div>|
|ProtectedAdminCheck|The problem occurs when an application fails to run because of incorrect Protected Administrator permissions.<p>The fix addresses the issues that occur when applications use non-standard Administrator checks. This issue can result in false positives for user accounts that are being run as Protected Administrators. In this case, the associated SID exists, but the SID is set as deny-only.|
|RedirectCRTTempFile|The fix intercepts failing CRT calls that try to create a temporary file at the root of the volume. The fix instead redirects the calls to a temporary file in the user's temporary directory.|
|RedirectHKCUKeys|The problem occurs when an application can't be accessed because of User Account Control (UAC) restrictions.<p>The fix duplicates any newly created HKCU keys to other users' HKCU accounts. This fix is generic for UAC restrictions, whereby the HKCU keys are required, but are unavailable to an application at runtime.|
|RedirectMP3Codec|This problem occurs when you can't play MP3 files.<p>The fix intercepts the CoCreateInstance call for the missing filter and then redirects it to a supported version.|
|RedirectShortcut|The problem occurs when an application's shortcut can't be accessed, or the application uninstallation process doesn't remove application shortcuts.<p>The fix redirects all of the shortcuts created during the application setup to appear according to a specified path.<p>Start Menu shortcuts: Appear in the \ProgramData\Microsoft\Windows\Start Menu directory for all users.<br>Desktop or Quick Launch shortcuts: You must manually place the shortcuts on the individual user's desktop or Quick Launch bar.<p>This issue occurs because of UAC restrictions: specifically, when an application setup runs by using elevated privileges and stores the shortcuts according to the elevated user's context. In this situation, a restricted user can't access the shortcuts.<p>You can't apply this fix to an .exe file that includes a manifest and provides a run level.|
|RelaunchElevated|The problem occurs when installers, uninstallers, or updaters fail when they're started from a host application.<p>The fix enables a child .exe file to run with elevated privileges when it's difficult to determine the parent process with either the ElevateCreateProcess fix or by marking the .exe files to RunAsAdmin.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RelaunchElevated Fix](/previous-versions/windows/it-pro/windows-7/dd638373(v=ws.10)).</div>|
|RetryOpenSCManagerWithReadAccess|The problem occurs when an application tries to open the Service Control Manager (SCM) and receives an Access Denied error message.<p>The fix retries the call and requests a more restricted set of rights that include the following items:<li>SC_MANAGER_CONNECT<li>SC_MANAGER_ENUMERATE_SERVICE<li>SC_MANAGER_QUERY_LOCK_STATUS<li>STANDARD_READ_RIGHTS<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenSCManagerwithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc721915(v=ws.10)).</div>|
|RetryOpenServiceWithReadAccess|The problem occurs when an Unable to open service due to your application using the OpenService() API to test for the existence of a particular service error message displays.<p>The fix retries the OpenService() API call and verifies that the user has Administrator rights, isn't a Protected Administrator, and by using read-only access. Applications can test for the existence of a service by calling the OpenService() API but some applications ask for all access when making this check. This fix retries the call but only asking for read-only access. The user needs to be an administrator for this fix to work<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RetryOpenServiceWithReadAccess Fix](/previous-versions/windows/it-pro/windows-7/cc766423(v=ws.10)).</div>|
|RunAsAdmin|The problem occurs when an application fails to function by using the Standard User or Protected Administrator account.<p>The fix enables the application to run by using elevated privileges. The fix is the equivalent of specifying requireAdministrator in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsAdmin Fix](/previous-versions/windows/it-pro/windows-7/dd638315(v=ws.10)).</div>|
|RunAsHighest|The problem occurs when administrators cannot view the read/write version of an application that presents a read-only view to standard users.<p>The fix enables the application to run by using the highest available permissions. This is the equivalent of specifying highestAvailable in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsHighest Fix](/previous-versions/windows/it-pro/windows-7/dd638322(v=ws.10)).</div>|
|RunAsInvoker|The problem occurs when an application is not detected as requiring elevation.<p>The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This is the equivalent of specifying asInvoker in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsInvoker Fix](/previous-versions/windows/it-pro/windows-7/dd638389(v=ws.10)).</div>|
|RunAsHighest|The problem occurs when administrators can't view the read/write version of an application that presents a read-only view to standard users.<p>The fix enables the application to run by using the highest available permissions. This fix is the equivalent of specifying highestAvailable in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsHighest Fix](/previous-versions/windows/it-pro/windows-7/dd638322(v=ws.10)).</div>|
|RunAsInvoker|The problem occurs when an application isn't detected as requiring elevation.<p>The fix enables the application to run by using the privileges that are associated with the creation process, without requiring elevation. This fix is the equivalent of specifying asInvoker in an application manifest.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the RunAsInvoker Fix](/previous-versions/windows/it-pro/windows-7/dd638389(v=ws.10)).</div>|
|SecuROM7|The fix repairs applications by using SecuROM7 for copy protection.|
|SessionShim|The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.<p>At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.<p>**Important:** Users cannot log in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SessionShim Fix](/previous-versions/windows/it-pro/windows-7/cc722085(v=ws.10)).</div>|
|SessionShim|The fix intercepts API calls from applications that are trying to interact with services that are running in another session, by using the terminal service name prefix (Global or Local) as the parameter.<p>At the command prompt, you can supply a list of objects to modify, separating the values by a double backslash (). Or, you can choose not to include any parameters, so that all of the objects are modified.<p>**Important:** Users can't sign in as Session 0 (Global Session) in Windows Vista and later. Therefore, applications that require access to Session 0 automatically fail.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SessionShim Fix](/previous-versions/windows/it-pro/windows-7/cc722085(v=ws.10)).</div>|
|SetProtocolHandler|The fix registers an application as a protocol handler.<p>You can control this fix further by typing the following command at the command prompt:`Client;Protocol;App`<br>Where the Client is the name of the email protocol, Protocol is mailto, and App is the name of the application.<div class="alert">**Note:** Only the mail client and the mailto protocol are supported. You can separate multiple clients by using a backslash ().</div>|
|SetupCommitFileQueueIgnoreWow|The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.<p>The fixdisables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.|
|SetupCommitFileQueueIgnoreWow|The problem occurs when a 32-bit setup program fails to install because it requires 64-bit drivers.<p>The fix disables the Wow64 file system that is used by the 64-bit editions of Windows, to prevent 32-bit applications from accessing 64-bit file systems during the application setup.|
|SharePointDesigner2007|The fix resolves an application bug that severely slows the application when it runs in DWM.|
|ShimViaEAT|The problem occurs when an application fails, even after applying acompatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.<p>The fixapplies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.<div class="alert">**Note:** For more information about this application fix, see [Using the ShimViaEAT Fix](/previous-versions/windows/it-pro/windows-7/cc766286(v=ws.10)).</div>|
|ShowWindowIE|The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.<p>The fixintercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.|
|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation, thereby preventing bugcheck.|
|ShimViaEAT|The problem occurs when an application fails, even after applying a compatibility fix that is known to fix an issue. Applications that use unicows.dll or copy protection often present this issue.<p>The fix applies the specified compatibility fixes by modifying the export table and by nullifying the use of module inclusion and exclusion.<div class="alert">**Note:** For more information about this application fix, see [Using the ShimViaEAT Fix](/previous-versions/windows/it-pro/windows-7/cc766286(v=ws.10)).</div>|
|ShowWindowIE|The problem occurs when a web application experiences navigation and display issues because of the tabbing feature.<p>The fix intercepts the ShowWindow API call to address the issues that can occur when a web application determines that it is in a child window. This fix calls the real ShowWindow API on the top-level parent window.|
|SierraWirelessHideCDROM|The fix repairs the Sierra Wireless Driver installation preventing bugcheck.|
|Sonique2|The application uses an invalid window style, which breaks in DWM. This fix replaces the window style with a valid value.|
|SpecificInstaller|The problem occurs when an application installation file fails to be picked up by the GenericInstaller function.<p>The fixflags the application as being an installer file (for example, setup.exe), and then prompts for elevation.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638397(v=ws.10)).</div>|
|SpecificNonInstaller|The problem occurs when an application that is not an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.<p>The fixflags the application to exclude it from detection by the GenericInstaller function.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638326(v=ws.10)).</div>|
|SpecificInstaller|The problem occurs when the GenericInstaller function fails to pick up an application installation file.<p>The fix flags the application as being an installer file (for example, setup.exe), and then prompts for elevation.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638397(v=ws.10)).</div>|
|SpecificNonInstaller|The problem occurs when an application that isn't an installer (and has sufficient privileges) generates a false positive from the GenericInstaller function.<p>The fix flags the application to exclude it from detection by the GenericInstaller function.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the SpecificNonInstaller Fix](/previous-versions/windows/it-pro/windows-7/dd638326(v=ws.10)).</div>|
|SystemMetricsLie|The fix replaces SystemMetrics values and SystemParametersInfo values with the values of previous Windows versions.|
|TextArt|The application receives different mouse coordinates with DWM ON versus DWM OFF, which causes the application to hang. This fix resolves the issue.|
|TrimDisplayDeviceNames|The fix trims the names of the display devices that are returned by the EnumDisplayDevices API.|
|TrimDisplayDeviceNames|The fix trims the names returned by the EnumDisplayDevices API of the display devices.|
|UIPICompatLogging|The fix enables the logging of Windows messages from Internet Explorer and other processes.|
|UIPIEnableCustomMsgs|The problem occurs when an application does not properly communicate with other processes because customized Windows messages are not delivered.<p>The fixenables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`MessageString1 MessageString2`<br>Where MessageString1 and MessageString2 reflect the message strings that can pass.<div class="alert">**Note:** Multiple message strings must be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](/previous-versions/windows/it-pro/windows-7/dd638320(v=ws.10)).</div>|
|UIPIEnableStandardMsgs|The problem occurs when an application does not communicate properly with other processes because standard Windows messages are not delivered.<p>The fixenables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`1055 1056 1069`<p>Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.<div class="alert">**Note:** Multiple messages can be separated by spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](/previous-versions/windows/it-pro/windows-7/dd638361(v=ws.10)).</div>|
|UIPIEnableCustomMsgs|The problem occurs when an application doesn't properly communicate with other processes because customized Windows messages aren't delivered.<p>The fix enables customized Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the RegisterWindowMessage function, followed by the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`MessageString1 MessageString2`<br>Where MessageString1 and MessageString2 reflect the message strings that can pass.<div class="alert">**Note:** You must separate multiple message strings by spaces. For more detailed information about this application fix, see [Using the UIPIEnableCustomMsgs Fix](/previous-versions/windows/it-pro/windows-7/dd638320(v=ws.10)).</div>|
|UIPIEnableStandardMsgs|The problem occurs when an application doesn't communicate properly with other processes because standard Windows messages aren't delivered.<p>The fix enables standard Windows messages to pass through to the current process from a lower Desktop integrity level. This fix is the equivalent of calling the ChangeWindowMessageFilter function in the code.<p>You can control this fix further by typing the following command at the command prompt:<p>`1055 1056 1069`<p>Where 1055 reflects the first message ID, 1056 reflects the second message ID, and 1069 reflects the third message ID that can pass.<div class="alert">**Note:** You can separate multiple messages with spaces. For more detailed information about this application fix, see [Using the UIPIEnableStandardMsgs Fix [act]](/previous-versions/windows/it-pro/windows-7/dd638361(v=ws.10)).</div>|
|VirtualizeDeleteFileLayer|The fix virtualizes DeleteFile operations for applications that try to delete protected files.|
|VirtualizeDesktopPainting|This fix improves the performance of a number of operations on the Desktop DC while using DWM.|
|VirtualRegistry|The problem is indicated when a Component failed to be located error message displays when an application is started.<p>The fixenables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.<p>For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).|
|VirtualizeDeleteFile|The problem occurs when several error messages display and the application cannot delete files.<p>The fixmakes the application's DeleteFile function call a virtual call in an effort to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](/previous-versions/windows/it-pro/windows-7/dd638360(v=ws.10)).</div>|
|VirtualizeHKCRLite|The problem occurs when an application fails to register COM components at runtime.<p>The fixredirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.<p>HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application is not elevated and is ignored if the application is elevated.<p>You typically will use this compatibility fix in conjunction with the VirtualizeRegisterTypeLib fix.<br>For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).|
|VirtualizeRegisterTypeLib|The fix, when it is used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](/previous-versions/windows/it-pro/windows-7/dd638385(v=ws.10)).</div>|
|WaveOutIgnoreBadFormat|This problem is indicated by an error message that states: Unable to initialize sound device from your audio driver; the application then closes.<p>The fixenables the application to ignore the format error and continue to function properly.|
|WerDisableReportException|The fix turns off the silent reporting of exceptions to the Windows Error Reporting tool, including those that are reported by Object Linking and Embedding-Database (OLE DB). The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.|
|VirtualizeDesktopPainting|This fix improves the performance of several operations on the Desktop DC while using DWM.|
|VirtualRegistry|The problem is indicated when a Component failed to be located error message displays when an application is started.<p>The fix enables the registry functions to allow for virtualization, redirection, expansion values, version spoofing, the simulation of performance data counters, and so on.<p>For more detailed information about this application fix, see [Using the VirtualRegistry Fix](/previous-versions/windows/it-pro/windows-7/cc749368(v=ws.10)).|
|VirtualizeDeleteFile|The problem occurs when several error messages display and the application can't delete files.<p>The fix makes the application's DeleteFile function call a virtual call to remedy the UAC and file virtualization issues that were introduced with Windows Vista. This fix also links other file APIs (for example, GetFileAttributes) to ensure that the virtualization of the file is deleted.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeDeleteFile Fix](/previous-versions/windows/it-pro/windows-7/dd638360(v=ws.10)).</div>|
|VirtualizeHKCRLite|The problem occurs when an application fails to register COM components at runtime.<p>The fix redirects the HKCR write calls (HKLM) to the HKCU hive for a per-user COM registration. This fix operates much like the VirtualRegistry fix when you use the VirtualizeHKCR parameter; however, VirtualizeHKCRLite provides better performance.<p>HKCR is a virtual merge of the HKCU\Software\Classes and HKLM\Software\Classes directories. The use of HKCU is preferred if an application isn't elevated and is ignored if the application is elevated.<p>You typically use this compatibility fix with the VirtualizeRegisterTypeLib fix.<br>For more detailed information about this application fix, see [Using the VirtualizeHKCRLite Fix](/previous-versions/windows/it-pro/windows-7/dd638327(v=ws.10)).|
|VirtualizeRegisterTypeLib|The fix when used with the VirtualizeHKCRLite fix, ensures that the type library and the COM class registration happen simultaneously. This fix functions much like the RegistryTypeLib fix when the RegisterTypeLibForUser parameter is used.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the VirtualizeRegisterTypelib Fix](/previous-versions/windows/it-pro/windows-7/dd638385(v=ws.10)).</div>|
|WaveOutIgnoreBadFormat|When this problem occurs when an Unable to initialize sound device from your audio driver error occurs; the application then closes.<p>The fix enables the application to ignore the format error and continue to function properly.|
|WerDisableReportException|The fix turns off the silent reporting of exceptions, including those exceptions reported by Object Linking and Embedding-Database (OLE DB), to the Windows Error Reporting tool. The fix intercepts the RtlReportException API and returns a STATUS_NOT_SUPPORTED error message.|
|Win7RTM/Win8RTM|The layer provides the application with Windows 7/Windows 8 compatibility mode.|
|WinxxRTMVersionLie|The problem occurs when an application fails because it does not find the correct version number for the required Windows operating system.<p>All version lie compatibility fixes address the issue whereby an application fails to function because it is checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.|
|Wing32SystoSys32|The problem is indicated by an error message that states that the WinG library was not properly installed.<p>The fixdetects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.<p>**Important:** The application must have Administrator privileges for this fix to work.|
|WinxxRTMVersionLie|The problem occurs when an application fails because it doesn't find the correct version number for the required Windows operating system.<p>All version lie compatibility fixes address the issue whereby an application fails to function because it's checking for, but not finding, a specific version of the operating system. The version lie fix returns the appropriate operating system version information. For example, the VistaRTMVersionLie returns the Windows Vista version information to the application, regardless of the actual operating system version that is running on the computer.|
|Wing32SystoSys32|The problem occurs when an error message that states that the WinG library wasn't properly installed.<p>The fix detects whether the WinG32 library exists in the correct directory. If the library is located in the wrong location, this fix copies the information (typically during the runtime of the application) into the %WINDIR% \system32 directory.<p>**Important:** The application must have Administrator privileges for this fix to work.|
|WinSrv08R2RTM||
|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.<p>The fixforces the application to follow these steps:<li>Open the Compatibility Administrator, and then select None for Operating System Mode.<li>On the Compatibility Fixes page, click WinXPSP2VersionLie, and then click Parameters.<li>The Options for &lt;fix_name&gt; dialog box appears.<li>Type vbrun60.dll into the Module Name box, click Include, and then click Add.<li>Save the custom database.<div class="alert">**Note:** For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](/previous-versions/windows/it-pro/windows-7/cc749518(v=ws.10)).</div>|
|WRPDllRegister|The application fails when it tries to register a COM component that is released together with Windows Vista and later.<p>The fixskips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.<p>You can control this fix further by typing the following command at the command prompt:<p>`Component1.dll;Component2.dll`<br>Where Component1.dll and Component2.dll reflect the components to be skipped.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the WRPDllRegister Fix](/previous-versions/windows/it-pro/windows-7/dd638345(v=ws.10)).</div>|
|WRPMitigation|The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.<p>The fixemulates the successful authentication and modification of file and registry APIs, so that the application can continue.<div class="alert">**Note:** For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](/previous-versions/windows/it-pro/windows-7/dd638325(v=ws.10)).</div>|
|WRPRegDeleteKey|The problem is indicated by an access denied error message that displays when the application tries to delete a registry key.<p>The fixverifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.|
|WinXPSP2VersionLie|The problem occurs when an application experiences issues because of a VB runtime DLL.<p>The fix forces the application to follow these steps:<li>Open the Compatibility Administrator, and then select None for Operating System Mode.<li>On the Compatibility Fixes page, select WinXPSP2VersionLie, and then select Parameters.<li>The Options for /<fix_name/>; dialog box appears.<li>Type vbrun60.dll into the Module Name box, select Include, and then select Add.<li>Save the custom database.<div class="alert">**Note:** For more information about the WinXPSP2VersionLie application fix, see [Using the WinXPSP2VersionLie Fix](/previous-versions/windows/it-pro/windows-7/cc749518(v=ws.10)).</div>|
|WRPDllRegister|The application fails when it tries to register a COM component that is released together with Windows Vista and later.<p>The fix skips the processes of registering and unregistering WRP-protected COM components when calling the DLLRegisterServer and DLLUnregisterServer functions.<p>You can control this fix further by typing the following command at the command prompt:<p>`Component1.dll;Component2.dll`<br>Where Component1.dll and Component2.dll reflect the components to be skipped.<div class="alert">**Note:** For more detailed information about this application fix, see [Using the WRPDllRegister Fix](/previous-versions/windows/it-pro/windows-7/dd638345(v=ws.10)).</div>|
|WRPMitigation|The problem is indicated when an access denied error message displays when the application tries to access a protected operating system resource by using more than read-only access.<p>The fix emulates the successful authentication and modification of file and registry APIs, so that the application can continue.<div class="alert">**Note:** For more detailed information about WRPMitigation, see [Using the WRPMitigation Fix](/previous-versions/windows/it-pro/windows-7/dd638325(v=ws.10)).</div>|
|WRPRegDeleteKey|The problem occurs when an access denied error message that displays when the application tries to delete a registry key.<p>The fix verifies whether the registry key is WRP-protected. If the key is protected, this fix emulates the deletion process.|
|XPAfxIsValidAddress|The fix emulates the behavior of Windows XP for MFC42!AfxIsValidAddress.|
## Compatibility Modes
@ -161,5 +158,5 @@ The following table lists the known compatibility modes.
|Compatibility Mode Name|Description|Included Compatibility Fixes|
|--- |--- |--- |
|WinSrv03|Emulates the Windows Server 2003 operating system.|<li>Win2k3RTMVersionLie<li>VirtualRegistry<li>ElevateCreateProcess<li>EmulateSorting<li>FailObsoleteShellAPIs<li>LoadLibraryCWD<li>HandleBadPtr<li>GlobalMemoryStatus2GB<li>RedirectMP3Codec<li>EnableLegacyExceptionHandlinginOLE<li>NoGhost<li>HardwareAudioMixer|
|WinSrv03|Emulates the Windows Server 2003 operating system.|<li>Win2k3RTMVersionLie<li>VirtualRegistry<li>ElevateCreateProcess<li>EmulateSorting<li>FailObsoleteShellAPIs<li>LoadLibraryCWD<li>HandleBadPtr<li>GlobalMemoryStatus2 GB<li>RedirectMP3Codec<li>EnableLegacyExceptionHandlinginOLE<li>NoGhost<li>HardwareAudioMixer|
|WinSrv03Sp1|Emulates the Windows Server 2003 with Service Pack 1 (SP1) operating system.|<li>Win2K3SP1VersionLie<li>VirtualRegistry<li>ElevateCreateProcess<li>EmulateSorting<li>FailObsoleteShellAPIs<li>LoadLibraryCWD<li>HandleBadPtr<li>EnableLegacyExceptionHandlinginOLE<li>RedirectMP3Codec<li>HardwareAudioMixer|

52
windows/deployment/planning/windows-10-enterprise-faq-itpro.yml
View File

@ -9,7 +9,7 @@ metadata:
ms.localizationpriority: medium
ms.sitesec: library
ms.date: 10/28/2022
ms.reviewer:
ms.reviewer:
author: frankroj
ms.author: frankroj
manager: aaroncz
@ -26,17 +26,17 @@ sections:
Where can I download Windows 10 Enterprise?
answer: |
If you have Windows volume licenses with Software Assurance, or if you have purchased licenses for Windows 10 Enterprise volume licenses, you can download 32-bit and 64-bit versions of Windows 10 Enterprise from the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). If you don't have current Software Assurance for Windows and would like to purchase volume licenses for Windows 10 Enterprise, contact your preferred Microsoft Reseller or see [How to purchase through Volume Licensing](https://www.microsoft.com/Licensing/how-to-buy/how-to-buy.aspx).
- question: |
What are the system requirements?
answer: |
For details, see [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752).
For details, see [Windows 10 Enterprise system requirements](https://www.microsoft.com/windows/Windows-10-specifications#areaheading-uid09f4).
- question: |
What are the hardware requirements for Windows 10?
answer: |
Most computers that are compatible with Windows 8.1 will be compatible with Windows 10. You may need to install updated drivers in Windows 10 for your devices to properly function. For more information, see [Windows 10 specifications](https://www.microsoft.com/windows/windows-10-specifications).
- question: |
Can I evaluate Windows 10 Enterprise?
answer: |
@ -55,17 +55,17 @@ sections:
- [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment)
- [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984)
- [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html)
- question: |
Where can I find out if an application or device is compatible with Windows 10?
answer: |
Many existing Win32 and Win64 applications already run reliably on Windows 10 without any changes. You can also expect strong compatibility and support for Web apps and devices.
- question: |
Is there an easy way to assess if my organization's devices are ready to upgrade to Windows 10?
answer: |
[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) provides powerful insights and recommendations about the computers, applications, and drivers in your organization, at no extra cost and without other infrastructure requirements. This service guides you through your upgrade and feature update projects using a workflow based on Microsoft recommended practices. Up-to-date inventory data allows you to balance cost and risk in your upgrade projects.
- name: Administration and deployment
questions:
- question: |
@ -78,36 +78,36 @@ sections:
- [MDT](/mem/configmgr/mdt) is a collection of tools, processes, and guidance for automating desktop and server deployment.
- The [Windows ADK](/windows-hardware/get-started/adk-install) has tools that allow you to customize Windows images for large-scale deployment, and test system quality and performance. You can download the latest version of the Windows ADK for Windows 10 from the Hardware Dev Center.
- question: |
Can I upgrade computers from Windows 7 or Windows 8.1 without deploying a new image?
answer: |
Computers running Windows 7 or Windows 8.1 can be upgraded directly to Windows 10 through the in-place upgrade process without a need to reimage the device using MDT and/or Configuration Manager. For more information, see [Upgrade to Windows 10 with Microsoft Configuration Manager](../deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md) or [Upgrade to Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md).
- question: |
Can I upgrade from Windows 7 Enterprise or Windows 8.1 Enterprise to Windows 10 Enterprise for free?
answer: |
If you have Windows 7 Enterprise or Windows 8.1 Enterprise and current Windows 10 Enterprise E3 or E5 subscription, you're entitled to the upgrade to Windows 10 Enterprise through the rights of Software Assurance. You can find your product keys and installation media at the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
For devices that are licensed under a volume license agreement for Windows that doesn't include Software Assurance, new licenses will be required to upgrade these devices to Windows 10.
- name: Managing updates
questions:
- question: |
What is Windows as a service?
answer: |
The Windows 10 operating system introduces a new way to build, deploy, and service Windows: Windows as a service. Microsoft has reimagined each part of the process, to simplify the lives of IT pros and maintain a consistent Windows 10 experience for its customers. These improvements focus on maximizing customer involvement in Windows development, simplifying the deployment and servicing of Windows client computers, and leveling out the resources needed to deploy and maintain Windows over time. For more information, see [Overview of Windows as a service](../update/waas-overview.md).
- question: |
How is servicing different with Windows as a service?
answer: |
Traditional Windows servicing has included several release types: major revisions (for example, Windows 8.1, Windows 8, and Windows 7 operating systems), service packs, and monthly updates. With Windows 10, there are two release types: feature updates that add new functionality two to three times per year, and quality updates that provide security and reliability fixes at least once a month.
- question: |
What are the servicing channels?
answer: |
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels).
To align with the new method of delivering feature updates and quality updates in Windows 10, Microsoft introduced the concept of servicing channels to allow customers to designate how aggressively their individual devices are updated. For example, an organization may have test devices that the IT department can update with new features as soon as possible, and then specialized devices that require a longer feature update cycle to ensure continuity. With that in mind, Microsoft offers two servicing channels for Windows 10: General Availability Channel, and Long-Term Servicing Channel (LTSC). For details about the versions in each servicing channel, see [Windows 10 release information](/windows/release-health/release-information). For more information on each channel, see [servicing channels](../update/waas-overview.md#servicing-channels).
- question: |
What tools can I use to manage Windows as a service updates?
answer: |
@ -116,25 +116,25 @@ sections:
- Windows Update for Business
- Windows Server Update Services
- Microsoft Configuration Manager
For more information, see [Servicing Tools](../update/waas-overview.md#servicing-tools).
- name: User experience
questions:
- question: |
Where can I find information about new features and changes in Windows 10 Enterprise?
answer: |
For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library.
Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10.
To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare).
- question: |
How will people in my organization adjust to using Windows 10 Enterprise after upgrading from Windows 7 or Windows 8.1?
answer: |
Windows 10 combines the best aspects of the user experience from Windows 8.1 and Windows 7 to make using Windows simple and straightforward. Users of Windows 7 will find the Start menu in the same location as they always have. In the same place, users of Windows 8.1 will find the live tiles from their Start screen, accessible by the Start button in the same way as they were accessed in Windows 8.1.
- question: |
How does Windows 10 help people work with applications and data across various devices?
answer: |
@ -143,13 +143,13 @@ sections:
- Universal apps now open in windows instead of full screen.
- [Multitasking is improved with adjustable Snap](https://blogs.windows.com/windows-insider/2015/06/04/arrange-your-windows-in-a-snap/), which allows you to have more than two windows side-by-side on the same screen and to customize how those windows are arranged.
- Tablet Mode to simplify using Windows with a finger or pen by using touch input.
- name: Help and support
questions:
- question: |
Where can I ask a question about Windows 10?
answer: |
Use the following resources for additional information about Windows 10.
- If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet.
- If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum).
- If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev).
- [Microsoft Q&A](/answers/)
- [Microsoft Support Community](https://answers.microsoft.com/)

35
windows/deployment/update/waas-configure-wufb.md
View File

@ -10,7 +10,7 @@ ms.topic: conceptual
ms.subservice: itpro-updates
ms.collection:
- tier1
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/windows-server-release-info target=_blank>Windows Server 2022</a>
@ -21,12 +21,12 @@ ms.date: 02/14/2024
# Configure Windows Update for Business
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> [!NOTE]
> Windows Server _doesn't_ get feature updates from Windows Update, so only the quality update policies apply. This behavior doesn't apply to [Azure Stack hyperconverged infrastructure (HCI)](/azure-stack/hci/).
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this article provide the Group Policy and MDM policies for Windows 10, version 1511 and later, including Windows 11. The MDM policies use the OMA-URI setting from the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
> [!IMPORTANT]
> Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels).
@ -34,17 +34,17 @@ You can use Group Policy or your mobile device management (MDM) service to confi
## Start by grouping devices
By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization.
By grouping devices with similar deferral periods, administrators are able to cluster devices into deployment or validation groups, which can be as a quality control measure as updates are deployed. With deferral windows and the ability to pause updates, administrators can effectively control and measure update deployments, updating a small pool of devices first to verify quality, prior to a broader roll-out to their organization.
>[!TIP]
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsofts design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
>In addition to setting up multiple rings for your update deployments, also incorporate devices enrolled in the Windows Insider Program as part of your deployment strategy. This will provide you the chance to not only evaluate new features before they are broadly available to the public, but it also increases the lead time to provide feedback and influence Microsoft's design on functional aspects of the product. For more information on Windows Insider program, see [https://insider.windows.com/](https://insider.windows.com/).
<span id="configure-devices-for-current-branch-or-current-branch-for-business"/>
## Configure devices for the appropriate service channel
With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels).
With Windows Update for Business, you can set a device to be on either Windows Insider Preview or the General Availability Channel servicing branch. For more information on this servicing model, see [Servicing channels](waas-overview.md#servicing-channels).
**Release branch policies**
@ -65,7 +65,7 @@ Starting with Windows 10, version 1703, users can configure the branch readiness
## Configure when devices receive feature updates
After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
After you configure the servicing branch (Windows Insider Preview or General Availability Channel), you can then define if, and for how long, you would like to defer receiving feature updates following their availability from Microsoft on Windows Update. You can defer receiving these feature updates for a period of up to 365 days from their release by setting the `DeferFeatureUpdatesPeriodinDays` value.
For example, a device on the General Availability Channel with `DeferFeatureUpdatesPeriodinDays=30` won't install a feature update that is first publicly available on Windows Update in September until 30 days later, in October.
@ -87,7 +87,7 @@ For example, a device on the General Availability Channel with `DeferFeatureUpda
You can also pause a device from receiving feature updates by a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable feature updates. Following this scan, you can then pause feature updates for the device again.
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
@ -104,7 +104,7 @@ In cases where the pause policy is first applied after the configured start date
| MDM for Windows 10, version 1607 or later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**PauseFeatureUpdates** | **1607:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdates</br> **1703 and later:** \Microsoft\PolicyManager\default\Update\PauseFeatureUpdatesStartTime |
| MDM for Windows 10, version 1511: </br>../Vendor/MSFT/Policy/Config/Update/</br>**DeferUpgrade** | \Microsoft\PolicyManager\default\Update\Pause |
You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
You can check the date that feature updates were paused by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) won't reflect whether the feature update pause period has expired. Although the device will resume feature updates after 35 days automatically, the pause check box will remain selected in the policy editor. To check whether a device has automatically resumed taking feature updates, check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings** for the following values:
@ -125,7 +125,7 @@ Starting with Windows 10, version 1703, using Settings to control the pause beha
## Configure when devices receive quality updates
Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
Quality updates are typically published on the second Tuesday of every month, although they can be released at any time. You can define if, and for how long, you would like to defer receiving quality updates following their availability. You can defer receiving these quality updates for a period of up to 30 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
You can set your system to receive updates for other Microsoft products—known as Microsoft updates (such as Microsoft Office, Visual Studio)—along with Windows updates by setting the **AllowMUUpdateService** policy. When you do this, these Microsoft updates will follow the same deferral and pause rules as all other quality updates. For a list of other Microsoft products that might be updated, see [Update other Microsoft products](update-other-microsoft-products.md).
@ -145,7 +145,7 @@ You can set your system to receive updates for other Microsoft products—known
You can also pause a system from receiving quality updates for a period of up to 35 days from when the value is set. After 35 days have passed, the pause setting will automatically expire and the device will scan Windows Update for applicable quality updates. Following this scan, you can then pause quality updates for the device again.
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
Starting with Windows 10, version 1703, when you configure a pause by using policy, you must set a start date for the pause to begin. The pause period is calculated by adding 35 days to this start date.
In cases where the pause policy is first applied after the configured start date has passed, you can extend the pause period up to a total of 35 days by configuring a later start date.
@ -210,10 +210,10 @@ Starting with Windows 10, version 1607, you can selectively opt out of receiving
| MDM for Windows 10, version 1607 and later: </br>../Vendor/MSFT/Policy/Config/Update/</br>**ExcludeWUDriversInQualityUpdate** | \Microsoft\PolicyManager\default\Update\ExcludeWUDriversInQualityUpdate |
## Enable optional updates
<!--7991583-->
<!--7991583-->
In addition to the monthly cumulative update, optional updates are available to provide new features and nonsecurity changes. Most optional updates are released on the fourth Tuesday of the month, known as optional nonsecurity preview releases. Optional updates can also include features that are gradually rolled out, known as controlled feature rollouts (CFRs). Installation of optional updates isn't enabled by default for devices that receive updates using Windows Update for Business. However, you can enable optional updates for devices by using the **Enable optional updates** policy.
To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
To keep the timing of updates consistent, the **Enable optional updates** policy respects the [deferral period for quality updates](#configure-when-devices-receive-quality-updates). This policy allows you to choose if devices should receive CFRs in addition to the optional nonsecurity preview releases, or if the end-user can make the decision to install optional updates. This policy can change the behavior of the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**.
:::image type="content" source="media/7991583-update-seeker-enabled.png" alt-text="Screenshot of the Get the latest updates as soon as they're available option in the Windows updates page of Settings." lightbox="media/7991583-update-seeker-enabled.png":::
@ -230,7 +230,7 @@ The following options are available for the policy:
- **Users can select which optional updates to receive**:
- Users can select which optional updates to install from **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Optional updates**.
- Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.
- Optional updates are offered to the device, but user interaction is required to install them unless the **Get the latest updates as soon as they're available** option is also enabled.
- CFRs are offered to the device, but not necessarily in the early phases of the rollout.
- Users can enable the **Get the latest updates as soon as they're available** option in **Settings** > **Update & security** > ***Windows Update** > **Advanced options**. If the user enables the **Get the latest updates as soon as they're available**, then:
- The device will receive CFRs in early phases of the rollout.
@ -249,7 +249,7 @@ The following options are available for the policy:
## Enable features that are behind temporary enterprise feature control
<!--6544872-->
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
New features and enhancements are introduced through the monthly cumulative update to provide continuous innovation for Windows 11. To give organizations time to plan and prepare, some of these new features are temporarily turned off by default. Features that are turned off by default are listed in the KB article for the monthly cumulative update. Typically, a feature is selected to be off by default because it either impacts the user experience or IT administrators significantly.
The features that are behind temporary enterprise feature control will be enabled in the next annual feature update. Organizations can choose to deploy feature updates at their own pace, to delay these features until they're ready for them. For a list of features that are turned off by default, see [Windows 11 features behind temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control).
@ -274,7 +274,7 @@ The following are quick-reference tables of the supported policy values for Wind
| BranchReadinessLevel | REG_DWORD | 2: Systems take feature updates for the Windows Insider build - Fast </br> 4: Systems take feature updates for the Windows Insider build - Slow </br> 8: Systems take feature updates for the Release Windows Insider build </br></br> Other value or absent: Receive all applicable updates |
| DeferFeatureUpdates | REG_DWORD | 1: Defer feature updates</br>Other value or absent: Don't defer feature updates |
| DeferFeatureUpdatesPeriodinDays | REG_DWORD | 0-365: Defer feature updates by given days |
| DeferQualityUpdates | REG_DWORD | 1: Defer quality updates</br>Other value or absent: Don't defer quality updates |
| DeferQualityUpdates | REG_DWORD | 1: Defer quality updates</br>Other value or absent: Don't defer quality updates |
| DeferQualityUpdatesPeriodinDays | REG_DWORD | 0-35: Defer quality updates by given days |
| ExcludeWUDriversInQualityUpdate | REG_DWORD | 1: Exclude Windows Update drivers</br>Other value or absent: Offer Windows Update drivers |
| PauseFeatureUpdatesStartTime | REG_DWORD |1: Pause feature updates</br>Other value or absent: Don't pause feature updates |
@ -310,4 +310,3 @@ When a device running a newer version sees an update available on Windows Update
| PauseFeatureUpdates | PauseFeatureUpdatesStartTime |
| PauseQualityUpdates | PauseQualityUpdatesStartTime |

16
windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
View File

@ -8,30 +8,30 @@ author: mestew
ms.author: mstewart
manager: aaroncz
ms.localizationpriority: medium
appliesto:
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
ms.date: 12/31/2017
---
# Prepare a servicing strategy for Windows client updates
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Here's an example of what this process might look like:
- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they're available to the General Availability Channel. Typically, this population would be a few test devices that IT staff members use to evaluate prerelease builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program for Business.
- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Identify excluded devices.** For some organizations, special-purpose devices, like devices that control factory or medical equipment or run ATMs, require a stricter, less frequent feature update cycle than the General Availability Channel can offer. For those devices, install the Enterprise LTSC edition to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly.
- **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you're looking for feedback rather than people to just "try it out" and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible.
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/previous-versions/dotnet/articles/bb530196(v=msdn.10)) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain needs to download an .admx package and copy it to their [Central Store](/troubleshoot/windows-server/group-policy/create-central-store-domain-controller) (or to the [PolicyDefinitions](/troubleshoot/windows-server/group-policy/manage-group-policy-adm-file) directory in the SYSVOL folder of a domain controller if not using a Central Store). You can manage new group policies from the latest release of Windows by using Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for "ADMX download for Windows build xxxx". For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
- **Choose a servicing tool.** Decide which product you'll use to manage the Windows updates in your environment. If you're currently using Windows Server Update Services (WSUS) or Microsoft Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 or Windows 11 updates. Alternatively, you can use Windows Update for Business. In addition to which product you'll use, consider how you'll deliver the updates. Multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview).
- **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those apps that are the most business critical. Because the expectation is that application compatibility with new versions of Windows will be high, only the most business-critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](/mem/configmgr/desktop-analytics/overview).
Each time Microsoft releases a feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful:
1. **Validate compatibility of business critical apps.** Test your most important business-critical applications for compatibility with the new Windows 10 feature update running on your Windows Insider machines identified in the earlier "Configure test devices" step of the previous section. The list of applications involved in this validation process should be small because most applications can be tested during the pilot phase.
2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
2. **Target and react to feedback.** Microsoft expects application and device compatibility to be high, but it's still important to have targeted groups within both the IT department and business units to verify application compatibility for the remaining applications in your application portfolio. Because only the most business-critical applications are tested beforehand, this activity represents most of the application compatibility testing in your environment. It shouldn't necessarily be a formal process but rather user validation by using a particular application. So, the next step is to deploy the feature update to early-adopting IT users and your targeted groups running in the General Availability Channel that you identified in the "Recruit volunteers" step of the previous section. Be sure to communicate clearly that you're looking for feedback as soon as possible, and state exactly how users can submit feedback to you. Should an issue arise, have a remediation plan to address it.
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don't prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.

4
windows/deployment/usmt/usmt-best-practices.md
View File

@ -46,7 +46,7 @@ This article discusses general and security-related best practices when using Us
- **Chkdsk.exe.**
Microsoft recommends running **Chkdsk.exe** before running the **ScanState** and **LoadState** tools. **Chkdsk.exe** creates a status report for a hard disk drive and lists and corrects common errors. For more information about the **Chkdsk.exe** tool, see [Chkdsk](/previous-versions/windows/it-pro/windows-xp/bb490876(v=technet.10)).
Microsoft recommends running **Chkdsk.exe** before running the **ScanState** and **LoadState** tools. **Chkdsk.exe** creates a status report for a hard disk drive and lists and corrects common errors. For more information about the **Chkdsk.exe** tool, see [Chkdsk](/windows-server/administration/windows-commands/chkdsk).
- **Migrate in groups.**
@ -112,7 +112,7 @@ As the authorized administrator, it's the responsibility to protect the privacy
The migration performance can be affected when the **\<context\>** element is used with the **\<component\>** element. For example, when encapsulating logical units of file- or path-based **\<include\>** and **\<exclude\>** rules.
In the **User** context, a rule is processed one time for each user on the system.
In the **System** context, a rule is processed one time for the system.
In the **UserAndSystem** context, a rule is processed one time for each user on the system and one time for the system.

2
windows/deployment/volume-activation/monitor-activation-client.md
View File

@ -34,7 +34,7 @@ You can monitor the success of the activation process for a computer running Win
- Using the Volume Licensing Service Center website to track use of MAK keys.
- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options](/previous-versions//ff793433(v=technet.10)).
- Using the `Slmgr /dlv` command on a client computer or on the KMS host. For a full list of options, see [Slmgr.vbs options for obtaining volume activation information](/windows-server/get-started/activation-slmgr-vbs-options).
- Viewing the licensing status, which is exposed through Windows Management Instrumentation (WMI); therefore, it's available to non-Microsoft or custom tools that can access WMI. (Windows PowerShell can also access WMI information.)

3
windows/deployment/volume-activation/plan-for-volume-activation-client.md
View File

@ -62,7 +62,8 @@ Volume licensing offers customized programs that are tailored to the size and pu
- Purchase a fully packaged retail product
The licenses that are provided through volume licensing programs such as Open License, Select License, and Enterprise Agreements cover upgrades to Windows client operating systems only. An existing retail or OEM operating system license is needed for each computer running Windows 10, Windows 8.1 Pro, Windows 8 Pro, Windows 7 Professional or Ultimate, or Windows XP Professional before the upgrade rights obtained through volume licensing can be exercised.
Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and MSDN. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
Volume licensing is also available through certain subscription or membership programs, such as the Microsoft Partner Network and Visual Studio Online. These volume licenses may contain specific restrictions or other changes to the general terms applicable to volume licensing.
> [!NOTE]
> Some editions of the operating system, such as Windows 10 Enterprise, and some editions of application software are available only through volume licensing agreements or subscriptions.

4
windows/deployment/volume-activation/volume-activation-windows-10.md
View File

@ -37,7 +37,7 @@ ms.subservice: itpro-fundamentals
This guide is designed to help organizations that are planning to use volume activation to deploy and activate Windows 10, including organizations that have used volume activation for earlier versions of Windows.
*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [MSDN Subscriptions](https://visualstudio.microsoft.com/msdn-platforms/).
*Volume activation* is the process that Microsoft volume licensing customers use to automate and manage the activation of Windows operating systems, Microsoft Office, and other Microsoft products across large organizations. Volume licensing is available to customers who purchase software under various volume programs (such as [Open](https://www.microsoft.com/Licensing/licensing-programs/open-license) and [Select](https://www.microsoft.com/Licensing/licensing-programs/select)) and to participants in programs such as the [Microsoft Partner Program](https://partner.microsoft.com/) and [Visual Studio Online](https://visualstudio.microsoft.com/msdn-platforms/).
Volume activation is a configurable solution that helps automate and manage the product activation process on computers running Windows operating systems that have been licensed under a volume licensing program. Volume activation is also used with other software from Microsoft (most notably the Office suites) that are sold under volume licensing agreements and that support volume activation.
@ -47,7 +47,7 @@ Because most organizations won't immediately switch all computers to Windows 10,
Volume activation -and the need for activation itself- isn't new, and this guide doesn't review all of its concepts and history. You can find additional background in the appendices of this guide. For more information, see [Volume Activation Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831612(v=ws.11)).
If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide for Windows 7](/previous-versions/tn-archive/dd878528(v=technet.10)).
If you would like additional information about planning a volume activation deployment specifically for Windows 7 and Windows Server 2008 R2, see the [Volume Activation Planning Guide](/previous-versions/tn-archive/dd878528(v=technet.10)).
To successfully plan and implement a volume activation strategy, you must:

16
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -157,7 +157,7 @@ The procedures in this guide are summarized in the following table. An estimate
You can also verify WMI using the WMI console by typing **wmimgmt.msc**, right-clicking **WMI Control (Local)** in the console tree, and then clicking **Properties**.
If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [WMIDiag](https://blogs.technet.microsoft.com/askperf/2015/05/12/wmidiag-2-2-is-here/) for troubleshooting information.
If the WMI service isn't started, attempt to start it or reboot the computer. If WMI is running but errors are present, see [winmgmt](/windows/win32/wmisdk/winmgmt) for troubleshooting information.
5. To extend the Active Directory schema, enter the following command at an elevated Windows PowerShell prompt:
@ -230,15 +230,9 @@ The procedures in this guide are summarized in the following table. An estimate
## Download MDOP and install DaRT
> [!IMPORTANT]
> This step requires an MSDN subscription or volume licence agreement. For more information, see [Ready for Windows 10: MDOP 2015 and more tools are now available](https://blogs.technet.microsoft.com/windowsitpro/2015/08/17/ready-for-windows-10-mdop-2015-and-more-tools-are-now-available/).
<!--
> This step requires a Visual Studio subscription or volume license agreement. For more information, see [MDOP information experience](/microsoft-desktop-optimization-pack/).
THE LINK REFERENCED IN THE BELOW URL IS DEAD SO COMMENTING OUT
> If your organization qualifies and does not already have an MSDN subscription, you can obtain a [free MSDN subscription with BizSpark](/archive/blogs/zainnab/bizspark-free-msdn-subscription-for-start-up-companies/).
-->
1. Download the [Microsoft Desktop Optimization Pack 2015](https://msdn.microsoft.com/subscriptions/downloads/#ProductFamilyId=597) to the Hyper-V host using an MSDN subscription. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
1. Download the Microsoft Desktop Optimization Pack 2015 to the Hyper-V host from Visual Studio Online or from the [Microsoft Volume Licensing website (MVLS)](https://go.microsoft.com/fwlink/p/?LinkId=166331) site. Download the .ISO file (mu_microsoft_desktop_optimization_pack_2015_x86_x64_dvd_5975282.iso, 2.79 GB) to the C:\VHD directory on the Hyper-V host.
2. Enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host to mount the MDOP file on SRV1:
@ -780,7 +774,7 @@ If you've already completed steps in [Deploy Windows 10 in a test lab using Micr
[Settings]
Priority=Default
Properties=OSDMigrateConfigFiles,OSDMigrateMode
[Default]
DoCapture=NO
ComputerBackupLocation=NONE
@ -1092,7 +1086,7 @@ Set-VMNetworkAdapter -VMName PC4 -StaticMacAddress 00-15-5D-83-26-FF
- Select Resources > Value: Select the computername associated with the PC1 VM (GREGLIN-PC1 in this example).
- Select **Next** twice and then select **Close** in both windows.
3. Select **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Don't proceed until this name is displayed.
3. Select **Device Collections** and then double-click **USMT Backup (Replace)**. Verify that the computer name/hostname associated with PC1 is displayed in the collection. Don't proceed until this name is displayed.
### Create a new deployment

2
windows/deployment/windows-10-poc.md
View File

@ -118,8 +118,6 @@ The two Windows Server VMs can be combined into a single VM to conserve RAM and
### Verify support and install Hyper-V
Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
```cmd

50
windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md
View File

@ -1,7 +1,7 @@
---
title: Device registration overview
description: This article provides an overview on how to register devices in Autopatch
ms.date: 07/25/2023
description: This article provides an overview on how to register devices in Autopatch.
ms.date: 02/15/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: conceptual
@ -19,13 +19,13 @@ ms.collection:
Windows Autopatch must [register your existing devices](windows-autopatch-register-devices.md) into its service to manage update deployments on your behalf.
The Windows Autopatch device registration process is transparent for end-users because it doesnt require devices to be reset.
The Windows Autopatch device registration process is transparent for end-users because it doesn't require devices to be reset.
The overall device registration process is as follows:
:::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png":::
1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch.
1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) before registering devices with Windows Autopatch.
2. IT admin identifies devices to be managed by Windows Autopatch through either adding device-based Microsoft Entra groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md).
3. Windows Autopatch then:
1. Performs device readiness prior registration (prerequisite checks).
@ -47,12 +47,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
| ----- | ----- |
| **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. |
| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Microsoft Entra ID assigned or dynamic groups into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group when using adding existing device-based Microsoft Entra groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group</li></ul> |
| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group or from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.<ol><li>Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.</li></ol> |
| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**Serial number, model, and manufacturer.**</li><ol><li>Checks if the serial number already exists in the Windows Autopatchs managed device database.</li></ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasnt enrolled into Intune.</li><li>A common reason is when the Microsoft Entra device ID is stale, it doesnt have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isnt enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenants existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenants existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesnt automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). Its important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li>Then the second deployment ring set, the software updates-based deployment ring set represented by the following Microsoft Entra groups:<ul><li>**Windows Autopatch - Ring1**<ul><li>The Windows Autopatch device registration process doesnt automatically assign devices to the Test ring represented by the Microsoft Entra groups (**Windows Autopatch - Test**). Its important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ul><li>**Windows Autopatch - Ring2**</li>**Windows Autopatch - Ring3**</li></li></ol> |
| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Microsoft Entra ID assigned group or from Microsoft Entra groups used with Autopatch groups in **step #2**. The Microsoft Entra device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Microsoft Entra ID when registering devices into its service.<ol><li>Once devices are discovered from the Microsoft Entra group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Microsoft Entra ID in this step:</li><ol><li>**AzureADDeviceID**</li><li>**OperatingSystem**</li><li>**DisplayName (Device name)**</li><li>**AccountEnabled**</li><li>**RegistrationDateTime**</li><li>**ApproximateLastSignInDateTime**</li></ol><li>In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements before registration.</li></ol> |
| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:<ol><li>**If the device is Intune-managed or not.**</li><ol><li>Windows Autopatch looks to see **if the Microsoft Entra device ID has an Intune device ID associated with it**.</li><ol><li>If **yes**, it means this device is enrolled into Intune.</li><li>If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.</li></ol><li>**If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Microsoft Entra device attributes gathered and saved to its memory in **step 3a**.</li><ol><li>Once it has the device attributes gathered from Microsoft Entra ID in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn't enrolled into Intune.</li><li>A common reason is when the Microsoft Entra device ID is stale, it doesn't have an Intune device ID associated with it anymore. To remediate, [clean up any stale Microsoft Entra device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).</li></ol><li>**If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.</li></ol><li>**If the device is a Windows device or not.**</li><ol><li>Windows Autopatch looks to see if the device is a Windows and corporate-owned device.</li><ol><li>**If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.</li><li>**If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.</li></ol></ol><li>**Windows Autopatch checks the Windows SKU family**. The SKU must be either:</li><ol><li>**Enterprise**</li><li>**Pro**</li><li>**Pro Workstation**</li></ol><li>**If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:</li><ol><li>**Only managed by Intune.**</li><ol><li>If the device is only managed by Intune, the device is marked as Passed all prerequisites.</li></ol><li>**Co-managed by both Configuration Manager and Intune.**</li><ol><li>If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:</li><ol><li>**Windows Updates Policies**</li><li>**Device Configuration**</li><li>**Office Click to Run**</li></ol><li>If Windows Autopatch determines that one of these workloads isn't enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.</li></ol></ol></ol>|
| **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:<ol><li>If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.</li><li>If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.</li></ol> |
| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Microsoft Entra groups:<ol><li>**Modern Workplace Devices-Windows Autopatch-First**</li><ol><li>The Windows Autopatch device registration process doesn't automatically assign devices to the Test ring represented by the Microsoft Entra group (**Modern Workplace Devices-Windows Autopatch-Test**). It's important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ol><li>**Modern Workplace Devices-Windows Autopatch-Fast**</li><li>**Modern Workplace Devices-Windows Autopatch-Broad**</li>Then the second deployment ring set, the software updates-based deployment ring set represented by the following Microsoft Entra groups:<ul><li>**Windows Autopatch - Ring1**<ul><li>The Windows Autopatch device registration process doesn't automatically assign devices to the Test ring represented by the Microsoft Entra groups (**Windows Autopatch - Test**). It's important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.</li></ul><li>**Windows Autopatch - Ring2**</li>**Windows Autopatch - Ring3**</li></li></ol> |
| **Step 7: Assign devices to a Microsoft Entra group** | Windows Autopatch also assigns devices to the following Microsoft Entra groups when certain conditions apply:<ol><li>**Modern Workplace Devices - All**</li><ol><li>This group has all devices managed by Windows Autopatch.</li></ol><li>**Modern Workplace Devices - Virtual Machine**</li><ol><li>This group has all **virtual devices** managed by Windows Autopatch.</li></ol> |
| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Registered** tab.</li><li>The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extensions allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
| **Step 8: Post-device registration** | In post-device registration, three actions occur:<ol><li>Windows Autopatch adds devices to its managed database.</li><li>Flags devices as **Active** in the **Registered** tab.</li><li>The Microsoft Entra device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension's allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.</li><ol><li>The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.</li></ol> |
| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Registered** and **Not registered** tabs.<ol><li>If the device was **successfully registered**, the device shows up in the **Registered** tab.</li><li>If **not**, the device shows up in the **Not registered** tab.</li></ol> |
| **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. |
@ -86,7 +86,7 @@ The five Microsoft Entra ID assigned groups that are used to organize devices fo
| Windows Autopatch - Ring1 | First production deployment ring for early adopters. |
| Windows Autopatch - Ring2 | Fast deployment ring for quick rollout and adoption. |
| Windows Autopatch - Ring3 | Final deployment ring for broad rollout into the organization. |
| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after its well tested with early and general populations in an organization. |
| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it's well tested with early and general populations in an organization. |
In the software-based deployment ring set, each deployment ring has a different set of update deployment policies to control the updates rollout.
@ -94,7 +94,7 @@ In the software-based deployment ring set, each deployment ring has a different
> Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see[Moving devices in between deployment rings](#moving-devices-in-between-deployment-rings).
> [!IMPORTANT]
> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch Test and Windows Autopatch Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch - Test and Windows Autopatch - Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
During the device registration process, Windows Autopatch assigns each device to a [service-based and software-update based deployment ring](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings) so that the service has the proper representation of device diversity across your organization.
@ -107,15 +107,15 @@ The deployment ring distribution is designed to release software update deployme
The Windows Autopatch deployment ring calculation occurs during thedevice registration processand it applies to both the [service-based and the software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings):
- If the Windows Autopatch tenants existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**.
- If the Windows Autopatch tenants existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**.
- If the Windows Autopatch tenant's existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**.
- If the Windows Autopatch tenant's existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**.
> [!NOTE]
> You can customize the deployment ring calculation logic by editing the Default Autopatch group.
| Service-based deployment ring | Default Autopatch group deployment ring | Default device balancing percentage | Description |
| ----- | ----- | ----- | ----- |
| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:<br><ul><li>**0500** devices: minimum **one** device.</li><li>**5005000** devices: minimum **five** devices.</li><li>**5000+** devices: minimum **50** devices.</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:<br><ul><li>**0-500** devices: minimum **one** device.</li><li>**500-5000** devices: minimum **five** devices.</li><li>**5000+** devices: minimum **50** devices.</li></ul>Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. |
| First | Ring 1 | **1%** | The First ring is the first group of production users to receive a change.<p><p>This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.<p><p>Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.|
| Fast | Ring 2 | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.<p><p>The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.</p> |
| Broad | Ring 3 | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.|
@ -123,17 +123,17 @@ The Windows Autopatch deployment ring calculation occurs during thedevice reg
## Software update-based to service-based deployment ring mapping
Theres a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that dont yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge.
There's a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don't yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge.
| If moving a device to | The device also moves to |
| ----- | ----- |
| Windows Autopatch Test | Modern Workplace Devices-Windows Autopatch-Test |
| Windows Autopatch Ring1 | Modern Workplace Devices-Windows Autopatch-First |
| Windows Autopatch Ring2 | Modern Workplace Devices-Windows Autopatch-Fast |
| Windows Autopatch Ring3 | Modern Workplace Devices-Windows Autopatch-Broad |
| Windows Autopatch Last | Modern Workplace Devices-Windows Autopatch-Broad |
| Windows Autopatch - Test | Modern Workplace Devices-Windows Autopatch-Test |
| Windows Autopatch - Ring1 | Modern Workplace Devices-Windows Autopatch-First |
| Windows Autopatch - Ring2 | Modern Workplace Devices-Windows Autopatch-Fast |
| Windows Autopatch - Ring3 | Modern Workplace Devices-Windows Autopatch-Broad |
| Windows Autopatch - Last | Modern Workplace Devices-Windows Autopatch-Broad |
If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, `<Autopatch group name Ring4, Ring5, Ring6, etc.>`. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**.
If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, `<Autopatch group name - Ring4, Ring5, Ring6, etc.>`. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**.
## Moving devices in between deployment rings
@ -162,7 +162,7 @@ If you don't see theRing assigned by columnchange to**Pending**in St
## Automated deployment ring remediation functions
Windows Autopatch monitors device membership in its deployment rings, except for the**Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch Test** and **Windows Autopatch Last**rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
Windows Autopatch monitors device membership in its deployment rings, except for the**Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last**rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
- An issue occurred which prevented devices from getting a deployment ring assigned during thedevice registration process.
@ -171,8 +171,8 @@ There are two automated deployment ring remediation functions:
| Function | Description |
| ----- | ----- |
| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the**Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch Test and Windows Autopatch Last**rings). |
| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the**Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch Test** and **Windows Autopatch Last**rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. |
| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the**Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test and Windows Autopatch - Last**rings). |
| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the**Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch - Test** and **Windows Autopatch - Last**rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. |
> [!IMPORTANT]
> Windows Autopatch automated deployment ring functions dont assign or remove devices to or from the following deployment rings:<li>**Modern Workplace Devices-Windows Autopatch-Test**</li><li>**Windows Autopatch Test**</li><li>**Windows Autopatch Last**</li></ul>
> Windows Autopatch automated deployment ring functions don't assign or remove devices to or from the following deployment rings:<li>**Modern Workplace Devices-Windows Autopatch-Test**</li><li>**Windows Autopatch - Test**</li><li>**Windows Autopatch - Last**</li></ul>

46
windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
View File

@ -23,7 +23,7 @@ Autopatch groups is a logical container or unit that groups several [Microsoft E
## Autopatch groups prerequisites
Before you start managing Autopatch groups, ensure youve met the following prerequisites:
Before you start managing Autopatch groups, ensure you've met the following prerequisites:
- Review [Windows Autopatch groups overview documentation](../deploy/windows-autopatch-groups-overview.md) to understand [key benefits](../deploy/windows-autopatch-groups-overview.md#key-benefits), [concepts](../deploy/windows-autopatch-groups-overview.md#key-concepts) and [common ways to use Autopatch groups](../deploy/windows-autopatch-groups-overview.md#common-ways-to-use-autopatch-groups) within your organization.
- Ensure the following [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) are created in your tenant:
@ -32,23 +32,23 @@ Before you start managing Autopatch groups, ensure youve met the following pr
- Modern Workplace Update Policy [Fast]-[Windows Autopatch]
- Modern Workplace Update Policy [Broad]-[Windows Autopatch]
- Ensure the following [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) are created in your tenant:
- Windows Autopatch DSS Policy [Test]
- Windows Autopatch DSS Policy [First]
- Windows Autopatch DSS Policy [Fast]
- Windows Autopatch DSS Policy [Broad]
- Ensure the following Microsoft Entra ID assigned groups are in your tenant before using Autopatch groups. **Dont** modify the Microsoft Entra group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service wont be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
- Windows Autopatch - DSS Policy [Test]
- Windows Autopatch - DSS Policy [First]
- Windows Autopatch - DSS Policy [Fast]
- Windows Autopatch - DSS Policy [Broad]
- Ensure the following Microsoft Entra ID assigned groups are in your tenant before using Autopatch groups. **Don't** modify the Microsoft Entra group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
- Modern Workplace Devices-Windows Autopatch-Test
- Modern Workplace Devices-Windows Autopatch-First
- Modern Workplace Devices-Windows Autopatch-Fast
- Modern Workplace Devices-Windows Autopatch-Broad
- Windows Autopatch Test
- Windows Autopatch Ring1
- Windows Autopatch Ring2
- Windows Autopatch Ring3
- Windows Autopatch Last
- Windows Autopatch - Test
- Windows Autopatch - Ring1
- Windows Autopatch - Ring2
- Windows Autopatch - Ring3
- Windows Autopatch - Last
- Additionally, **don't** modify the Microsoft Entra group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** enterprise application as the owner of these groups.
- For more information, see [assign an owner or member of a group in Microsoft Entra ID](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Microsoft Entra groups.
- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality wont work properly. Autopatch uses app-only auth to:
- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won't work properly. Autopatch uses app-only auth to:
- Read device attributes to successfully register devices.
- Manage all configurations related to the operation of the service.
- Make sure that all device-based Microsoft Entra groups you intend to use with Autopatch groups are created prior to using the feature.
@ -86,7 +86,7 @@ Before you start managing Autopatch groups, ensure youve met the following pr
1. Once the review is done, select **Create** to save your custom Autopatch group.
> [!CAUTION]
> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group thats been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
> [!IMPORTANT]
> Windows Autopatch creates the device-based Microsoft Entra ID assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
@ -94,13 +94,13 @@ Before you start managing Autopatch groups, ensure youve met the following pr
## Edit the Default or a Custom Autopatch group
> [!TIP]
> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as theres one or more on-going Windows feature update release targeted to this Autopatch group.**"
> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there's one or more on-going Windows feature update release targeted to this Autopatch group.**"
> See [Manage Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) for more information on release and phase statuses.
**To edit either the Default or a Custom Autopatch group:**
1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit.
1. You can only modify the **description** of the Default or a Custom Autopatch group. You **cant** modify the name. Once the description is modified, select **Next: Deployment rings**.
1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can't** modify the name. Once the description is modified, select **Next: Deployment rings**.
1. Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**.
1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**.
1. Select **Review + create** to review all changes made.
@ -111,7 +111,7 @@ Before you start managing Autopatch groups, ensure youve met the following pr
## Rename a Custom Autopatch group
You **cant** rename the Default Autopatch group. However, you can rename a Custom Autopatch group.
You **can't** rename the Default Autopatch group. However, you can rename a Custom Autopatch group.
**To rename a Custom Autopatch group:**
@ -123,7 +123,7 @@ You **cant** rename the Default Autopatch group. However, you can rename a Cu
## Delete a Custom Autopatch group
You **cant** delete the Default Autopatch group. However, you can delete a Custom Autopatch group.
You **can't** delete the Default Autopatch group. However, you can delete a Custom Autopatch group.
**To delete a Custom Autopatch group:**
@ -131,7 +131,7 @@ You **cant** delete the Default Autopatch group. However, you can delete a Cu
1. Select **Yes** to confirm you want to delete the Custom Autopatch group.
> [!CAUTION]
> You cant delete a Custom Autopatch group when its being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses.
> You can't delete a Custom Autopatch group when it's being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses.
## Manage device conflict scenarios when using Autopatch groups
@ -140,7 +140,7 @@ Overlap in device membership is a common scenario when working with device-based
Since Autopatch groups allow you to use your existing Microsoft Entra groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur.
> [!CAUTION]
> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group thats been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
> A device-based Microsoft Entra group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Microsoft Entra group that's been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
### Device conflict in deployment rings within an Autopatch group
@ -162,21 +162,21 @@ Device conflict across different deployment rings in different Autopatch groups
| Conflict scenario | Conflict resolution |
| ----- | ----- |
| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called “Marketing”.<p>However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.</p> | Autopatch groups automatically resolve this conflict on your behalf.<p>In this example, devices that belong to the deployment rings as part of the “Marketing” Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.</p> |
| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called "Marketing".<p>However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.</p> | Autopatch groups automatically resolve this conflict on your behalf.<p>In this example, devices that belong to the deployment rings as part of the "Marketing" Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.</p> |
#### Custom to Custom Autopatch group device conflict
| Conflict scenario | Conflict resolution |
| ----- | ----- |
| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.<p>Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. Youre required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.</p> |
| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.<p>Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You're required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.</p> |
#### Device conflict prior to device registration
When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups deployment rings, are registered with the service.
When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Microsoft Entra groups, used in Autopatch groups' deployment rings, are registered with the service.
| Conflict scenario | Conflict resolution |
| ----- | ----- |
| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.<p>Devices will fail to register with the service and will be sent to the **Not registered** tab. Youre required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups dont have device membership overlaps.</p> |
| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.<p>Devices will fail to register with the service and will be sent to the **Not registered** tab. You're required to make sure the Microsoft Entra groups that are used with the Custom Autopatch groups don't have device membership overlaps.</p> |
#### Device conflict post device registration

42
windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
View File

@ -17,7 +17,7 @@ ms.collection:
# Windows Autopatch groups overview
As organizations move to a managed-service model where Microsoft manages update processes on their behalf, theyre challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions.
As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they're challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups help organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions.
## What are Windows Autopatch groups?
@ -56,7 +56,7 @@ There are a few key concepts to be familiar with before using Autopatch groups.
> [!NOTE]
> The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition.
The Default Autopatch group uses Windows Autopatchs default update management process recommendation. The Default Autopatch group contains:
The Default Autopatch group uses Windows Autopatch's default update management process recommendation. The Default Autopatch group contains:
- A set of **[five deployment rings](#default-deployment-ring-composition)**
- A default update deployment cadence for both [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md) and [feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md).
@ -64,21 +64,21 @@ The Default Autopatch group uses Windows Autopatchs default update management
The Default Autopatch group is intended to serve organizations that are looking to:
- Enroll into the service
- Align to Windows Autopatchs default update management process without requiring more customizations.
- Align to Windows Autopatch's default update management process without requiring more customizations.
The Default Autopatch group **cant** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it.
The Default Autopatch group **can't** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it.
#### Default deployment ring composition
By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Microsoft Entra ID assigned groups, are used:
- Windows Autopatch Test
- Windows Autopatch Ring1
- Windows Autopatch Ring2
- Windows Autopatch Ring3
- Windows Autopatch Last
- Windows Autopatch - Test
- Windows Autopatch - Ring1
- Windows Autopatch - Ring2
- Windows Autopatch - Ring3
- Windows Autopatch - Last
**Windows Autopatch Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types.
**Windows Autopatch - Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch - Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types.
> [!TIP]
> For more information about the differences between **Assigned** and **Dynamic** deployment ring distribution types, see [about deployment rings](#about-deployment-rings). Only deployment rings that are placed in between the **Test** and the **Last** deployment rings can be used with the **Dynamic** deployment ring distributions.
@ -86,7 +86,7 @@ By default, the following [software update-based deployment rings](#software-bas
> [!CAUTION]
> These and other Microsoft Entra ID assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly.
The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organizations general population to mitigate disruptions to your organizations critical businesses.
The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization's general population to mitigate disruptions to your organization's critical businesses.
#### Default update deployment cadences
@ -144,7 +144,7 @@ Both the **Test** and **Last** deployment rings are default deployment rings tha
If you only keep Test and Last deployment rings in your Default Autopatch group, or you don't add more deployment rings when creating a Custom Autopatch group, the Test deployment ring can be used as the pilot deployment ring and Last can be used as the production deployment ring.
> [!IMPORTANT]
> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isnt required, consider managing these devices outside Windows Autopatch.
> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn't required, consider managing these devices outside Windows Autopatch.
> [!TIP]
> Both the **Test** and **Last** deployment rings only support one single Microsoft Entra group assignment at a time. If you need to assign more than one Microsoft Entra group, you can nest the other Microsoft Entra groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Microsoft Entra group nesting is supported.
@ -168,7 +168,7 @@ The following are the Microsoft Entra ID assigned groups that represent the serv
- Modern Workplace Devices-Windows Autopatch-Broad
> [!CAUTION]
> **Dont** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service wont be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
##### Software-based deployment rings
@ -177,16 +177,16 @@ The software-based deployment ring set is exclusively used with software update
The following are the Microsoft Entra ID assigned groups that represent the software updates-based deployment rings. These groups can't be deleted or renamed:
- Windows Autopatch - Test
- Windows Autopatch Ring1
- Windows Autopatch Ring2
- Windows Autopatch Ring3
- Windows Autopatch Last
- Windows Autopatch - Ring1
- Windows Autopatch - Ring2
- Windows Autopatch - Ring3
- Windows Autopatch - Last
> [!IMPORTANT]
> Additional Microsoft Entra ID assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group.
> [!CAUTION]
> **Dont** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service wont be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
> **Don't** modify the Microsoft Entra group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won't be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly. <p>Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Microsoft Entra group created by Autopatch groups.</p>
### About device registration
@ -203,7 +203,7 @@ The following are three common uses for using Autopatch groups.
| Scenario | Solution |
| ----- | ----- |
| Youre working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You dont have extra time to spend setting up and managing several Autopatch groups.<p>Your organization currently operates its update management by using five deployment rings, but theres an opportunity to have flexible deployment cadences if its precommunicated to your end-users.</p> | If you dont have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.<p>The Default Autopatch group is preconfigured and doesnt require extra configurations when registering devices with the Windows Autopatch service.</p><p>The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.</p> |
| You're working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don't have extra time to spend setting up and managing several Autopatch groups.<p>Your organization currently operates its update management by using five deployment rings, but there's an opportunity to have flexible deployment cadences if it's precommunicated to your end-users.</p> | If you don't have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.<p>The Default Autopatch group is preconfigured and doesn't require extra configurations when registering devices with the Windows Autopatch service.</p><p>The following is a visual representation of a gradual rollout for the Default Autopatch group preconfigured and fully managed by the Windows Autopatch service.</p> |
:::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png":::
@ -211,7 +211,7 @@ The following are three common uses for using Autopatch groups.
| Scenario | Solution |
| ----- | ----- |
| Youre working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.<p>The following is a visual representation of a gradual rollout for Contosos Finance department.</p> |
| You're working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units. For example, you can create a Custom Autopatch group for the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and then for the business.<p>The following is a visual representation of a gradual rollout for Contoso's Finance department.</p> |
:::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png":::
@ -222,7 +222,7 @@ The following are three common uses for using Autopatch groups.
| Scenario | Solution |
| ----- | ----- |
| Youre working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesnt experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.<p>The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.</p> |
| You're working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn't experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.<p>The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.</p> |
:::image type="content" source="../media/autopatch-groups-contoso-chicago-example.png" alt-text="Contoso Chicago example" lightbox="../media/autopatch-groups-contoso-chicago-example.png":::

20
windows/deployment/windows-autopatch/deploy/windows-autopatch-post-reg-readiness-checks.md
View File

@ -18,7 +18,7 @@ ms.collection:
# Post-device registration readiness checks (public preview)
> [!IMPORTANT]
> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a “Preview” basis. You can test and use these features in production environments and scenarios, and provide feedback.
> This feature is in "public preview". It is being actively developed, and may not be complete. They're made available on a "Preview" basis. You can test and use these features in production environments and scenarios, and provide feedback.
One of the most expensive aspects of the software update management process is to make sure devices are always healthy to receive and report software updates for each software update release cycle.
@ -41,7 +41,7 @@ Device readiness in Windows Autopatch is divided into two different scenarios:
| ----- | ----- |
| <ul><li>Windows OS (build, architecture and edition)</li></li><li>Managed by either Intune or ConfigMgr co-management</li><li>ConfigMgr co-management workloads</li><li>Last communication with Intune</li><li>Personal or non-Windows devices</li></ul> | <ul><li>Windows OS (build, architecture and edition)</li><li>Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict</li><li>Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)</li><li>Internet connectivity</li></ul> |
The status of each post-device registration readiness check is shown in the Windows Autopatchs Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service.
The status of each post-device registration readiness check is shown in the Windows Autopatch's Devices blade under the **Not ready** tab. You can take appropriate action(s) on devices that aren't ready to be fully managed by the Windows Autopatch service.
## About the three tabs in the Devices blade
@ -57,8 +57,8 @@ Windows Autopatch has three tabs within its Devices blade. Each tab is designed
| Tab | Description |
| ----- | ----- |
| Ready | This tab only lists devices with the **Active** status. Devices with the **Active** status successfully:<ul><li>Passed the prerequisite checks.</li><li>Registered with Windows Autopatch.</li></ul>This tab also lists devices that have passed all postdevice registration readiness checks. |
| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.<ul><li>**Readiness failed status**: Devices that didnt pass one or more post-device registration readiness checks.</li><li>**Inactive**: Devices that haven't communicated with the Microsoft Intune service in the last 28 days.</li></ul> |
| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didnt pass one or more prerequisite checks during the device registration process. |
| Not ready | This tab only lists devices with the **Readiness failed** and **Inactive** status.<ul><li>**Readiness failed status**: Devices that didn't pass one or more post-device registration readiness checks.</li><li>**Inactive**: Devices that haven't communicated with the Microsoft Intune service in the last 28 days.</li></ul> |
| Not registered | Only lists devices with the **Prerequisite failed** status in it. Devices with the **Prerequisite failed** status didn't pass one or more prerequisite checks during the device registration process. |
## Details about the post-device registration readiness checks
@ -76,12 +76,12 @@ The following list of post-device registration readiness checks is performed in
| ----- | ----- |
| **Windows OS build, architecture, and edition** | Checks to see if devices support Windows 1809+ build (10.0.17763), 64-bit architecture and either Pro or Enterprise SKUs. |
| **Windows update policies managed via Microsoft Intune** | Checks to see if devices have Windows Updates policies managed via Microsoft Intune (MDM). |
| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesnt support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. |
| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesnt support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
| **Windows update policies managed via Group Policy Object (GPO)** | Checks to see if devices have Windows update policies managed via GPO. Windows Autopatch doesn't support Windows update policies managed via GPOs. Windows update must be managed via Microsoft Intune. |
| **Microsoft Office update policy managed via Group Policy Object (GPO)** | Checks to see if devices have Microsoft Office updates policies managed via GPO. Windows Autopatch doesn't support Microsoft Office update policies managed via GPOs. Office updates must be managed via Microsoft Intune or another Microsoft Office policy management method where Office update bits are downloaded directly from the Office Content Delivery Network (CDN). |
| **Windows Autopatch network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that Windows Autopatch services must be able to reach for the various aspects of the Windows Autopatch service. |
| **Microsoft Teams network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Teams must be able to reach for software updates management. |
| **Microsoft Edge network endpoints** | There's a set of [network endpoints](../prepare/windows-autopatch-configure-network.md) that devices with Microsoft Edge must be able to reach for software updates management. |
| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsofts public URLs two times each, to confirm that ping results aren't coming from the devices cache. |
| **Internet connectivity** | Checks to see if a device has internet connectivity to communicate with Microsoft cloud services. Windows Autopatch uses the PingReply class. Windows Autopatch tries to ping at least three different Microsoft's public URLs two times each, to confirm that ping results aren't coming from the device's cache. |
## Post-device registration readiness checks workflow
@ -93,8 +93,8 @@ See the following diagram for the post-device registration readiness checks work
| ----- | ----- |
| **Steps 1-7** | For more information, see the [Device registration overview diagram](windows-autopatch-device-registration-overview.md).|
| **Step 8: Perform readiness checks** |<ol><li>Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.</li><li>The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.</li></ol> |
| **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatchs service.</li></ol>|
| **Step 10: Add devices to the Not ready** | When devices dont pass one or more readiness checks, even if theyre registered with Windows Autopatch, theyre added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
| **Step 9: Check readiness status** |<ol><li>The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.</li><li>The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch's service.</li></ol>|
| **Step 10: Add devices to the Not ready** | When devices don't pass one or more readiness checks, even if they're registered with Windows Autopatch, they're added to the **Not ready** tab so IT admins can remediate devices based on Windows Autopatch recommendations. |
| **Step 11: IT admin understands what the issue is and remediates** | The IT admin checks and remediates issues in the Devices blade (**Not ready** tab). It can take up to 24 hours for devices to show back up into the **Ready** tab. |
## FAQ
@ -102,7 +102,7 @@ See the following diagram for the post-device registration readiness checks work
| Question | Answer |
| ----- | ----- |
| **How frequent are the post-device registration readiness checks performed?** |<ul><li>The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).</li><li>Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.</li><li>The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.</li><li>The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).</li></ul>|
| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices dont meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.<p>Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.</p>|
| **What to expect when one or more checks fail?** | Devices are automatically sent to the **Ready** tab once they're successfully registered with Windows Autopatch. When devices don't meet one or more post-device registration readiness checks, the devices are moved to the **Not ready** tab. IT admins can learn about these devices and take appropriate actions to remediate them. Windows Autopatch will provide information about the failure and how to potentially remediate devices.<p>Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.</p>|
## Additional resources

10
windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
View File

@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
ms.date: 07/25/2023
description: This article details how to register devices in Autopatch.
ms.date: 02/15/2024
ms.service: windows-client
ms.subservice: itpro-updates
ms.topic: how-to
@ -33,7 +33,7 @@ Windows Autopatch can take over software update management control of devices th
When you either create/edit a [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or edit the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to add or remove deployment rings, the device-based Microsoft Entra groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.
If devices arent registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group.
If devices aren't registered, Autopatch groups starts the device registration process by using your existing device-based Microsoft Entra groups instead of the Windows Autopatch Device Registration group.
For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method.
@ -83,7 +83,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
- Devices must have Serial Number, Model and Manufacturer.
> [!NOTE]
> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
> Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check.
> [!IMPORTANT]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
@ -178,7 +178,7 @@ The service supports:
- Personal persistent virtual machines
The following Azure Virtual Desktop features arent supported:
The following Azure Virtual Desktop features aren't supported:
- Multi-session hosts
- Pooled non persistent virtual machines

6
windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
View File

@ -47,7 +47,7 @@ Windows Autopatch assigns alerts to either Microsoft Action or Customer Action.
## Alert resolutions
Alert resolutions are provided through the Windows Update service and provide the reason why an update didnt perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md).
Alert resolutions are provided through the Windows Update service and provide the reason why an update didn't perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md).
| Alert message | Description | Windows Autopatch recommendation(s) |
| ----- | ----- | ----- |
@ -85,11 +85,11 @@ Alert resolutions are provided through the Windows Update service and provide th
| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).<p>If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).</p> |
| `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is usually false, and the update probably succeeded. | The Windows Update Service has reported the update you're trying to install isn't available.<p>No action is required.</p><p>If the update is still available, retry the installation.</p> |
| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Dont** retry the installation until the impact is understood.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don't** retry the installation until the impact is understood.<p>For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).</p> |
| `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service has reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.<p>For more information about safeguards, see [Windows 10/11 release information for the affected version(s)](/windows/release-health/release-information).</p> |
| `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service has reported Windows was unexpectedly restarted during the update process.<p>No action is necessary the update should retry when windows is available.</p><p>If the alert persists, ensure the device remains on during Windows installation.</p> |
| `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service has reported that the version of Windows wasn't intended.<p>Confirm whether the device is on the intended version.</p> |
| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.<p>For more information, see [Windows boot issues troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).</p> |
| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.<p>For more information, see [Windows boot issues - troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).</p> |
| `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service has reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. |
| `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.<p>Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, to repair these components. Then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.</p> |
| `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.<p>Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges to repair these components. Then retry the update.</p><p>For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.</p> |

34
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
View File

@ -23,7 +23,7 @@ You can create custom releases for Windows feature update deployments in Windows
Before you start managing custom Windows feature update releases, consider the following:
- If youre planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure:
- If you're planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure:
- The Default Autopatch group has all deployment rings and deployment cadences you need.
- You have created all your Custom Autopatch groups prior to creating custom releases.
- Review [Windows feature update prerequisites](/mem/intune/protect/windows-10-feature-updates#prerequisites).
@ -42,7 +42,7 @@ The following table explains the auto-populating assignment of your deployments
| Phase 3 | Ring2 | Ring2 |
| Phase 4 | Last | Ring3 |
If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group wont be reflected unless you create a new custom release.
If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won't be reflected unless you create a new custom release.
If you wish to change the auto-populating assignment of your deployment rings to release phases, you can do so by adding, removing, or editing the auto-populated phases.
@ -50,7 +50,7 @@ If you wish to change the auto-populating assignment of your deployment rings to
The goal completion date of a phase is calculated using the following formula:
`<First Deployment Date> + (<Number of gradual rollout groups> 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).`
`<First Deployment Date> + (<Number of gradual rollout groups> - 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).`
This formula is only applicable for **Deadline-driven** not for Scheduled-driven deployment cadences. For more information, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
@ -102,7 +102,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo
| Phase status | Definition |
| ----- | ----- |
| Scheduled | The phase is scheduled but hasnt reached its first deployment date yet. The Windows feature update policy hasnt been created for the respective phase yet. |
| Scheduled | The phase is scheduled but hasn't reached its first deployment date yet. The Windows feature update policy hasn't been created for the respective phase yet. |
| Active | The first deployment date has been reached. The Windows feature update policy has been created for the respective phase. |
| Inactive | All Autopatch groups within the phase were re-assigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. |
| Paused | Phase is paused. You must resume the phase. |
@ -112,7 +112,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo
Windows Autopatch creates one Windows feature update policy per phase using the following naming convention:
`Windows Autopatch DSS policy <Release Name> Phase <Phase Number>`
`Windows Autopatch - DSS policy - <Release Name> - Phase <Phase Number>`
These policies can be viewed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
@ -120,11 +120,11 @@ The following table is an example of the Windows feature update policies that we
| Policy name | Feature update version | Rollout options | First deployment date| Final deployment date availability | Day between groups | Support end date |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
| Windows Autopatch - DSS Policy - My feature update release Phase 1 | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release Phase 2 | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release Phase 4 | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release Phase 5 | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release - Phase 1 | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release - Phase 2 | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release - Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release - Phase 4 | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 11, 2024 |
| Windows Autopatch - DSS Policy - My feature update release - Phase 5 | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 11, 2024 |
## Create a custom release
@ -142,11 +142,11 @@ The following table is an example of the Windows feature update policies that we
4. Select **Next**.
1. In the **Autopatch groups** page, choose one or more existing Autopatch groups you want to include in the custom release, then select Next.
1. You can't choose Autopatch groups that are already part of an existing custom release. Select **Autopatch groups assigned to other releases** to review existing assignments.
1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once youre ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned.
1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and cant guarantee that the release will start at the current day given the UTC variance across the globe.
1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once you're ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned.
1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can't guarantee that the release will start at the current day given the UTC variance across the globe.
1. The **Goal completion date** only applies to the [Deadline-driven deployment cadence type](../operate/windows-autopatch-groups-windows-update.md#deadline-driven). The Deadline-drive deployment cadence type can be specified when you configure the Windows Updates settings during the Autopatch group creation/editing flow.
2. Additionally, the formula for the goal completion date is `<First Deployment Date> + (<Number of gradual rollout groups> 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`.
1. In the **Review + create** page, review all settings. Once youre ready, select **Create**.
2. Additionally, the formula for the goal completion date is `<First Deployment Date> + (<Number of gradual rollout groups> - 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`.
1. In the **Review + create** page, review all settings. Once you're ready, select **Create**.
> [!NOTE]
> Custom releases can't be deleted from the Windows feature updates release management blade. The custom release record serves as a historical record for auditing purposes when needed.
@ -209,10 +209,10 @@ The following table is an example of the Windows feature update policies that we
## Roll back a release
> [!CAUTION]
> Do **not** use Microsoft Intunes end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
> Do **not** use Microsoft Intune's end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
Windows Autopatch **doesnt** support the rollback of Windows feature updates through its end-user experience flows.
Windows Autopatch **doesn't** support the rollback of Windows feature updates through its end-user experience flows.
## Contact support
If youre experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
If you're experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md).

2
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
View File

@ -47,7 +47,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
## Windows feature updates
Youre in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
You're in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
The Window feature update release management experience makes it easier and less expensive for you to keep your Windows devicesup to date. You can focus on running your corebusinesses while Windows Autopatch runs update management on your behalf.

32
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
View File

@ -17,7 +17,7 @@ ms.collection:
# Windows feature updates overview
Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organizations IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization's IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
Windows feature updates consist of:
@ -28,11 +28,11 @@ Windows Autopatch makes it easier and less expensive for you to keep your Window
## Service level objective
Windows Autopatchs service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you.
Windows Autopatch's service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you.
## Device eligibility criteria
Windows Autopatchs device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intunes device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites).
Windows Autopatch's device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune's device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites).
> [!IMPORTANT]
> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
@ -40,7 +40,7 @@ Windows Autopatchs device eligibility criteria for Windows feature updates al
## Key benefits
- Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
- Youre in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
- You're in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
- Combined with custom releases, Autopatch Groups gives your organization great control and flexibility to help you plan your gradual rollout in a way that works for your organization.
- Simplified end-user experience with rich controls for gradual rollouts, deployment cadence and speed.
- No need to manually modify the default Windows feature update policies (default release) to be on the Windows OS version your organization is currently ready for.
@ -59,7 +59,7 @@ Windows Autopatchs device eligibility criteria for Windows feature updates al
### Default release
Windows Autopatchs default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
Windows Autopatch's default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
> [!TIP]
> Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
@ -82,17 +82,17 @@ If your tenant is enrolled with Windows Autopatch, you can see the following def
| Policy name | Phase mapping | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
| Windows Autopatch DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 11, 2024 |
| Windows Autopatch DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 11, 2024 |
| Windows Autopatch DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 11, 2024 |
| Windows Autopatch DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 11, 2024 |
| Windows Autopatch - DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 11, 2024 |
| Windows Autopatch - DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 11, 2024 |
| Windows Autopatch - DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 11, 2024 |
| Windows Autopatch - DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 11, 2024 |
> [!NOTE]
> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
### Global release
Windows Autopatchs global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
Windows Autopatch's global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
There are two scenarios that the Global release is used:
@ -110,7 +110,7 @@ See the following table on how Windows Autopatch configures the values for its g
| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
| Windows Autopatch Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024 |
| Windows Autopatch - Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 11, 2024 |
> [!NOTE]
> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
@ -118,7 +118,7 @@ See the following table on how Windows Autopatch configures the values for its g
### Differences between the default and global Windows feature update policies
> [!IMPORTANT]
> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch groups deployment rings behind the scenes.
> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group's deployment rings behind the scenes.
The differences in between the global and the default Windows feature update policy values are:
@ -138,7 +138,7 @@ For more information on how to create a custom release, see [Manage Windows feat
### About Windows Update rings policies
Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy <Autopatch group name> <Deployment group name>`.
Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy - <Autopatch group name> - <Deployment group name>`.
The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases:
@ -151,7 +151,7 @@ The following table details the default Windows Update rings policy values that
| Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes |
> [!IMPORTANT]
> When you create a custom Windows feature update release, new Windows feature update policies are:<ul><li>Created corresponding to the settings you defined while creating the release.</li><li>Assigned to the Autopatch groups deployment rings you select to be included in the release.</li></ul>
> When you create a custom Windows feature update release, new Windows feature update policies are:<ul><li>Created corresponding to the settings you defined while creating the release.</li><li>Assigned to the Autopatch group's deployment rings you select to be included in the release.</li></ul>
## Common ways to manage releases
@ -159,7 +159,7 @@ The following table details the default Windows Update rings policy values that
| Scenario | Solution |
| ----- | ----- |
| Youre working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11s latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.<br>Phases:<ul><li>Set your organizations deployment cadence.</li><li>Work like deployment rings on top of Autopatch groups deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.</li></ul><br>See the following visual for a representation of Phases with custom releases. |
| You're working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11's latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.<br>Phases:<ul><li>Set your organization's deployment cadence.</li><li>Work like deployment rings on top of Autopatch group's deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.</li></ul><br>See the following visual for a representation of Phases with custom releases. |
:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-1.png" alt-text="Manage Windows feature update release use case one" lightbox="../media/autopatch-groups-manage-feature-release-case-1.png":::
@ -167,6 +167,6 @@ The following table details the default Windows Update rings policy values that
| Scenario | Solution |
| ----- | ----- |
| Youre working as the IT admin at Contoso Ltd. and your organization isnt ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.<p>However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.</p> | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.<p>If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).</p><p>See the following visual for a representation of default releases.</p>|
| You're working as the IT admin at Contoso Ltd. and your organization isn't ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.<p>However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.</p> | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.<p>If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).</p><p>See the following visual for a representation of default releases.</p>|
:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-2.png" alt-text="Manage Windows feature update release use case two" lightbox="../media/autopatch-groups-manage-feature-release-case-2.png":::

2
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
View File

@ -39,7 +39,7 @@ The following information is available in the Summary dashboard:
| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
| Paused | Total device count reporting the status of the pause whether its Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
## Report options

6
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
View File

@ -38,7 +38,7 @@ The Windows quality report types are organized into the following focus areas:
The Windows feature update reports monitor the health and activity of your deployments and help you understand if your devices are maintaining update compliance targets.
If update deployments arent successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue.
If update deployments aren't successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue.
The Windows feature update report types are organized into the following focus areas:
@ -82,7 +82,7 @@ Up to date devices are devices that meet all of the following prerequisites:
- Have applied the current monthly cumulative updates
> [!NOTE]
> [Up to Date devices](#up-to-date-devices) will remain with the**In Progress**status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the devices status will change to [Not up to Date](#not-up-to-date-devices).
> [Up to Date devices](#up-to-date-devices) will remain with the**In Progress**status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the device's status will change to [Not up to Date](#not-up-to-date-devices).
#### Up to Date sub statuses
@ -93,7 +93,7 @@ Up to date devices are devices that meet all of the following prerequisites:
### Not up to Date devices
Not Up to Date means a device isnt up to date when the:
Not Up to Date means a device isn't up to date when the:
- Quality or feature update is out of date, or the device is on the previous update.
- Device is more than 21 days overdue from the last release.

8
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
View File

@ -27,14 +27,14 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, users can schedule restarts or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Groups deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring.To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups, you can also customize the [Default Deployment Group's deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring.To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
> [!IMPORTANT]
> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
## Service level objective
Windows Autopatch aims to keep at least 95% of [Up to Date devices](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column “% with the latest quality update” displayed in release management and reporting.
Windows Autopatch aims to keep at least 95% of [Up to Date devices](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices) on the latest quality update. Autopatch uses the previously defined release schedule on a per ring basis with a five-day reporting period to calculate and evaluate the service level objective (SLO). The result of the service level objective is the column "% with the latest quality update" displayed in release management and reporting.
### Service level objective calculation
@ -68,7 +68,7 @@ The service level objective for each of these states is calculated as:
> [!IMPORTANT]
> This feature is in **public preview**. It's being actively developed, and might not be complete.
You can import your organizations existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organizations Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organizations existing update rings.
You can import your organization's existing Intune Update rings for Windows 10 and later into Windows Autopatch. Importing your organization's Update rings provides the benefits of the Windows Autopatch's reporting and device readiness without the need to redeploy, or change your organization's existing update rings.
Imported rings automatically register all targeted devices into Windows Autopatch. For more information about device registration, see the [device registration workflow diagram](../deploy/windows-autopatch-device-registration-overview.md#detailed-device-registration-workflow-diagram).
@ -76,7 +76,7 @@ Imported rings automatically register all targeted devices into Windows Autopatc
> Devices which are registered as part of an imported ring, might take up to 72 hours after the devices have received the latest version of the policy, to be reflected in Windows Autopatch devices blade and reporting. For more information about reporting, see [Windows quality and feature update reports overview](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md).
> [!NOTE]
> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatchs ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md).
> Device registration failures don't affect your existing update schedule or targeting. However, devices that fail to register might affect Windows Autopatch's ability to provide reporting and insights. Any conflicts should be resolved as needed. For additional assistance, [submit a support request](../operate/windows-autopatch-support-request.md).
### Import Update rings for Windows 10 and later

2
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
View File

@ -38,7 +38,7 @@ The following information is available in the Summary dashboard:
| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). |
| Paused | Total device count reporting the status of the pause whether its Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Paused | Total device count reporting the status of the pause whether it's Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
## Report options

4
windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
View File

@ -56,7 +56,7 @@ However, if an update has already started for a particular deployment ring, Wind
#### Scheduled install
> [!NOTE]
>If you select the Schedule install cadence type, the devices in that ring wont be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
>If you select the Schedule install cadence type, the devices in that ring won't be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified.
@ -118,5 +118,5 @@ For more information, see [Windows Update settings you can manage with Intune up
1. Turn off all notifications included restart warnings
1. Select **Save** once you select the preferred setting.
7. Repeat the same process to customize each of the rings. Once done, select **Next**.
8. In **Review + apply**, youll be able to review the selected settings for each of the rings.
8. In **Review + apply**, you'll be able to review the selected settings for each of the rings.
9. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings.

4
windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
View File

@ -58,7 +58,7 @@ The type of banner that appears depends on the severity of the action. Currently
| Action type | Severity | Description |
| ----- | ----- | ----- |
| Maintain tenant access | Critical | Required licenses have expired. The licenses include:<ul><li>Microsoft Intune</li><li>Microsoft Entra ID P1 or P2</li><li>Windows 10/11 Enterprise E3 or higher</li><ul><li>For more information about specific services plans, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li></ul><p>To take action on missing licenses, you can visit the Microsoft 365 admin center or contact your Microsoft account manager. Until you have renewed the required licenses to run the service, Windows Autopatch marks your tenant as **inactive**. For more information, see [Microsoft 365 - What happens after my subscription expires?](/microsoft-365/commerce/subscriptions/what-if-my-subscription-expires)</p> |
| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently cant manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.<p>Reasons for tenant access issues:<ul><li>You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.</li><li>You have blocked or removed the permissions required for the Windows Autopatch enterprise application.</li></ul><p>Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.</p><p>For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).</p> |
| Maintain tenant access | Critical | Address tenant access issues. Windows Autopatch currently can't manage your tenant. Until you take action, your tenant is marked as **inactive**, and you have only limited access to the Windows Autopatch portal.<p>Reasons for tenant access issues:<ul><li>You haven't yet migrated to the new [Windows Autopatch enterprise application](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications). Windows Autopatch uses this enterprise application to run the service.</li><li>You have blocked or removed the permissions required for the Windows Autopatch enterprise application.</li></ul><p>Take action by consenting to allow Windows Autopatch to make the appropriate changes on your behalf. You must be a Global Administrator to consent to this action. Once you provide consent, Windows Autopatch remediates this critical action for you.</p><p>For more information, see [Windows Autopatch enterprise applications](../overview/windows-autopatch-privacy.md#tenant-access).</p> |
### Inactive status
@ -76,5 +76,5 @@ To be taken out of the **inactive** status, you must [resolve any critical actio
| Impact area | Description |
| ----- | ----- |
| Management | Windows Autopatch isnt able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:<ul><li>Managing the Windows Autopatch service</li><li>Publishing the baseline configuration updates to your tenants devices</li><li>Maintaining overall service health</li></ul><p>For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).</p>|
| Management | Windows Autopatch isn't able to manage your tenant and perform non-interactive actions we use to run the service. Non-interactive actions include:<ul><li>Managing the Windows Autopatch service</li><li>Publishing the baseline configuration updates to your tenant's devices</li><li>Maintaining overall service health</li></ul><p>For more information, see [Windows Autopatch enterprise applications](../references/windows-autopatch-changes-to-tenant.md#windows-autopatch-enterprise-applications).</p>|
| Device updates | Changes to Windows Autopatch policies aren't pushed to your devices. The existing configurations on these devices remain unchanged, and they continue receiving updates. |

14
windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md
View File

@ -20,7 +20,7 @@ ms.collection:
You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment.
> [!TIP]
> Windows Autopatch's driver and firmware update management is based on [Intunes driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates.
> Windows Autopatch's driver and firmware update management is based on [Intune's driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates.
## Automatic and Self-managed modes
@ -29,7 +29,7 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
| Modes | Description |
| ----- | -----|
| Automatic | We recommend using **Automatic** mode.<p>Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.</p> |
| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatchs automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
| Self-managed | When you use **Self-managed** mode, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatch's automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
## Set driver and firmware updates to Automatic or Self-managed mode
@ -46,16 +46,16 @@ Switching the toggle between Automatic and Self-managed modes creates driver pro
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Devices** > **Driver updates for Windows 10 and later**.
1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch Driver Update Policy [Test]**.
1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch - Driver Update Policy** and end with the name of the deployment ring to which they're targeted in brackets. For example, **Windows Autopatch - Driver Update Policy [Test]**.
The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad deployment rings. The policy settings are defined in the following table:
| Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays |
| ----- | ----- | ----- | ----- | ----- |
| `CreateDriverUpdatePolicy` | Windows Autopatch Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` |
| `CreateDriverUpdatePolicy`| Windows Autopatch Driver Update Policy [**First**] | Driver Update Policy for device **First** group | Automatic | `1` |
| `CreateDriverUpdatePolicy` |Windows Autopatch Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` |
| `CreateDriverUpdatePolicy` | Windows Autopatch Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` |
| `CreateDriverUpdatePolicy` | Windows Autopatch - Driver Update Policy [**Test**] | Driver Update Policy for device **Test** group | Automatic | `0` |
| `CreateDriverUpdatePolicy`| Windows Autopatch - Driver Update Policy [**First**] | Driver Update Policy for device **First** group | Automatic | `1` |
| `CreateDriverUpdatePolicy` |Windows Autopatch - Driver Update Policy [**Fast**] | Driver Update Policy for device **Fast** group | Automatic | `6` |
| `CreateDriverUpdatePolicy` | Windows Autopatch - Driver Update Policy [**Broad**] | Driver Update Policy for device **Broad** group | Automatic | `9` |
## Feedback and support

6
windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
View File

@ -97,10 +97,10 @@ For organizations seeking greater control, you can allow or block Microsoft 365
2. Navigate to the **Devices** > **Release Management** > **Release settings**.
3. Go to the **Microsoft 365 apps updates** section. By default, the **Allow/Block** toggle is set to **Allow**.
4. Turn off the **Allow** toggle to opt out of Microsoft 365 App update policies. You'll see the notification: *Update in process. This setting will be unavailable until the update is complete.*
5. Once the update is complete, youll receive the notification: *This setting is updated.*
5. Once the update is complete, you'll receive the notification: *This setting is updated.*
> [!NOTE]
> If the notification: *This setting couldnt be updated. Please try again or submit a support request.* appears, use the following steps:<ol><li>Refresh your page.</li><li>Please repeat the same steps in To block Windows Autopatch Microsoft 365 apps updates.</li><li>If the issue persists, [submit a support request](../operate/windows-autopatch-support-request.md).</li>
> If the notification: *This setting couldn't be updated. Please try again or submit a support request.* appears, use the following steps:<ol><li>Refresh your page.</li><li>Please repeat the same steps in To block Windows Autopatch Microsoft 365 apps updates.</li><li>If the issue persists, [submit a support request](../operate/windows-autopatch-support-request.md).</li>
**To verify if the Microsoft 365 App update setting is set to Allow:**
@ -117,7 +117,7 @@ For organizations seeking greater control, you can allow or block Microsoft 365
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Navigate to **Devices** > **Configuration profiles** > **Profiles**.
3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords “Office Configuration”. The result should return *0 profiles filtered*.
3. The following **five** profiles should be removed from your list of profiles and no longer visible/active. Use the Search with the keywords "Office Configuration". The result should return *0 profiles filtered*.
1. Windows Autopatch - Office Configuration
2. Windows Autopatch - Office Update Configuration [Test]
3. Windows Autopatch - Office Update Configuration [First]

2
windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
View File

@ -36,7 +36,7 @@ With this feature, IT admins can:
- Initiate action for the Autopatch service to restore the deployment rings without having to raise an incident.
> [!NOTE]
> You can rename your policies to meet your organizations requirements. Do **not** rename the underlying Autopatch deployment groups.
> You can rename your policies to meet your organization's requirements. Do **not** rename the underlying Autopatch deployment groups.
## Check policy health

8
windows/deployment/windows-autopatch/operate/windows-autopatch-unenroll-tenant.md
View File

@ -35,15 +35,15 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
| Responsibility | Description |
| ----- | ----- |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We wont make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
| Windows Autopatch data | Windows Autopatch will delete user data that is within the Windows Autopatch service. We won't make changes to any other data. For more information about how data is used in Windows Autopatch, see [Privacy](../overview/windows-autopatch-privacy.md). |
| Excluding devices | Windows Autopatch will exclude all devices previously registered with the service. Only the Windows Autopatch device record is deleted. We won't delete Microsoft Intune and/or Microsoft Entra device records. For more information, see [Exclude a device](../operate/windows-autopatch-exclude-device.md). |
## Your responsibilities after unenrolling your tenant
| Responsibility | Description |
| ----- | ----- |
| Updates | After the Windows Autopatch service is unenrolled, well no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
| Optional Windows Autopatch configuration | Windows Autopatch wont remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you dont wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). |
| Updates | After the Windows Autopatch service is unenrolled, we'll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
| Optional Windows Autopatch configuration | Windows Autopatch won't remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don't wish to use these policies for your devices after unenrollment, you may safely delete them. For more information, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). |
| Microsoft Intune roles | After unenrollment, you may safely remove the Modern Workplace Intune Admin role. |
## Unenroll from Windows Autopatch
@ -56,4 +56,4 @@ Unenrolling from Windows Autopatch requires manual actions from both you and fro
2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner.
1. The Windows Autopatch Service Engineering Team proceeds with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
1. The Windows Autopatch Service Engineering Team informs you when unenrollment is complete.
1. Youre responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).
1. You're responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).

2
windows/deployment/windows-autopatch/overview/windows-autopatch-deployment-guide.md
View File

@ -259,7 +259,7 @@ For example, Configuration Manager Software Update Policy settings exclude Autop
| Enable management of the Office 365 Client Agent | No |
> [!NOTE]
> There is no requirement to create a Configuration Manager Software Update Policy if the policies arent in use.
> There is no requirement to create a Configuration Manager Software Update Policy if the policies aren't in use.
#### Existing Mobile Device Management (MDM) policies

2
windows/deployment/windows-autopatch/overview/windows-autopatch-privacy.md
View File

@ -84,7 +84,7 @@ Windows Autopatch creates and uses guest accounts using just-in-time access func
| Account name | Usage | Mitigating controls |
| ----- | ----- | -----|
| MsAdmin@tenantDomain.onmicrosoft.com | <ul><li>This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Windows Autopatch devices.</li><li>This account doesn't have interactive sign-in permissions.The account performs operations only through the service.</li></ul> | Audited sign-ins |
| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customers tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li></ul> |
| MsAdminInt@tenantDomain.onmicrosoft.com |<ul><li>This account is an Intune and User administrator account used to define and configure the tenant for Windows Autopatch devices.</li><li>This account is used for interactive login to the customer's tenant.</li><li>The use of this account is limited as most operations are exclusively through MsAdmin (non-interactive) account.</li></ul> | <ul><li>Restricted to be accessed only from defined secure access workstations (SAWs) through a conditional access policy</li><li>Audited sign-ins</li></ul> |
| MsTest@tenantDomain.onmicrosoft.com | This account is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins |
## Microsoft Windows Update for Business

2
windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
View File

@ -99,4 +99,4 @@ For more information and assistance with preparing for your Windows Autopatch de
| Review and respond to Windows Autopatch management alerts<ul><li>[Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions)</li><li>[Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)</li></ul> | :heavy_check_mark: | :x: |
| [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |
| [Manage and respond to support requests](../operate/windows-autopatch-support-request.md#manage-an-active-support-request) | :x: | :heavy_check_mark: |
| Review the [Whats new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: |
| Review the [What's new](../whats-new/windows-autopatch-whats-new-2022.md) section to stay up to date with updated feature and service releases | :heavy_check_mark: | :x: |

16
windows/deployment/windows-autopatch/references/windows-autopatch-conflicting-configurations.md
View File

@ -22,7 +22,7 @@ ms.collection:
During Readiness checks, if there are devices with conflicting registry configurations, notifications are listed in the **Not ready** tab. The notifications include a list of alerts that explain why the device isn't ready for updates. Instructions are provided on how to resolve the issue(s). You can review any device marked as **Not ready** and remediate them to a **Ready** state.
Windows Autopatch monitors conflicting configurations. Youre notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, its possible that other services write back the registry keys. Its recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.
Windows Autopatch monitors conflicting configurations. You're notified of the specific registry values that prevent Windows from updating properly. These registry keys should be removed to resolve the conflict. However, it's possible that other services write back the registry keys. It's recommended that you review common sources for conflicting configurations to ensure your devices continue to receive Windows Updates.
The most common sources of conflicting configurations include:
@ -47,11 +47,11 @@ Location= HKLM:SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
Windows Autopatch recommends removing the conflicting configurations. The following remediation examples can be used to remove conflicting settings and registry keys when targeted at Autopatch-managed clients.
> [!IMPORTANT]
> **Its recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that arent managed by Windows Autopatch, be sure to target accordingly.
> **It's recommended to only target devices with conflicting configuration alerts**. The following remediation examples can affect devices that aren't managed by Windows Autopatch, be sure to target accordingly.
### Intune Remediation
Navigate to Intune Remediations and create a remediation using the following examples. Its recommended to create a single remediation per value to understand if the value persists after removal.
Navigate to Intune Remediations and create a remediation using the following examples. It's recommended to create a single remediation per value to understand if the value persists after removal.
If you use either [**Detect**](#detect) and/or [**Remediate**](#remediate) actions, ensure to update the appropriate **Path** and **Value** called out in the Alert. For more information, see [Remediations](/mem/intune/fundamentals/remediations).
@ -97,7 +97,7 @@ Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpda
### Batch file
Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service. For more information, see [Using batch files: Scripting; Management Services](/previous-versions/windows/it-pro/windows-server-2003/cc758944(v=ws.10)?redirectedfrom=MSDN).
Copy and paste the following code into a text editor, and save it with a `.cmd` extension, and execute against affected devices. This command removes registry keys that affect the Windows Autopatch service.
```cmd
@echo off
@ -128,15 +128,15 @@ Windows Registry Editor Version 5.00
## Common sources of conflicting configurations
The following examples can be used to validate if the configuration is persistent from one of the following services. The list isnt an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly.
The following examples can be used to validate if the configuration is persistent from one of the following services. The list isn't an exhaustive, and Admins should be aware that changes can affect devices not managed by Windows Autopatch and should plan accordingly.
### Group Policy management
Group Policy management is the most popular client configuration tool in most organizations. For this reason, its most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy.
Group Policy management is the most popular client configuration tool in most organizations. For this reason, it's most often the source of conflicting configurations. Use Result Set of Policy (RSOP) on an affected client can quickly identify if configured policies conflict with Windows Autopatch. For more information, see Use Resultant Set of Policy to Manage Group Policy.
1. Launch an Elevated Command Prompt and enter `RSOP`.
1. Navigate to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Update**
1. If a Policy **doesnt exist** in Windows Update, then it appears to not be Group Policy.
1. If a Policy **doesn't exist** in Windows Update, then it appears to not be Group Policy.
1. If a Policy **exists** in Windows Update is present, modify or limit the target of the conflicting policy to resolve the Alert.
1. If the **Policy name** is labeled **Local Group Policy**, these settings could have been applied during imaging or by Configuration Manager.
@ -146,7 +146,7 @@ Configuration Manager is a common enterprise management tool that, among many th
1. Go the **Microsoft Endpoint Configuration Manager Console**.
1. Navigate to **Administration** > **Overview** > **Client Settings**.
1. Ensure **Software Updates** isnt configured. If configured, its recommended to remove these settings to prevent conflicts with Windows Autopatch.
1. Ensure **Software Updates** isn't configured. If configured, it's recommended to remove these settings to prevent conflicts with Windows Autopatch.
## Third-party solutions

10
windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
View File

@ -20,7 +20,7 @@ ms.collection:
The following policies contain settings that apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention:
**Modern Workplace Update Policy [ring name] [Windows Autopatch]**
**Modern Workplace Update Policy [ring name] - [Windows Autopatch]**
### Windows 10 and later update settings
@ -52,7 +52,7 @@ The following policies contain settings that apply to both Windows quality and f
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
| Included groups | Modern Workplace DevicesWindows Autopatch-Test | Modern Workplace DevicesWindows Autopatch-First | Modern Workplace DevicesWindows Autopatch-Fast | Modern Workplace DevicesWindows Autopatch-Broad |
| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad |
| Excluded groups | None | None | None | None |
## Windows feature update policies
@ -76,8 +76,8 @@ These policies control the minimum target version of Windows that a device is me
| Setting name | Test | First | Fast | Broad |
| ----- | ----- | ----- | ----- | ----- |
| Included groups | Modern Workplace DevicesWindows Autopatch-Test | Modern Workplace DevicesWindows Autopatch-First | Modern Workplace DevicesWindows Autopatch-Fast | Modern Workplace DevicesWindows Autopatch-Broad |
| Excluded groups | Modern Workplace Windows 11 Pre-Release Test Devices | Modern Workplace Windows 11 Pre-Release Test Devices | Modern Workplace Windows 11 Pre-Release Test Devices | Modern Workplace Windows 11 Pre-Release Test Devices |
| Included groups | Modern Workplace Devices-Windows Autopatch-Test | Modern Workplace Devices-Windows Autopatch-First | Modern Workplace Devices-Windows Autopatch-Fast | Modern Workplace Devices-Windows Autopatch-Broad |
| Excluded groups | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices | Modern Workplace - Windows 11 Pre-Release Test Devices |
#### Windows 11 testing
@ -94,7 +94,7 @@ To allow customers to test Windows 11 in their environment, there's a separate D
| Setting name | Test |
| ----- | ----- |
| Included groups | Modern Workplace Windows 11 Pre-Release Test Devices |
| Included groups | Modern Workplace - Windows 11 Pre-Release Test Devices |
| Excluded groups | None |
## Conflicting and unsupported policies

2
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
View File

@ -34,7 +34,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Message center post number | Description |
| ----- | ----- |
| [MC697414](https://admin.microsoft.com/adminportal/home#/MessageCenter) | New Feature: Alerts for Windows Autopatch policy conflicts Public Preview announcement |
| [MC695483](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Windows Autopatch configuration update December 2023 |
| [MC695483](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Planned Maintenance: Windows Autopatch configuration update - December 2023 |
## November service release

7
windows/hub/docfx.json
View File

@ -45,7 +45,7 @@
"ms.service": "windows-client",
"ms.subservice": "itpro-fundamentals",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-hub",
@ -64,7 +64,8 @@
"beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
"American-Dipper",
"shdyas"
]
},
"fileMetadata": {},
@ -72,4 +73,4 @@
"dest": "windows-hub",
"markdownEngineName": "markdig"
}
}
}

21
windows/privacy/docfx.json
View File

@ -40,11 +40,11 @@
"ms.service": "windows-client",
"ms.subservice": "itpro-privacy",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.privacy",
"folder_relative_path_in_docset": "./"
"folder_relative_path_in_docset": "./"
}
},
"titleSuffix": "Windows Privacy",
@ -59,13 +59,16 @@
"beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
"American-Dipper",
"shdyas"
]
},
"searchScope": ["Windows 10"]
"searchScope": [
"Windows 10"
]
},
"fileMetadata": {},
"template": [],
"dest": "privacy",
"markdownEngineName": "markdig"
}
"fileMetadata": {},
"template": [],
"dest": "privacy",
"markdownEngineName": "markdig"
}

13
windows/security/docfx.json
View File

@ -46,7 +46,7 @@
"ms.localizationpriority": "medium",
"manager": "aaroncz",
"feedback_system": "Standard",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.security",
@ -68,14 +68,15 @@
"beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
"American-Dipper",
"shdyas"
],
"searchScope": [
"Windows 10"
]
},
"fileMetadata": {
"author":{
"author": {
"application-security//**/*.md": "vinaypamnani-msft",
"application-security//**/*.yml": "vinaypamnani-msft",
"application-security/application-control/windows-defender-application-control/**/*.md": "jsuther1974",
@ -93,7 +94,7 @@
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
"operating-system-security/network-security/**/*.yml": "paolomatarazzo"
},
"ms.author":{
"ms.author": {
"application-security//**/*.md": "vinpa",
"application-security//**/*.yml": "vinpa",
"application-security/application-control/windows-defender-application-control/**/*.md": "jsuther",
@ -218,7 +219,7 @@
"identity-protection/virtual-smart-cards/*.md": "ardenw",
"operating-system-security/network-security/windows-firewall/*.md": "nganguly",
"operating-system-security/network-security/vpn/*.md": "pesmith",
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
"operating-system-security/data-protection/personal-data-encryption/*.md": "rhonnegowda",
"operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
},
"ms.collection": {
@ -234,4 +235,4 @@
"dest": "security",
"markdownEngineName": "markdig"
}
}
}

BIN
windows/security/hardware-security/images/pluton/pluton-firmware-load.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 197 KiB

After

Width:  |  Height:  |  Size: 752 KiB

BIN
windows/security/hardware-security/images/pluton/pluton-security-architecture.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 74 KiB

After

Width:  |  Height:  |  Size: 526 KiB

14
windows/security/hardware-security/pluton/microsoft-pluton-security-processor.md
View File

@ -2,20 +2,20 @@
title: Microsoft Pluton security processor
description: Learn more about Microsoft Pluton security processor
ms.topic: conceptual
ms.date: 07/31/2023
ms.date: 02/19/2024
---
# Microsoft Pluton security processor
Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon&reg; 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
## What is Microsoft Pluton?
Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker has installed malware or has complete physical possession of the PC.
Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker installs malware or has complete physical possession of the PC.
Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module as well as deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md).
Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) and deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for other Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md).
Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/).
@ -28,17 +28,17 @@ Pluton Security subsystem consists of the following layers:
| | Description |
|--|--|
| **Hardware** | Pluton Security Processor is a secure element tightly integrated into the SoC subsystem. It provides a trusted execution environment while delivering cryptographic services required for protecting sensitive resources and critical items like keys, data, etc. |
| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For additional information, see [Firmware load flow](#firmware-load-flow) |
| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For more information, see [Firmware load flow](#firmware-load-flow) |
| **Software** | Operating system drivers and applications available to an end user to allow seamless usage of the hardware capabilities provided by the Pluton security subsystem. |
## Firmware load flow
When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware is not available, Windows uses the firmware that was loaded during the hardware initialization. The diagram below illustrates this process:
When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware isn't available, Windows uses the firmware that was loaded during the hardware initialization. This diagram illustrates this process:
![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png)
[!INCLUDE [microsoft-pluton](../../../../includes/licensing/microsoft-pluton.md)]
## Related topics
## Related articles
[Microsoft Pluton as TPM](pluton-as-tpm.md)

10
windows/security/hardware-security/pluton/pluton-as-tpm.md
View File

@ -2,16 +2,16 @@
title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
ms.topic: conceptual
ms.date: 07/31/2023
ms.date: 02/19/2024
---
# Microsoft Pluton as Trusted Platform Module
Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard.
As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material.
As with other TPMs, credentials, encryption keys, and other sensitive information can't be easily extracted from Pluton even if an attacker installs malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution can't access key material.
Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for them to apply these updates.
Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from various sources, which can make it difficult for them to apply these updates.
To learn more about the TPM related scenarios that benefit from Pluton, see [TPM and Windows Features](/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features).
@ -25,7 +25,7 @@ Pluton is integrated within the SoC subsystem, and provides a flexible, updatabl
Devices with Ryzen 6000 and Qualcomm Snapdragon&reg; 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device.
UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM.
UEFI setup options differ from product to product. Visit the product website and check for guidance to enable Pluton as TPM.
> [!WARNING]
> If BitLocker is enabled, We recommend disabling BitLocker before changing the TPM configuration to prevent lockouts. After changing TPM configuration, re-enable BitLocker which will then bind the BitLocker keys with the Pluton TPM. Alternatively, save the BitLocker recovery key onto a USB drive.
@ -35,6 +35,6 @@ UEFI setup options differ from product to product, visit the product website and
> [!TIP]
> On most Lenovo devices, entering the UEFI options requires pressing Enter key at startup followed by pressing F1. In the UEFI Setup menu, select Security option, then on the Security page, select Security Chip option, to see the TPM configuration options. Under the drop-down list for Security Chip selection, select **MSFT Pluton** and click F10 to Save and Exit.
## Related topics
## Related articles
[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)

1
windows/security/introduction.md
View File

@ -12,6 +12,7 @@ content_well_notification:
author: paolomatarazzo
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
ai-usage: ai-assisted
---
# Introduction to Windows security

222
windows/security/operating-system-security/network-security/windows-firewall/dynamic-keywords.md Normal file
View File

@ -0,0 +1,222 @@
---
title: Windows Firewall dynamic keywords
description: Learn about Windows Firewall dynamic keywords and how to configure it using Windows PowerShell.
ms.topic: how-to
ms.date: 01/16/2024
---
# Windows Firewall dynamic keywords
> [!IMPORTANT]
>This article describes features or settings that are in preview. The content is subject to change and may have dependencies on other features or services in preview.
Windows Firewall includes a functionality called *dynamic keywords*, which simplifies the configuration and management of Windows Firewall.
With dynamic keywords, you can define a set of IP address ranges, fully qualified domain names (FQDNs), and **autoresolution** options, to which one or more Firewall rules can refer.
## Configure dynamic keywords
To configure dynamic keywords, you can use:
- [Firewall CSP][CSP-1], which can be used with a Mobile Device Management (MDM) solution like Microsoft Intune
- Windows PowerShell
> [!TIP]
> Microsoft Intune offers a simplified management experience called *reusable settings groups*. For more information, see [Add reusable settings groups to profiles for Firewall rules][MEM-1].
This article describes how to configure dynamic keywords using Windows PowerShell.
## Dynamic keywords and Fully Qualified Domain Names (FQDN)
Dynamic keywords can be configured by defining a set of IP address ranges or FQDNs. Here are important things to consider when using FQDNs:
- FQDN support is for reducing the overhead of managing IP rules where IP addresses are dynamic and change frequently
- FQDNs aren't a replacement for IP addresses in all scenarios. IP addresses should be used when possible, for security and performance reasons
- FQDN rules can affect performance on the endpoint, caused by DNS latency and other factors
- FQDN isn't a secure DNS service. The FQDN resolution uses the default DNS configuration of the endpoint
- An FQDN rule requires a DNS query to happen for that FQDN to be resolved to an IP address. Traffic to IP addresses must generate a DNS query for FQDN rules
- Limitations include: websites accessed via proxy, secure DNS services, certain VPN tunnel configurations, cached IPs on the endpoint
- While Partially Qualified Domain Names (PQDNs) are allowed, FQDNs are preferred. Wildcards `*` are supported for hosts, for example `*.contoso.com`
Two examples of FQDN rules are:
- Block all outbound and inbound by default and allow specific outbound traffic
- Block all inbound by default and block some specific outbound traffic
> [!NOTE]
> Inbound FQDN rules aren't natively supported. However, it's possible to use *pre-hydration* scripts to generate inbound IP entries for the rules.
> [!CAUTION]
> The default configuration of *Blocked for Outbound* rules can be considered for certain highly secure environments. However, the *Inbound* rule configuration should never be changed in a way that allows traffic by default.
In high security environments, an inventory of all apps should be maintained. Records should include whether an app requires network connectivity. Administrators should create new rules specific to each app that needs network connectivity, and push those rules centrally, using a device management solution.
### Functions and known limitations
The Windows Firewall FQDN feature uses the Network Protection external callout driver, to inspect DNS responses where the DNS query matches FQDN rules. Some important functions and limitations of the feature are:
- The Network Protection component doesn't periodically execute DNS queries. It requires an application to execute a DNS query
- Windows Firewall flushes all stored resolved IP addresses on device restart
- Network protection doesn't synchronously inspect the DNS response, as it doesn't hold the UDP packet during inspection. The result is a potential condition where an application, after receiving the DNS response, attempts to connect, but gets blocked if it's faster than the firewall rule update
- Generally, applications have retry logic for an initial failed connection and as a result the issue is transparent to the end user
- On occasion a component might not have retry logic on initial connection fail. Which is solved in two ways:
- The user can hit *refresh* in the application they're using, and it should connect successfully
- Administrators can use the *prehydration* scripts tactfully, where this condition is occurring in their environment
### FQDN Feature requirements
The following are requirements for the FQDN feature:
- Microsoft Defender Antivirus must be turned on and running platform version `4.18.2209.7` or later.
- To verify, open [Windows Security](windowsdefender://) and select **Settings** > **About**
- Network Protection must be in *block* or *audit* mode. For more information, see [Check if network protection is enabled][M365-1].
- DNS over HTTPS (DoH) must be disabled. To configure your preferred browser, you can use the following settings:
- [Microsoft Edge][EDGE-1]
- [Chrome][HTTP-1]
- [Firefox][HTTP-2]
- The device's default DNS resolution settings apply. This feature doesn't provide DNS security or functionality changes
> [!TIP]
> You can also download the ADMX file from there, follow the directions, and configure it via gpedit.msc for local testing.
## Manage dynamic keywords with Windows PowerShell
This section provides some examples how to manage dynamic keywords using Windows PowerShell. A few important things to consider when using dynamic keywords are:
- All dynamic keyword objects must have a unique identifier (GUID) to represent them
- A firewall rule can use dynamic keywords instead of explicitly defining IP addresses for its conditions
- A firewall rule can use both dynamic keywords and statically defined address ranges
- A dynamic keyword object can be reused across multiple firewall rules
- If a firewall rule doesn't have any configured remote addresses, then the rule isn't enforced. For example, if a rule is configured with only `AutoResolve` objects that aren't yet resolved
- If a rule uses multiple dynamic keywords, then the rule is enforced for all addresses that are *currently* resolved. The rule is enforced even if there are unresolved objects. When a dynamic keyword address is updated, all associated rule objects have their remote addresses updated
- Windows doesn't enforce any dependencies between a rule and a dynamic keyword address, and either object can be created first. A rule can reference dynamic keyword IDs that don't yet exist, in which case the rule isn't enforced
- You can delete a dynamic keyword address, even if it's in use by a firewall rule
### Allow Outbound
Here's an example script to allow an FQDN from PowerShell. Replace the `$fqdn` variable value with the FQDN you wish to block (line #1):
```PowerShell
$fqdn = 'contoso.com'
$id = '{' + (new-guid).ToString() + '}'
New-NetFirewallDynamicKeywordAddress -id $id -Keyword $fqdn -AutoResolve $true
New-NetFirewallRule -DisplayName "allow $fqdn" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
```
Dynamic keyword addresses can be created with the `AutoResolve` parameter set to `$true` or `$false`. If `AutoResolve` is set to `$true`, then Windows attempts to resolve the keyword to an IP address.
### Block Outbound
Here's an example script to block an FQDN from PowerShell. Replace the `$fqdn` variable value with the FQDN you wish to block (line #1):
```PowerShell
$fqdn = 'contoso.com'
$id = '{' + (new-guid).ToString() + '}'
New-NetFirewallDynamicKeywordAddress -id $id -Keyword $fqdn -AutoResolve $true
New-NetFirewallRule -DisplayName "block $fqdn" -Action Block -Direction Outbound -RemoteDynamicKeywordAddresses $id
```
### Display Auto resolve rules and associated resolved IP addresses
This example shows how to display all dynamic keyword addresses that have the `AutoResolve` parameter set to `$true` and the associated resolved IP addresses.
```PowerShell
Get-NetFirewallDynamicKeywordAddress -AllAutoResolve
```
> [!NOTE]
> IP addresses will not populate until DNS query is observed.
### Hydrate FQDN rules
The following sample scripts read the current Windows Firewall configuration, extract FQDN-based rules, and perform DNS resolution on each domain. The result is that the IP addresses for those rules get "prehydrated."
```PowerShell
Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
ForEach-Object {
if(!$_.Keyword.Contains("*")) {
Write-Host "Getting" $_.Keyword
resolve-dnsname -Name $_.Keyword -DNSOnly | out-null
}
}
```
A similar script can be used to perform DNS resolution using `nslookup.exe`:
```PowerShell
Get-NetFirewallDynamicKeywordAddress -AllAutoResolve |`
ForEach-Object {
if(!$_.Keyword.Contains("*")) {
Write-Host "Getting" $_.Keyword
nslookup $_.Keyword
}
}
```
If using `nslookup.exe`, you must create an outbound firewall rule when using the *block all outbound* posture. Here's the command to create the outbound rule for `nslookup.exe`:
```PowerShell
$appName = 'nslookup'
$appPath = 'C:\Windows\System32\nslookup.exe'
New-NetFirewallRule -DisplayName "allow $appName" -Program $appPath -Action Allow -Direction Outbound -Protocol UDP -RemotePort 53
```
### Block all outbound and allow some FQDNs
In the next example, a list of applications is parsed for FQDN evaluation. The FQDNs listed in the scripts were observed when inspecting traffic on the first launch of Microsoft Edge.
> [!IMPORTANT]
> This is not a complete list nor a recommendation. It's an example of how an application should be evaluated to ensure proper connectivity and function.
To learn more about Microsoft Edge requirements for Internet connectivity, see [allowlist for Microsoft Edge endpoints][EDGE-4].
```PowerShell
$domains = @(
'*.microsoft.com',
'*.msftconnecttest.com',
'assets.msn.com',
'client.wns.windows.com',
'config.edge.skype.com',
'ctldl.windowsupdate.com',
'dns.msftncsi.com',
'login.live.com',
'ntp.msn.com'
)
foreach ($domain in $domains) {
$id = '{' + (New-Guid).ToString() + '}'
New-NetFirewallDynamicKeywordAddress -Id $id -Keyword $domain -AutoResolve $true
New-NetFirewallRule -DisplayName "allow $domain" -Action Allow -Direction Outbound -RemoteDynamicKeywordAddresses $id
}
```
For more information about the PowerShell cmdlets used to manage dynamic keywords, see:
- [Get-NetFirewallDynamicKeywordAddress][PS-1]
- [New-NetFirewallDynamicKeywordAddress][PS-2]
- [Remove-NetFirewallDynamicKeywordAddress][PS-3]
- [Update-NetFirewallDynamicKeywordAddress][PS-4]
For information about the API structure, see [Firewall dynamic keywords][WIN-1].
<!--links-->
[CSP-1]: /windows/client-management/mdm/firewall-csp
[EDGE-1]: /deployedge/microsoft-edge-policies#control-the-mode-of-dns-over-https
[EDGE-2]: /deployedge/microsoft-edge-policies#builtindnsclientenabled
[EDGE-3]: /deployedge/configure-microsoft-edge
[EDGE-4]: /deployedge/microsoft-edge-security-endpoints
[HTTP-1]: https://chromeenterprise.google/policies?policy=DnsOverHttpsMode
[HTTP-2]: https://support.mozilla.org/kb/firefox-dns-over-https
[M365-1]: /microsoft-365/security/defender-endpoint/enable-network-protection#check-if-network-protection-is-enabled
[MEM-1]: /mem/intune/protect/endpoint-security-firewall-policy#add-reusable-settings-groups-to-profiles-for-firewall-rules
[PS-1]: /powershell/module/netsecurity/get-netfirewalldynamickeywordaddress
[PS-2]: /powershell/module/netsecurity/new-netfirewalldynamickeywordaddress
[PS-3]: /powershell/module/netsecurity/remove-netfirewalldynamickeywordaddress
[PS-4]: /powershell/module/netsecurity/update-netfirewalldynamickeywordaddress
[WIN-1]: /windows/win32/ics/firewall-dynamic-keywords

2
windows/security/operating-system-security/network-security/windows-firewall/toc.yml
View File

@ -13,6 +13,8 @@ items:
href: configure.md
- name: Configure with command line tools
href: configure-with-command-line.md
- name: Dynamic keywords
href: dynamic-keywords.md
- name: Hyper-V firewall
href: hyper-v-firewall.md
- name: Troubleshoot

14
windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
View File

@ -47,6 +47,10 @@ Enhanced Phishing Protection can be configured via Microsoft Intune, Group Polic
| Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<li> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. |
| Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<li> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.</li><li> If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. |
Enhanced Phishing Protection allows organizations to add their custom identity provider sign-in URL as a recognized URL. Then Enhanced Phishing Protection doesn't consider Microsoft passwords typed into an internal identity provider (IdP) as unknown or password reuse. Without knowledge of an enterprise's custom identity provider URL, SmartScreen might not have enough information about the URL. If you configure warning dialogs for Enhanced Phishing Protection, it might show an unsafe password usage dialog to the user entering their Microsoft password into the URL.
To add your organization's custom sign-in URL to Enhanced Phishing Protection, configure the `EnableWebSignIn` policy in the [Authentication Policy CSP](/windows/client-management/mdm/policy-csp-authentication#enablewebsignin). For more information, see [Web sign-in for Windows](../../../identity-protection/web-sign-in/index.md).
Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
#### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
@ -91,7 +95,7 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n
| Setting | Default Value | Recommendation |
|---------------------------|------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.<br>**Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence |
| Automatic Data Collection | **Enabled** for domain joined devices or devices enrolled with MDM.<br>**Disabled** for all other devices. | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. |
| Service Enabled | **Enabled** | **Enabled**:Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
| Notify Malicious | **Disabled** for devices onboarded to MDE.<br>**Enabled** for all other devices. | **Enabled**:Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
| Notify Password Reuse | **Disabled** | **Enabled**:Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. |
@ -99,14 +103,6 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
| Setting | Default Value | Recommendation |
|---------------------------|------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Automatic Data Collection | **Disabled** for domain joined devices or devices enrolled with MDM.<br>**Enabled** for all other devices. | **Enabled**: Turns on collection of additional content when users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious. |
| Service Enabled | **Enabled** | **Enabled**:Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
| Notify Malicious | **Disabled** for devices onboarded to MDE.<br>**Enabled** for all other devices. | **Enabled**:Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
| Notify Password Reuse | **Disabled** | **Enabled**:Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. |
| Notify Unsafe App | **Disabled** | **Enabled**:Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. |
#### [:::image type="icon" source="../../../images/icons/intune.svg"::: **Intune**](#tab/intune)
| Settings catalog element | Recommended value |

767
windows/security/threat-protection/auditing/TOC.yml
View File

@ -1,767 +0,0 @@
- name: Security auditing
href: security-auditing-overview.md
items:
- name: Basic security audit policies
href: basic-security-audit-policies.md
items:
- name: Create a basic audit policy for an event category
href: create-a-basic-audit-policy-settings-for-an-event-category.md
- name: Apply a basic audit policy on a file or folder
href: apply-a-basic-audit-policy-on-a-file-or-folder.md
- name: View the security event log
href: view-the-security-event-log.md
- name: Basic security audit policy settings
href: basic-security-audit-policy-settings.md
items:
- name: Audit account logon events
href: basic-audit-account-logon-events.md
- name: Audit account management
href: basic-audit-account-management.md
- name: Audit directory service access
href: basic-audit-directory-service-access.md
- name: Audit logon events
href: basic-audit-logon-events.md
- name: Audit object access
href: basic-audit-object-access.md
- name: Audit policy change
href: basic-audit-policy-change.md
- name: Audit privilege use
href: basic-audit-privilege-use.md
- name: Audit process tracking
href: basic-audit-process-tracking.md
- name: Audit system events
href: basic-audit-system-events.md
- name: Advanced security audit policies
href: advanced-security-auditing.md
items:
- name: Planning and deploying advanced security audit policies
href: planning-and-deploying-advanced-security-audit-policies.md
- name: Advanced security auditing FAQ
href: advanced-security-auditing-faq.yml
items:
- name: Which editions of Windows support advanced audit policy configuration
href: which-editions-of-windows-support-advanced-audit-policy-configuration.md
- name: How to list XML elements in \<EventData>
href: how-to-list-xml-elements-in-eventdata.md
- name: Using advanced security auditing options to monitor dynamic access control objects
href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
items:
- name: Monitor the central access policies that apply on a file server
href: monitor-the-central-access-policies-that-apply-on-a-file-server.md
- name: Monitor the use of removable storage devices
href: monitor-the-use-of-removable-storage-devices.md
- name: Monitor resource attribute definitions
href: monitor-resource-attribute-definitions.md
- name: Monitor central access policy and rule definitions
href: monitor-central-access-policy-and-rule-definitions.md
- name: Monitor user and device claims during sign-in
href: monitor-user-and-device-claims-during-sign-in.md
- name: Monitor the resource attributes on files and folders
href: monitor-the-resource-attributes-on-files-and-folders.md
- name: Monitor the central access policies associated with files and folders
href: monitor-the-central-access-policies-associated-with-files-and-folders.md
- name: Monitor claim types
href: monitor-claim-types.md
- name: Advanced security audit policy settings
href: advanced-security-audit-policy-settings.md
items:
- name: Audit Credential Validation
href: audit-credential-validation.md
- name: "Event 4774 S, F: An account was mapped for logon."
href: event-4774.md
- name: "Event 4775 F: An account could not be mapped for logon."
href: event-4775.md
- name: "Event 4776 S, F: The computer attempted to validate the credentials for an account."
href: event-4776.md
- name: "Event 4777 F: The domain controller failed to validate the credentials for an account."
href: event-4777.md
- name: Audit Kerberos Authentication Service
href: audit-kerberos-authentication-service.md
items:
- name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested."
href: event-4768.md
- name: "Event 4771 F: Kerberos pre-authentication failed."
href: event-4771.md
- name: "Event 4772 F: A Kerberos authentication ticket request failed."
href: event-4772.md
- name: Audit Kerberos Service Ticket Operations
href: audit-kerberos-service-ticket-operations.md
items:
- name: "Event 4769 S, F: A Kerberos service ticket was requested."
href: event-4769.md
- name: "Event 4770 S: A Kerberos service ticket was renewed."
href: event-4770.md
- name: "Event 4773 F: A Kerberos service ticket request failed."
href: event-4773.md
- name: Audit Other Account Logon Events
href: audit-other-account-logon-events.md
- name: Audit Application Group Management
href: audit-application-group-management.md
- name: Audit Computer Account Management
href: audit-computer-account-management.md
items:
- name: "Event 4741 S: A computer account was created."
href: event-4741.md
- name: "Event 4742 S: A computer account was changed."
href: event-4742.md
- name: "Event 4743 S: A computer account was deleted."
href: event-4743.md
- name: Audit Distribution Group Management
href: audit-distribution-group-management.md
items:
- name: "Event 4749 S: A security-disabled global group was created."
href: event-4749.md
- name: "Event 4750 S: A security-disabled global group was changed."
href: event-4750.md
- name: "Event 4751 S: A member was added to a security-disabled global group."
href: event-4751.md
- name: "Event 4752 S: A member was removed from a security-disabled global group."
href: event-4752.md
- name: "Event 4753 S: A security-disabled global group was deleted."
href: event-4753.md
- name: Audit Other Account Management Events
href: audit-other-account-management-events.md
items:
- name: "Event 4782 S: The password hash of an account was accessed."
href: event-4782.md
- name: "Event 4793 S: The Password Policy Checking API was called."
href: event-4793.md
- name: Audit Security Group Management
href: audit-security-group-management.md
items:
- name: "Event 4731 S: A security-enabled local group was created."
href: event-4731.md
- name: "Event 4732 S: A member was added to a security-enabled local group."
href: event-4732.md
- name: "Event 4733 S: A member was removed from a security-enabled local group."
href: event-4733.md
- name: "Event 4734 S: A security-enabled local group was deleted."
href: event-4734.md
- name: "Event 4735 S: A security-enabled local group was changed."
href: event-4735.md
- name: "Event 4764 S: A group<75>s type was changed."
href: event-4764.md
- name: "Event 4799 S: A security-enabled local group membership was enumerated."
href: event-4799.md
- name: Audit User Account Management
href: audit-user-account-management.md
items:
- name: "Event 4720 S: A user account was created."
href: event-4720.md
- name: "Event 4722 S: A user account was enabled."
href: event-4722.md
- name: "Event 4723 S, F: An attempt was made to change an account's password."
href: event-4723.md
- name: "Event 4724 S, F: An attempt was made to reset an account's password."
href: event-4724.md
- name: "Event 4725 S: A user account was disabled."
href: event-4725.md
- name: "Event 4726 S: A user account was deleted."
href: event-4726.md
- name: "Event 4738 S: A user account was changed."
href: event-4738.md
- name: "Event 4740 S: A user account was locked out."
href: event-4740.md
- name: "Event 4765 S: SID History was added to an account."
href: event-4765.md
- name: "Event 4766 F: An attempt to add SID History to an account failed."
href: event-4766.md
- name: "Event 4767 S: A user account was unlocked."
href: event-4767.md
- name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups."
href: event-4780.md
- name: "Event 4781 S: The name of an account was changed."
href: event-4781.md
- name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password."
href: event-4794.md
- name: "Event 4798 S: A user's local group membership was enumerated."
href: event-4798.md
- name: "Event 5376 S: Credential Manager credentials were backed up."
href: event-5376.md
- name: "Event 5377 S: Credential Manager credentials were restored from a backup."
href: event-5377.md
- name: Audit DPAPI Activity
href: audit-dpapi-activity.md
items:
- name: "Event 4692 S, F: Backup of data protection master key was attempted."
href: event-4692.md
- name: "Event 4693 S, F: Recovery of data protection master key was attempted."
href: event-4693.md
- name: "Event 4694 S, F: Protection of auditable protected data was attempted."
href: event-4694.md
- name: "Event 4695 S, F: Unprotection of auditable protected data was attempted."
href: event-4695.md
- name: Audit PNP Activity
href: audit-pnp-activity.md
items:
- name: "Event 6416 S: A new external device was recognized by the System."
href: event-6416.md
- name: "Event 6419 S: A request was made to disable a device."
href: event-6419.md
- name: "Event 6420 S: A device was disabled."
href: event-6420.md
- name: "Event 6421 S: A request was made to enable a device."
href: event-6421.md
- name: "Event 6422 S: A device was enabled."
href: event-6422.md
- name: "Event 6423 S: The installation of this device is forbidden by system policy."
href: event-6423.md
- name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy."
href: event-6424.md
- name: Audit Process Creation
href: audit-process-creation.md
items:
- name: "Event 4688 S: A new process has been created."
href: event-4688.md
- name: "Event 4696 S: A primary token was assigned to process."
href: event-4696.md
- name: Audit Process Termination
href: audit-process-termination.md
items:
- name: "Event 4689 S: A process has exited."
href: event-4689.md
- name: Audit RPC Events
href: audit-rpc-events.md
items:
- name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted."
href: event-5712.md
- name: Audit Token Right Adjusted
href: audit-token-right-adjusted.md
items:
- name: "Event 4703 S: A user right was adjusted."
href: event-4703.md
- name: Audit Detailed Directory Service Replication
href: audit-detailed-directory-service-replication.md
items:
- name: "Event 4928 S, F: An Active Directory replica source naming context was established."
href: event-4928.md
- name: "Event 4929 S, F: An Active Directory replica source naming context was removed."
href: event-4929.md
- name: "Event 4930 S, F: An Active Directory replica source naming context was modified."
href: event-4930.md
- name: "Event 4931 S, F: An Active Directory replica destination naming context was modified."
href: event-4931.md
- name: "Event 4934 S: Attributes of an Active Directory object were replicated."
href: event-4934.md
- name: "Event 4935 F: Replication failure begins."
href: event-4935.md
- name: "Event 4936 S: Replication failure ends."
href: event-4936.md
- name: "Event 4937 S: A lingering object was removed from a replica."
href: event-4937.md
- name: Audit Directory Service Access
href: audit-directory-service-access.md
items:
- name: "Event 4662 S, F: An operation was performed on an object."
href: event-4662.md
- name: "Event 4661 S, F: A handle to an object was requested."
href: event-4661.md
- name: Audit Directory Service Changes
href: audit-directory-service-changes.md
items:
- name: "Event 5136 S: A directory service object was modified."
href: event-5136.md
- name: "Event 5137 S: A directory service object was created."
href: event-5137.md
- name: "Event 5138 S: A directory service object was undeleted."
href: event-5138.md
- name: "Event 5139 S: A directory service object was moved."
href: event-5139.md
- name: "Event 5141 S: A directory service object was deleted."
href: event-5141.md
- name: Audit Directory Service Replication
href: audit-directory-service-replication.md
items:
- name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun."
href: event-4932.md
- name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended."
href: event-4933.md
- name: Audit Account Lockout
href: audit-account-lockout.md
items:
- name: "Event 4625 F: An account failed to log on."
href: event-4625.md
- name: Audit User/Device Claims
href: audit-user-device-claims.md
items:
- name: "Event 4626 S: User/Device claims information."
href: event-4626.md
- name: Audit Group Membership
href: audit-group-membership.md
items:
- name: "Event 4627 S: Group membership information."
href: event-4627.md
- name: Audit IPsec Extended Mode
href: audit-ipsec-extended-mode.md
- name: Audit IPsec Main Mode
href: audit-ipsec-main-mode.md
- name: Audit IPsec Quick Mode
href: audit-ipsec-quick-mode.md
- name: Audit Logoff
href: audit-logoff.md
items:
- name: "Event 4634 S: An account was logged off."
href: event-4634.md
- name: "Event 4647 S: User initiated logoff."
href: event-4647.md
- name: Audit Logon
href: audit-logon.md
items:
- name: "Event 4624 S: An account was successfully logged on."
href: event-4624.md
- name: "Event 4625 F: An account failed to log on."
href: event-4625.md
- name: "Event 4648 S: A logon was attempted using explicit credentials."
href: event-4648.md
- name: "Event 4675 S: SIDs were filtered."
href: event-4675.md
- name: Audit Network Policy Server
href: audit-network-policy-server.md
- name: Audit Other Logon/Logoff Events
href: audit-other-logonlogoff-events.md
items:
- name: "Event 4649 S: A replay attack was detected."
href: event-4649.md
- name: "Event 4778 S: A session was reconnected to a Window Station."
href: event-4778.md
- name: "Event 4779 S: A session was disconnected from a Window Station."
href: event-4779.md
- name: "Event 4800 S: The workstation was locked."
href: event-4800.md
- name: "Event 4801 S: The workstation was unlocked."
href: event-4801.md
- name: "Event 4802 S: The screen saver was invoked."
href: event-4802.md
- name: "Event 4803 S: The screen saver was dismissed."
href: event-4803.md
- name: "Event 5378 F: The requested credentials delegation was disallowed by policy."
href: event-5378.md
- name: "Event 5632 S, F: A request was made to authenticate to a wireless network."
href: event-5632.md
- name: "Event 5633 S, F: A request was made to authenticate to a wired network."
href: event-5633.md
- name: Audit Special Logon
href: audit-special-logon.md
items:
- name: "Event 4964 S: Special groups have been assigned to a new logon."
href: event-4964.md
- name: "Event 4672 S: Special privileges assigned to new logon."
href: event-4672.md
- name: Audit Application Generated
href: audit-application-generated.md
- name: Audit Certification Services
href: audit-certification-services.md
- name: Audit Detailed File Share
href: audit-detailed-file-share.md
items:
- name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access."
href: event-5145.md
- name: Audit File Share
href: audit-file-share.md
items:
- name: "Event 5140 S, F: A network share object was accessed."
href: event-5140.md
- name: "Event 5142 S: A network share object was added."
href: event-5142.md
- name: "Event 5143 S: A network share object was modified."
href: event-5143.md
- name: "Event 5144 S: A network share object was deleted."
href: event-5144.md
- name: "Event 5168 F: SPN check for SMB/SMB2 failed."
href: event-5168.md
- name: Audit File System
href: audit-file-system.md
items:
- name: "Event 4656 S, F: A handle to an object was requested."
href: event-4656.md
- name: "Event 4658 S: The handle to an object was closed."
href: event-4658.md
- name: "Event 4660 S: An object was deleted."
href: event-4660.md
- name: "Event 4663 S: An attempt was made to access an object."
href: event-4663.md
- name: "Event 4664 S: An attempt was made to create a hard link."
href: event-4664.md
- name: "Event 4985 S: The state of a transaction has changed."
href: event-4985.md
- name: "Event 5051: A file was virtualized."
href: event-5051.md
- name: "Event 4670 S: Permissions on an object were changed."
href: event-4670.md
- name: Audit Filtering Platform Connection
href: audit-filtering-platform-connection.md
items:
- name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network."
href: event-5031.md
- name: "Event 5150: The Windows Filtering Platform blocked a packet."
href: event-5150.md
- name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet."
href: event-5151.md
- name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections."
href: event-5154.md
- name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections."
href: event-5155.md
- name: "Event 5156 S: The Windows Filtering Platform has permitted a connection."
href: event-5156.md
- name: "Event 5157 F: The Windows Filtering Platform has blocked a connection."
href: event-5157.md
- name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port."
href: event-5158.md
- name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port."
href: event-5159.md
- name: Audit Filtering Platform Packet Drop
href: audit-filtering-platform-packet-drop.md
items:
- name: "Event 5152 F: The Windows Filtering Platform blocked a packet."
href: event-5152.md
- name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet."
href: event-5153.md
- name: Audit Handle Manipulation
href: audit-handle-manipulation.md
items:
- name: "Event 4690 S: An attempt was made to duplicate a handle to an object."
href: event-4690.md
- name: Audit Kernel Object
href: audit-kernel-object.md
items:
- name: "Event 4656 S, F: A handle to an object was requested."
href: event-4656.md
- name: "Event 4658 S: The handle to an object was closed."
href: event-4658.md
- name: "Event 4660 S: An object was deleted."
href: event-4660.md
- name: "Event 4663 S: An attempt was made to access an object."
href: event-4663.md
- name: Audit Other Object Access Events
href: audit-other-object-access-events.md
items:
- name: "Event 4671: An application attempted to access a blocked ordinal through the TBS."
href: event-4671.md
- name: "Event 4691 S: Indirect access to an object was requested."
href: event-4691.md
- name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded."
href: event-5148.md
- name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed."
href: event-5149.md
- name: "Event 4698 S: A scheduled task was created."
href: event-4698.md
- name: "Event 4699 S: A scheduled task was deleted."
href: event-4699.md
- name: "Event 4700 S: A scheduled task was enabled."
href: event-4700.md
- name: "Event 4701 S: A scheduled task was disabled."
href: event-4701.md
- name: "Event 4702 S: A scheduled task was updated."
href: event-4702.md
- name: "Event 5888 S: An object in the COM+ Catalog was modified."
href: event-5888.md
- name: "Event 5889 S: An object was deleted from the COM+ Catalog."
href: event-5889.md
- name: "Event 5890 S: An object was added to the COM+ Catalog."
href: event-5890.md
- name: Audit Registry
href: audit-registry.md
items:
- name: "Event 4663 S: An attempt was made to access an object."
href: event-4663.md
- name: "Event 4656 S, F: A handle to an object was requested."
href: event-4656.md
- name: "Event 4658 S: The handle to an object was closed."
href: event-4658.md
- name: "Event 4660 S: An object was deleted."
href: event-4660.md
- name: "Event 4657 S: A registry value was modified."
href: event-4657.md
- name: "Event 5039: A registry key was virtualized."
href: event-5039.md
- name: "Event 4670 S: Permissions on an object were changed."
href: event-4670.md
- name: Audit Removable Storage
href: audit-removable-storage.md
- name: Audit SAM
href: audit-sam.md
items:
- name: "Event 4661 S, F: A handle to an object was requested."
href: event-4661.md
- name: Audit Central Access Policy Staging
href: audit-central-access-policy-staging.md
items:
- name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy."
href: event-4818.md
- name: Audit Audit Policy Change
href: audit-audit-policy-change.md
items:
- name: "Event 4670 S: Permissions on an object were changed."
href: event-4670.md
- name: "Event 4715 S: The audit policy, SACL, on an object was changed."
href: event-4715.md
- name: "Event 4719 S: System audit policy was changed."
href: event-4719.md
- name: "Event 4817 S: Auditing settings on object were changed."
href: event-4817.md
- name: "Event 4902 S: The Per-user audit policy table was created."
href: event-4902.md
- name: "Event 4906 S: The CrashOnAuditFail value has changed."
href: event-4906.md
- name: "Event 4907 S: Auditing settings on object were changed."
href: event-4907.md
- name: "Event 4908 S: Special Groups Logon table modified."
href: event-4908.md
- name: "Event 4912 S: Per User Audit Policy was changed."
href: event-4912.md
- name: "Event 4904 S: An attempt was made to register a security event source."
href: event-4904.md
- name: "Event 4905 S: An attempt was made to unregister a security event source."
href: event-4905.md
- name: Audit Authentication Policy Change
href: audit-authentication-policy-change.md
items:
- name: "Event 4706 S: A new trust was created to a domain."
href: event-4706.md
- name: "Event 4707 S: A trust to a domain was removed."
href: event-4707.md
- name: "Event 4716 S: Trusted domain information was modified."
href: event-4716.md
- name: "Event 4713 S: Kerberos policy was changed."
href: event-4713.md
- name: "Event 4717 S: System security access was granted to an account."
href: event-4717.md
- name: "Event 4718 S: System security access was removed from an account."
href: event-4718.md
- name: "Event 4739 S: Domain Policy was changed."
href: event-4739.md
- name: "Event 4864 S: A namespace collision was detected."
href: event-4864.md
- name: "Event 4865 S: A trusted forest information entry was added."
href: event-4865.md
- name: "Event 4866 S: A trusted forest information entry was removed."
href: event-4866.md
- name: "Event 4867 S: A trusted forest information entry was modified."
href: event-4867.md
- name: Audit Authorization Policy Change
href: audit-authorization-policy-change.md
items:
- name: "Event 4703 S: A user right was adjusted."
href: event-4703.md
- name: "Event 4704 S: A user right was assigned."
href: event-4704.md
- name: "Event 4705 S: A user right was removed."
href: event-4705.md
- name: "Event 4670 S: Permissions on an object were changed."
href: event-4670.md
- name: "Event 4911 S: Resource attributes of the object were changed."
href: event-4911.md
- name: "Event 4913 S: Central Access Policy on the object was changed."
href: event-4913.md
- name: Audit Filtering Platform Policy Change
href: audit-filtering-platform-policy-change.md
- name: Audit MPSSVC Rule-Level Policy Change
href: audit-mpssvc-rule-level-policy-change.md
items:
- name: "Event 4944 S: The following policy was active when the Windows Firewall started."
href: event-4944.md
- name: "Event 4945 S: A rule was listed when the Windows Firewall started."
href: event-4945.md
- name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added."
href: event-4946.md
- name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified."
href: event-4947.md
- name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted."
href: event-4948.md
- name: "Event 4949 S: Windows Firewall settings were restored to the default values."
href: event-4949.md
- name: "Event 4950 S: A Windows Firewall setting has changed."
href: event-4950.md
- name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall."
href: event-4951.md
- name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced."
href: event-4952.md
- name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed."
href: event-4953.md
- name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied."
href: event-4954.md
- name: "Event 4956 S: Windows Firewall has changed the active profile."
href: event-4956.md
- name: "Event 4957 F: Windows Firewall did not apply the following rule."
href: event-4957.md
- name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer."
href: event-4958.md
- name: Audit Other Policy Change Events
href: audit-other-policy-change-events.md
items:
- name: "Event 4714 S: Encrypted data recovery policy was changed."
href: event-4714.md
- name: "Event 4819 S: Central Access Policies on the machine have been changed."
href: event-4819.md
- name: "Event 4826 S: Boot Configuration Data loaded."
href: event-4826.md
- name: "Event 4909: The local policy settings for the TBS were changed."
href: event-4909.md
- name: "Event 4910: The group policy settings for the TBS were changed."
href: event-4910.md
- name: "Event 5063 S, F: A cryptographic provider operation was attempted."
href: event-5063.md
- name: "Event 5064 S, F: A cryptographic context operation was attempted."
href: event-5064.md
- name: "Event 5065 S, F: A cryptographic context modification was attempted."
href: event-5065.md
- name: "Event 5066 S, F: A cryptographic function operation was attempted."
href: event-5066.md
- name: "Event 5067 S, F: A cryptographic function modification was attempted."
href: event-5067.md
- name: "Event 5068 S, F: A cryptographic function provider operation was attempted."
href: event-5068.md
- name: "Event 5069 S, F: A cryptographic function property operation was attempted."
href: event-5069.md
- name: "Event 5070 S, F: A cryptographic function property modification was attempted."
href: event-5070.md
- name: "Event 5447 S: A Windows Filtering Platform filter has been changed."
href: event-5447.md
- name: "Event 6144 S: Security policy in the group policy objects has been applied successfully."
href: event-6144.md
- name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects."
href: event-6145.md
- name: Audit Sensitive Privilege Use
href: audit-sensitive-privilege-use.md
items:
- name: "Event 4673 S, F: A privileged service was called."
href: event-4673.md
- name: "Event 4674 S, F: An operation was attempted on a privileged object."
href: event-4674.md
- name: "Event 4985 S: The state of a transaction has changed."
href: event-4985.md
- name: Audit Non Sensitive Privilege Use
href: audit-non-sensitive-privilege-use.md
items:
- name: "Event 4673 S, F: A privileged service was called."
href: event-4673.md
- name: "Event 4674 S, F: An operation was attempted on a privileged object."
href: event-4674.md
- name: "Event 4985 S: The state of a transaction has changed."
href: event-4985.md
- name: Audit Other Privilege Use Events
href: audit-other-privilege-use-events.md
items:
- name: "Event 4985 S: The state of a transaction has changed."
href: event-4985.md
- name: Audit IPsec Driver
href: audit-ipsec-driver.md
- name: Audit Other System Events
href: audit-other-system-events.md
items:
- name: "Event 5024 S: The Windows Firewall Service has started successfully."
href: event-5024.md
- name: "Event 5025 S: The Windows Firewall Service has been stopped."
href: event-5025.md
- name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy."
href: event-5027.md
- name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy."
href: event-5028.md
- name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy."
href: event-5029.md
- name: "Event 5030 F: The Windows Firewall Service failed to start."
href: event-5030.md
- name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network."
href: event-5032.md
- name: "Event 5033 S: The Windows Firewall Driver has started successfully."
href: event-5033.md
- name: "Event 5034 S: The Windows Firewall Driver was stopped."
href: event-5034.md
- name: "Event 5035 F: The Windows Firewall Driver failed to start."
href: event-5035.md
- name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating."
href: event-5037.md
- name: "Event 5058 S, F: Key file operation."
href: event-5058.md
- name: "Event 5059 S, F: Key migration operation."
href: event-5059.md
- name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content."
href: event-6400.md
- name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded."
href: event-6401.md
- name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted."
href: event-6402.md
- name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client."
href: event-6403.md
- name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate."
href: event-6404.md
- name: "Event 6405: BranchCache: %2 instances of event id %1 occurred."
href: event-6405.md
- name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2."
href: event-6406.md
- name: "Event 6407: 1%."
href: event-6407.md
- name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2."
href: event-6408.md
- name: "Event 6409: BranchCache: A service connection point object could not be parsed."
href: event-6409.md
- name: Audit Security State Change
href: audit-security-state-change.md
items:
- name: "Event 4608 S: Windows is starting up."
href: event-4608.md
- name: "Event 4616 S: The system time was changed."
href: event-4616.md
- name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail."
href: event-4621.md
- name: Audit Security System Extension
href: audit-security-system-extension.md
items:
- name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority."
href: event-4610.md
- name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority."
href: event-4611.md
- name: "Event 4614 S: A notification package has been loaded by the Security Account Manager."
href: event-4614.md
- name: "Event 4622 S: A security package has been loaded by the Local Security Authority."
href: event-4622.md
- name: "Event 4697 S: A service was installed in the system."
href: event-4697.md
- name: Audit System Integrity
href: audit-system-integrity.md
items:
- name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits."
href: event-4612.md
- name: "Event 4615 S: Invalid use of LPC port."
href: event-4615.md
- name: "Event 4618 S: A monitored security event pattern has occurred."
href: event-4618.md
- name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message."
href: event-4816.md
- name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid."
href: event-5038.md
- name: "Event 5056 S: A cryptographic self-test was performed."
href: event-5056.md
- name: "Event 5062 S: A kernel-mode cryptographic self-test was performed."
href: event-5062.md
- name: "Event 5057 F: A cryptographic primitive operation failed."
href: event-5057.md
- name: "Event 5060 F: Verification operation failed."
href: event-5060.md
- name: "Event 5061 S, F: Cryptographic operation."
href: event-5061.md
- name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid."
href: event-6281.md
- name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process."
href: event-6410.md
- name: Other Events
href: other-events.md
items:
- name: "Event 1100 S: The event logging service has shut down."
href: event-1100.md
- name: "Event 1102 S: The audit log was cleared."
href: event-1102.md
- name: "Event 1104 S: The security log is now full."
href: event-1104.md
- name: "Event 1105 S: Event log automatic backup."
href: event-1105.md
- name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1."
href: event-1108.md
- name: "Appendix A: Security monitoring recommendations for many audit events"
href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md
- name: Registry (Global Object Access Auditing)
href: registry-global-object-access-auditing.md
- name: File System (Global Object Access Auditing)
href: file-system-global-object-access-auditing.md
- name: Windows security
href: /windows/security/

174
windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
View File

@ -1,174 +0,0 @@
---
title: Advanced security audit policy settings
description: This reference for IT professionals provides information about the advanced audit policy settings that are available in Windows and the audit events that they generate.
ms.assetid: 93b28b92-796f-4036-a53b-8b9e80f9f171
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/06/2021
---
# Advanced security audit policy settings (Windows 10)
This reference for IT professionals provides information about:
- The advanced audit policy settings available in Windows
- The audit events that these settings generate.
The security audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** can help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:
- A group administrator has modified settings or data on servers that contain finance information.
- An employee within a defined group has accessed an important file.
- The correct system access control list (SACL) - as a verifiable safeguard against undetected access - is applied to either of the following:
- every file and folder
- registry key on a computer
- file share.
You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.
These advanced audit policy settings allow you to select only the behaviors that you want to monitor. You can exclude audit results for the following types of behaviors:
- That are of little or no concern to you
- That create an excessive number of log entries.
In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity.
Audit policy settings under **Security Settings\\Advanced Audit Policy Configuration** are available in the following categories:
## Account Logon
Configuring policy settings in this category can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, Account Logon settings and events focus on the account database that is used. This category includes the following subcategories:
- [Audit Credential Validation](audit-credential-validation.md)
- [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
- [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
- [Audit Other Account Logon Events](audit-other-account-logon-events.md)
## Account Management
The security audit policy settings in this category can be used to monitor changes to user and computer accounts and groups. This category includes the following subcategories:
- [Audit Application Group Management](audit-application-group-management.md)
- [Audit Computer Account Management](audit-computer-account-management.md)
- [Audit Distribution Group Management](audit-distribution-group-management.md)
- [Audit Other Account Management Events](audit-other-account-management-events.md)
- [Audit Security Group Management](audit-security-group-management.md)
- [Audit User Account Management](audit-user-account-management.md)
## Detailed Tracking
Detailed Tracking security policy settings and audit events can be used for the following purposes:
- To monitor the activities of individual applications and users on that computer
- To understand how a computer is being used.
This category includes the following subcategories:
- [Audit DPAPI Activity](audit-dpapi-activity.md)
- [Audit PNP activity](audit-pnp-activity.md)
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
- [Audit Token Right Adjusted](audit-token-right-adjusted.md)
## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
- [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
- [Audit Directory Service Access](audit-directory-service-access.md)
- [Audit Directory Service Changes](audit-directory-service-changes.md)
- [Audit Directory Service Replication](audit-directory-service-replication.md)
## Logon/Logoff
Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:
- [Audit Account Lockout](audit-account-lockout.md)
- [Audit User/Device Claims](audit-user-device-claims.md)
- [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
- [Audit Group Membership](audit-group-membership.md)
- [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
- [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
- [Audit Logoff](audit-logoff.md)
- [Audit Logon](audit-logon.md)
- [Audit Network Policy Server](audit-network-policy-server.md)
- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
- [Audit Special Logon](audit-special-logon.md)
## Object Access
Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations; the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
This category includes the following subcategories:
- [Audit Application Generated](audit-application-generated.md)
- [Audit Certification Services](audit-certification-services.md)
- [Audit Detailed File Share](audit-detailed-file-share.md)
- [Audit File Share](audit-file-share.md)
- [Audit File System](audit-file-system.md)
- [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
- [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
- [Audit Handle Manipulation](audit-handle-manipulation.md)
- [Audit Kernel Object](audit-kernel-object.md)
- [Audit Other Object Access Events](audit-other-object-access-events.md)
- [Audit Registry](audit-registry.md)
- [Audit Removable Storage](audit-removable-storage.md)
- [Audit SAM](audit-sam.md)
- [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
## Policy Change
Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, tracking changes (or its attempts) to these policies is an important aspect of security management for a network. This category includes the following subcategories:
- [Audit Audit Policy Change](audit-audit-policy-change.md)
- [Audit Authentication Policy Change](audit-authentication-policy-change.md)
- [Audit Authorization Policy Change](audit-authorization-policy-change.md)
- [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
- [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
- [Audit Other Policy Change Events](audit-other-policy-change-events.md)
## Privilege Use
Permissions on a network are granted for users or computers to complete defined tasks. Privilege Use security policy settings and audit events allow you to track the use of certain permissions on one or more systems. This category includes the following subcategories:
- [Audit Non-Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
- [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
- [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
## System
System security policy settings and audit events allow you to track the following types of system-level changes to a computer:
- Not included in other categories
- Have potential security implications.
This category includes the following subcategories:
- [Audit IPsec Driver](audit-ipsec-driver.md)
- [Audit Other System Events](audit-other-system-events.md)
- [Audit Security State Change](audit-security-state-change.md)
- [Audit Security System Extension](audit-security-system-extension.md)
- [Audit System Integrity](audit-system-integrity.md)
## Global Object Access Auditing
Global Object Access Auditing policy settings allow administrators to define computer system access control lists (SACLs) per object type for the file system or for the registry. The specified SACL is then automatically applied to every object of that type.
Auditors can prove that every resource in the system is protected by an audit policy. They can do this task by viewing the contents of the Global Object Access Auditing policy settings. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.
Resource SACLs are also useful for diagnostic scenarios. For example, administrators quickly identify which object in a system is denying a user access by:
- Setting the Global Object Access Auditing policy to log all the activities for a specific user
- Enabling the policy to track "Access denied" events for the file system or registry can help
> [!NOTE]
> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy.
This category includes the following subcategories:
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
## Related topics
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)

175
windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml
View File

@ -1,175 +0,0 @@
### YamlMime:FAQ
metadata:
title: Advanced security auditing FAQ
description: This article lists common questions and answers about understanding, deploying, and managing security audit policies.
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.topic: faq
ms.date: 05/24/2022
title: Advanced security auditing FAQ
summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
sections:
- name: Ignored
questions:
- question: |
What is Windows security auditing and why might I want to use it?
answer: |
Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, security auditing is the features and services for an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
- question: |
What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?
answer: |
The basic security audit policy settings in **Security Settings\\Local Policies\\Audit Policy** and the advanced security audit policy settings in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** appear to overlap, but they're recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you're editing the effective audit policy. Changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
There are several other differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under **Security Settings\\Local Policies\\Audit Policy** and settings under **Advanced Audit Policy Configuration**. The settings available in **Security Settings\\Advanced Audit Policy
Configuration** address similar issues as the nine basic settings in **Local Policies\\Audit Policy**, but they allow administrators to be more selective in the number and types of events to audit. For example, the basic audit policy provides a single setting for account sign-in, and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking.
In addition, if you enable success auditing for the basic **Audit account logon events** setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.
The nine basic settings under **Security Settings\\Local Policies\\Audit Policy** and the advanced audit policy settings are available in all supported versions of Windows.
- question: |
What is the interaction between basic audit policy settings and advanced audit policy settings?
answer: |
Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using group policy. When advanced audit policy settings are applied by using group policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using group policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.
Editing and applying the advanced audit policy settings in Local Security Policy modifies the local group policy object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in Auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because the basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain group policy settings are reflected as soon as the new policy is applied.
> [!Important]
> Whether you apply advanced audit policies by using group policy or by using logon scripts, don't use both the basic audit policy settings under **Local Policies\\Audit Policy** and the advanced settings under **Security Settings\\Advanced Audit Policy Configuration**. Using both advanced and basic audit policy settings can cause unexpected results in audit reporting.
If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the **Audit: Force audit policy subcategory settings to override audit policy category settings** policy setting under **Local Policies\\Security Options**. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored.
- question: |
How are audit settings merged by group policy?
answer: |
By default, policy options that are set in GPOs and linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a lower level.
For example, you might use a domain GPO to assign an organization-wide group of audit settings, but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply group policy loopback processing.
The rules that govern how group policy settings are applied propagate to the subcategory level of audit policy settings. This coverage means that audit policy settings configured in different GPOs will be merged if no policy settings configured at a lower level exist. The following table illustrates this behavior.
| Auditing subcategory | Setting configured in an OU GPO (higher priority) | Setting configured in a domain GPO (lower priority) | Resulting policy for the target computer |
| - | - | - | -|
| Detailed File Share Auditing | Success | Failure | Success |
| Process Creation Auditing | Disabled | Success | Disabled |
| Logon Auditing | Failure | Success | Failure |
- question: |
What is the difference between an object DACL and an object SACL?
answer: |
All objects in Active Directory Domain Services (AD DS), and all securable objects on a local computer or on the network, have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object's security descriptor can contain two types of ACLs:
- A discretionary access control list (DACL) that identifies the users and groups who are allowed or denied access
- A system access control list (SACL) that controls how access is audited
The access control model that is used in Windows is administered at the object level by setting different levels of access, or permissions, to objects. If permissions are configured for an object, its security descriptor contains a DACL with security identifiers (SIDs) for the users and groups that are allowed or denied access.
If auditing is configured for the object, its security descriptor also contains a SACL that controls how the security subsystem audits attempts to access the object. However, auditing isn't configured entirely unless a SACL has been configured for an object and a corresponding **Object Access** audit policy setting has been configured and applied.
- question: |
Why are audit policies applied on a per-computer basis rather than per user?
answer: |
In security auditing in Windows, the computer, objects on the computer, and related resources are the primary recipients of actions by clients including applications, other computers, and users. In a security breach, malicious users can use alternate credentials to hide their identity, or malicious applications can impersonate legitimate users to perform undesired tasks. Therefore, the most consistent way to apply an audit policy is to focus on the computer and the objects and resources on that computer.
Audit policy capabilities can vary between computers running different versions of Windows. The best way to make sure that the audit policy is applied correctly is to base these settings on the computer instead of the user.
However, when you want audit settings to apply only to specified groups of users, you can accomplish this customization by configuring SACLs on the relevant objects to enable auditing for a security group that contains only the users you specify. For example, you can configure a SACL for a folder called Payroll Data on Accounting Server 1. This configuration results in an audit of attempts by members of the Payroll Processors OU to delete objects from this folder. The **Object Access\\Audit File System** audit policy setting applies to Accounting Server 1. Because it requires a corresponding resource SACL, only actions by members of the Payroll Processors OU on the Payroll Data folder generates audit events.
- question: |
Are there any differences in auditing functionality between versions of Windows?
answer: |
No. Basic and advanced audit policy settings are available in all supported versions of Windows. They can be configured and applied by local or domain group policy settings.
- question: |
What is the difference between success and failure events? Is something wrong if I get a failure audit?
answer: |
A success audit event is triggered when a defined action, such as accessing a file share, is completed successfully.
A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully.
The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit Logon events, a failure event may mean that a user mistyped the password.
- question: |
How can I set an audit policy that affects all objects on a computer?
answer: |
System administrators and auditors increasingly want to verify that an auditing policy is applied to all objects on a system. This requirement has been difficult to accomplish because the system access control lists (SACLs) that govern auditing are applied on a per-object basis. Thus, to verify that an audit policy has been applied to all objects, you would have to check every object to be sure that no changes have been made—even temporarily to a single SACL.
Security auditing allows administrators to define global object access auditing policies for the entire file system or for the registry on a computer. The specified SACL is then automatically applied to every object of that type. This application of SACL can be useful for verifying that all critical files, folders, and registry settings on a computer are protected. It's also useful to identify when an issue with a system resource occurs. If a file or folder SACL and a global object access auditing policy are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the global object access auditing policy. This behavior also applies to a single registry setting SACL and a global object access auditing policy. This resultant SACL from the combination means that an audit event is generated if an activity matches either the file or folder SACL or the global object access auditing policy.
- question: |
How do I figure out why someone was able to access a resource?
answer: |
Often it isn't enough to know simply that an object such as a file or folder was accessed. You may also want to know why the user was able to access this resource. You can obtain this forensic data by configuring the **Audit Handle Manipulation** setting with the **Audit File System** or with the **Audit Registry** audit setting.
- question: |
How do I know when changes are made to access control settings, by whom, and what the changes were?
answer: |
To track access control changes, you need to enable the following settings, which track changes to DACLs:
- **Audit File System** subcategory: Enable for success, failure, or success and failure
- **Audit Authorization Policy Change** setting: Enable for success, failure, or success and failure
- A SACL with **Write** and **Take ownership** permissions: Apply to the object that you want to monitor
- question: |
How can I roll back security audit policies from the advanced audit policy to the basic audit policy?
answer: |
Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to **Not configured**, you need to complete the following steps to restore the original basic security audit policy settings:
1. Set all Advanced Audit Policy subcategories to **Not configured**.
2. Delete all audit.csv files from the `%SYSVOL%` folder on the domain controller.
3. Reconfigure and apply the basic audit policy settings.
Unless you complete all of these steps, the basic audit policy settings won't be restored.
- question: |
How can I monitor if changes are made to audit policy settings?
answer: |
Changes to security audit policies are critical security events. You can use the **Audit Audit Policy Change** setting to determine if the operating system generates audit events when the following types of activities take place:
- Permissions and audit settings on the audit policy object are changed
- The system audit policy is changed
- Security event sources are registered or unregistered
- Per-user audit settings are changed
- The value of **CrashOnAuditFail** is modified
- Audit settings on a file or registry key are changed
- A Special Groups list is changed
- question: |
How can I minimize the number of events that are generated?
answer: |
Finding the right balance between auditing enough network and computer activity and auditing too little network and computer activity can be challenging. You can achieve this balance by identifying the most important resources, critical activities, and users or groups of users. Then design a security audit policy that targets these resources, activities, and users. Useful guidelines and recommendations for developing an effective security auditing strategy can be found in [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md).
- question: |
What are the best tools to model and manage audit policies?
answer: |
The integration of advanced audit policy settings with domain is designed to simplify the management and implementation of security audit policies in an organization's network. As such, tools used to plan and deploy group policy objects for a domain can also be used to plan and deploy security audit policies.
On an individual computer, the `Auditpol` command-line tool can be used to complete many important audit policy-related management tasks.
There are also other computer management products, such as the Audit Collection Services in System Center Operations Manager, which can be used to collect and filter event data. For more information, see [How to install an Audit Collection Services (ACS) collector and database](/system-center/scom/deploy-install-acs).
- question: |
Where can I find information about all the possible events that I might receive?
answer: |
Users who examine the security event log for the first time can be a bit overwhelmed. The number of audit events that are stored there can quickly number in the thousands. The structured information that's included for each audit event can also be confusing. For more information about these events, and the settings used to generate them, see the following resources:
- [Windows security audit events](https://www.microsoft.com/download/details.aspx?id=50034)
- [Windows 10 and Windows Server 2016 security auditing and monitoring reference](https://www.microsoft.com/download/details.aspx?id=52630)
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
- question: |
Where can I find more detailed information?
answer: |
To learn more about security audit policies, see the following resources:
- [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md)
- [Windows 8 and Windows Server 2012 security event details](https://www.microsoft.com/download/details.aspx?id=35753)
- [Security audit events for Windows 7 and Windows Server 2008 R2](https://www.microsoft.com/download/details.aspx?id=21561)

30
windows/security/threat-protection/auditing/advanced-security-auditing.md
View File

@ -1,30 +0,0 @@
---
title: Advanced security audit policies
description: Advanced security audit policy settings might appear to overlap with basic policies, but they're recorded and applied differently. Learn more about them here.
ms.assetid: 6FE8AC10-F48E-4BBF-979B-43A5DFDC5DFC
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.topic: reference
ms.date: 09/6/2021
---
# Advanced security audit policies
Advanced security audit policy settings are found in **Security Settings\\Advanced Audit Policy Configuration\\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently.
When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in, you're editing the effective audit policy, so changes made to basic audit policy settings appear exactly as configured in Auditpol.exe. In Windows 7 and later, advanced security audit policies can be controlled by using Group Policy.
## In this section
| Article | Description |
| - | - |
| [Planning and deploying advanced security audit policies](planning-and-deploying-advanced-security-audit-policies.md) | This article for IT professionals explains the options that security policy planners must consider, and the tasks that they must complete, to deploy an effective security audit policy in a network that includes advanced security audit policies |
| [Advanced security auditing FAQ](advanced-security-auditing-faq.yml) | This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies.
| [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md) | This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
| [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) | This reference for IT professionals provides information about the advanced audit policy settings in Windows and the audit events that they generate.

30
windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
View File

@ -1,30 +0,0 @@
---
title: Appendix A, Security monitoring recommendations for many audit events
description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: reference
---
# Appendix A: Security monitoring recommendations for many audit events
This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix.
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account allowlist**: You might have a specific allowlist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the allowlist of accounts. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |

71
windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
View File

@ -1,71 +0,0 @@
---
title: Apply a basic audit policy on a file or folder
description: Apply audit policies to individual files and folders on your computer by setting the permission type to record access attempts in the security log.
ms.assetid: 565E7249-5CD0-4B2E-B2C0-B3A0793A51E2
ms.reviewer:
ms.author: vinpa
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: low
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.collection:
- highpri
- tier3
ms.topic: reference
ms.date: 09/06/2021
---
# Apply a basic audit policy on a file or folder
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights.
**To apply or modify auditing policy settings for a local file or folder**
1. Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab.
2. Select **Advanced**.
3. In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**.
4. Do one of the following tasks:
- To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**.
- To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure.
- To view or change auditing for an existing group or user, select its name, and then select **Edit.**
5. In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes:
- To audit successful events, select **Success.**
- To audit failure events, select **Fail.**
- To audit all events, select **All.**
6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These objects include:
- **This folder only**
- **This folder, subfolders and files**
- **This folder and subfolders**
- **This folder and files**
- **Subfolders and files only**
- **Subfolders only**
- **Files only**
7. By default, the selected **Basic Permissions** to audit are the following:
- **Read and execute**
- **List folder contents**
- **Read**
- Additionally, with your selected audit combination, you can select any combination of the following permissions:
- **Full control**
- **Modify**
- **Write**
> [!IMPORTANT]
> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
 
## More considerations
- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
- Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
 
 

38
windows/security/threat-protection/auditing/audit-account-lockout.md
View File

@ -1,38 +0,0 @@
---
title: Audit Account Lockout
description: The policy setting, Audit Account Lockout, enables you to audit security events generated by a failed attempt to log on to an account that is locked out.
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Account Lockout
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
**Event volume**: Low.
This subcategory failure logon attempts, when account was already locked out.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
**Events List:**
- [4625](event-4625.md)(F): An account failed to log on.

37
windows/security/threat-protection/auditing/audit-application-generated.md
View File

@ -1,37 +0,0 @@
---
title: Audit Application Generated
description: The policy setting, Audit Application Generated, determines if audit events are generated when applications attempt to use the Windows Auditing APIs.
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Application Generated
Audit Application Generated generates events for actions related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)).
Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------|
| Domain Controller | IF | IF | IF | IF | IF if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
| Workstation | IF | IF | IF | IF | IF if you use [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) in your environment and you need to monitor events related to Authorization Manager [applications](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770563(v=ws.11)), enable this subcategory. |
**Events List:**
- 4665: An attempt was made to create an application client context.
- 4666: An application attempted an operation.
- 4667: An application client context was deleted.
- 4668: An application was initialized.

49
windows/security/threat-protection/auditing/audit-application-group-management.md
View File

@ -1,49 +0,0 @@
---
title: Audit Application Group Management
description: The policy setting, Audit Application Group Management, determines if audit events are generated when application group management tasks are performed.
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Application Group Management
Audit Application Group Management generates events for actions related to [application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)), such as group creation, modification, addition or removal of group member and some other actions.
[Application groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771579(v=ws.11)) are used by [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)).
Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc726036(v=ws.11)) is very rarely in use and it is deprecated starting from Windows Server 2012.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. |
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
- 4783(S): A basic application group was created.
- 4784(S): A basic application group was changed.
- 4785(S): A member was added to a basic application group.
- 4786(S): A member was removed from a basic application group.
- 4787(S): A non-member was added to a basic application group.
- 4788(S): A non-member was removed from a basic application group.
- 4789(S): A basic application group was deleted.
- 4790(S): An LDAP query group was created.
- 4791(S): An LDAP query group was changed.
- 4792(S): An LDAP query group was deleted.

80
windows/security/threat-protection/auditing/audit-audit-policy-change.md
View File

@ -1,80 +0,0 @@
---
title: Audit Audit Policy Change
description: The Advanced Security Audit policy setting, Audit Audit Policy Change, determines if audit events are generated when changes are made to audit policy.
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Audit Policy Change
Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Changes to audit policy that are audited include:
- Changing permissions and audit settings on the audit policy object (by using “auditpol /set /sd” command).
- Changing the system audit policy.
- Registering and unregistering security event sources.
- Changing per-user audit settings.
- Changing the value of CrashOnAuditFail.
- Changing audit settings on an object (for example, modifying the system access control list ([SACL](/windows/win32/secauthz/access-control-lists)) for a file or registry key).
> **Note**&nbsp;&nbsp;[SACL](/windows/win32/secauthz/access-control-lists) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
- Changing anything in the Special Groups list.
The following events will be enabled with Success auditing in this subcategory:
- [4902](event-4902.md)(S): The Per-user audit policy table was created.
- [4907](event-4907.md)(S): Auditing settings on object were changed.
- [4904](event-4904.md)(S): An attempt was made to register a security event source.
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
**Events List:**
- [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed.
- [4719](event-4719.md)(S): System audit policy was changed.
- [4817](event-4817.md)(S): Auditing settings on object were changed.
- [4902](event-4902.md)(S): The Per-user audit policy table was created.
- [4906](event-4906.md)(S): The CrashOnAuditFail value has changed.
- [4907](event-4907.md)(S): Auditing settings on object were changed.
- [4908](event-4908.md)(S): Special Groups Logon table modified.
- [4912](event-4912.md)(S): Per User Audit Policy was changed.
- [4904](event-4904.md)(S): An attempt was made to register a security event source.
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.

76
windows/security/threat-protection/auditing/audit-authentication-policy-change.md
View File

@ -1,76 +0,0 @@
---
title: Audit Authentication Policy Change
description: The Advanced Security Audit policy setting, Audit Authentication Policy Change, determines if audit events are generated when authentication policy is changed.
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Authentication Policy Change
Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy.
Changes made to authentication policy include:
- Creation, modification, and removal of forest and domain trusts.
- Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy.
- When any of the following user logon rights is granted to a user or group:
- Access this computer from the network
- Allow logon locally
- Allow logon through Remote Desktop
- Logon as a batch job
- Logon as a service
- Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4670](event-4670.md)(S): Permissions on an object were changed
- [4706](event-4706.md)(S): A new trust was created to a domain.
- [4707](event-4707.md)(S): A trust to a domain was removed.
- [4716](event-4716.md)(S): Trusted domain information was modified.
- [4713](event-4713.md)(S): Kerberos policy was changed.
- [4717](event-4717.md)(S): System security access was granted to an account.
- [4718](event-4718.md)(S): System security access was removed from an account.
- [4739](event-4739.md)(S): Domain Policy was changed.
- [4864](event-4864.md)(S): A namespace collision was detected.
- [4865](event-4865.md)(S): A trusted forest information entry was added.
- [4866](event-4866.md)(S): A trusted forest information entry was removed.
- [4867](event-4867.md)(S): A trusted forest information entry was modified.

42
windows/security/threat-protection/auditing/audit-authorization-policy-change.md
View File

@ -1,42 +0,0 @@
---
title: Audit Authorization Policy Change
description: The policy setting, Audit Authorization Policy Change, determines if audit events are generated when specific changes are made to the authorization policy.
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Authorization Policy Change
Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.
**Event volume**: Medium to High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is Microsoft Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4703](event-4703.md)(S): A user right was adjusted.
- [4704](event-4704.md)(S): A user right was assigned.
- [4705](event-4705.md)(S): A user right was removed.
- [4670](event-4670.md)(S): Permissions on an object were changed.
- [4911](event-4911.md)(S): Resource attributes of the object were changed.
- [4913](event-4913.md)(S): Central Access Policy on the object was changed.

39
windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
View File

@ -1,39 +0,0 @@
---
title: Audit Central Access Policy Staging
description: The Advanced Security Audit policy setting, Audit Central Access Policy Staging, determines permissions on a Central Access Policy.
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Central Access Policy Staging
Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object.
If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows:
- Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access.
- Failure audits, when configured, record access attempts when:
- The current central access policy does not grant access, but the proposed policy grants access.
- A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](/windows-server/identity/solution-guides/scenario--central-access-policy).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.

117
windows/security/threat-protection/auditing/audit-certification-services.md
View File

@ -1,117 +0,0 @@
---
title: Audit Certification Services
description: The policy setting, Audit Certification Services, decides if events are generated when Active Directory Certificate Services (ADA CS) operations are performed.
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Certification Services
Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
- AD CS starts, shuts down, is backed up, or is restored.
- Certificate revocation list (CRL)-related tasks are performed.
- Certificates are requested, issued, or revoked.
- Certificate manager settings for AD CS are changed.
- The configuration and properties of the certification authority (CA) are changed.
- AD CS templates are modified.
- Certificates are imported.
- A CA certificate is published to Active Directory Domain Services.
- Security permissions for AD CS role services are modified.
- Keys are archived, imported, or retrieved.
- The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
**Event volume: Low to medium on servers that provide AD CS role services.**
Role-specific subcategories are outside the scope of this document.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Workstation | No | No | No | No | [Active Directory Certificate Services](/windows/deployment/deploy-whats-new) (AD CS) role cannot be installed on client OS. |
- 4868: The certificate manager denied a pending certificate request.
- 4869: Certificate Services received a resubmitted certificate request.
- 4870: Certificate Services revoked a certificate.
- 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
- 4872: Certificate Services published the certificate revocation list (CRL).
- 4873: A certificate request extension changed.
- 4874: One or more certificate request attributes changed.
- 4875: Certificate Services received a request to shut down.
- 4876: Certificate Services backup started.
- 4877: Certificate Services backup completed.
- 4878: Certificate Services restore started.
- 4879: Certificate Services restore completed.
- 4880: Certificate Services started.
- 4881: Certificate Services stopped.
- 4882: The security permissions for Certificate Services changed.
- 4883: Certificate Services retrieved an archived key.
- 4884: Certificate Services imported a certificate into its database.
- 4885: The audit filter for Certificate Services changed.
- 4886: Certificate Services received a certificate request.
- 4887: Certificate Services approved a certificate request and issued a certificate.
- 4888: Certificate Services denied a certificate request.
- 4889: Certificate Services set the status of a certificate request to pending.
- 4890: The certificate manager settings for Certificate Services changed.
- 4891: A configuration entry changed in Certificate Services.
- 4892: A property of Certificate Services changed.
- 4893: Certificate Services archived a key.
- 4894: Certificate Services imported and archived a key.
- 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
- 4896: One or more rows have been deleted from the certificate database.
- 4897: Role separation enabled.
- 4898: Certificate Services loaded a template.

41
windows/security/threat-protection/auditing/audit-computer-account-management.md
View File

@ -1,41 +0,0 @@
---
title: Audit Computer Account Management
description: The policy setting, Audit Computer Account Management, determines if audit events are generated when a computer account is created, changed, or deleted.
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Computer Account Management
Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a domain.
**Event volume**: Low on domain controllers.
This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.<br>Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4741](event-4741.md)(S): A computer account was created.
- [4742](event-4742.md)(S): A computer account was changed.
- [4743](event-4743.md)(S): A computer account was deleted.

53
windows/security/threat-protection/auditing/audit-credential-validation.md
View File

@ -1,53 +0,0 @@
---
title: Audit Credential Validation
description: The policy setting, Audit Credential Validation, determines if audit events are generated when user account logon request credentials are submitted.
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.pagetype: security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: low
author: vinaypamnani-msft
ms.date: 09/06/2021
ms.topic: reference
---
# Audit Credential Validation
Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
- For domain accounts, the domain controller is authoritative.
- For local accounts, the local computer is authoritative.
**Event volume**:
- High on domain controllers.
- Low on member servers and workstations.
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication. <br>IF We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.<br>We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. |
| Member Server | Yes | Yes | Yes | Yes | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
| Workstation | Yes | Yes | Yes | Yes | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
**Events List:**
- [4774](event-4774.md)(S, F): An account was mapped for logon.
- [4775](event-4775.md)(F): An account could not be mapped for logon.
- [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account.
- [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account.

Some files were not shown because too many files have changed in this diff Show More