- -
-
- **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
-
-2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.- -
-
- **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.- -
-
- **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
-
-Now the device is Azure AD–joined to the company’s subscription.
-
-**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
-
->[!IMPORTANT]
->Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
-
-1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.- -
-
- **Figure 5. Connect to work or school configuration in Settings**
-
-2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.- -
-
- **Figure 6. Set up a work or school account**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.- -
-
- **Figure 7. The “Let’s get you signed in” dialog box**
-
-Now the device is Azure AD–joined to the company's subscription.
-
-### Step 2: Pro edition activation
-
-> [!IMPORTANT]
-> If your device is running Windows 10, version 1803 or later, this step isn't needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
-> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
-
--
-Figure 7a - Windows 10 Pro activation in Settings - -Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - -### Step 3: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the users will sign in by using their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. - -
-
-**Figure 8. Sign in by using Azure AD account**
-
-### Step 4: Verify that Enterprise edition is enabled
-
-You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
-
--
-
-**Figure 9 - Windows 10 Enterprise subscription in Settings**
-
-If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-
-> [!NOTE]
-> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
-> Name: Windows(R), Professional edition
-> Description: Windows(R) Operating System, RETAIL channel
-> Partial Product Key: 3V66T
+- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations.
## Virtual Desktop Access (VDA)
-Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
-
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
-
-## Troubleshoot the user experience
-
-In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
-
-- The existing Windows 10 Pro, version 1703 or 1709 operating system isn't activated. This problem doesn't apply to Windows 10, version 1803 or later.
-- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
-
-Use the following figures to help you troubleshoot when users experience these common problems:
-
-- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
-
-- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
-
- -
- Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings - -- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. - -
-
- Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings - -- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed. - -
-
- Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory-joined:** - -1. Open a command prompt and type **dsregcmd /status**. -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined. - -**To determine the version of Windows 10:** - -At a command prompt, type: **winver** - -A popup window will display the Windows 10 version number and detailed OS build information. - -If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. - -### Delay in the activation of Enterprise License of Windows 10 - -This delay is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). +Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md). diff --git a/windows/deployment/images/before.png b/windows/deployment/images/before.png deleted file mode 100644 index 1a50878670..0000000000 Binary files a/windows/deployment/images/before.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa1.png b/windows/deployment/images/sa-mfa1.png deleted file mode 100644 index 045e5a7794..0000000000 Binary files a/windows/deployment/images/sa-mfa1.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa2.png b/windows/deployment/images/sa-mfa2.png deleted file mode 100644 index 1964a7b263..0000000000 Binary files a/windows/deployment/images/sa-mfa2.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa3.png b/windows/deployment/images/sa-mfa3.png deleted file mode 100644 index 8987eac97b..0000000000 Binary files a/windows/deployment/images/sa-mfa3.png and /dev/null differ diff --git a/windows/deployment/images/sa-pro-activation.png b/windows/deployment/images/sa-pro-activation.png deleted file mode 100644 index 4066c45dad..0000000000 Binary files a/windows/deployment/images/sa-pro-activation.png and /dev/null differ diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 5da61c2f9a..a7dbbcc6f0 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -95,7 +95,7 @@ landingContent: url: /microsoftteams/faq-support-remote-workforce # Card (optional) - - title: Microsoft Learn + - title: Microsoft Learn training linkLists: - linkListType: learn links: diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index cbcb7c8acb..a865459e80 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md @@ -106,11 +106,12 @@ A list of all status updates posted in the selected timeframe will be displayed, - **Where do I find Windows release health?** After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**. -- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?** - No. While the content is similar, you may see more issues and technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis. + +- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Microsoft Learn?** + No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you’ll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis. - **How often will content be updated?** - To ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have more details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment. + In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Microsoft Learn and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment. - **Can I share this content publicly or with other Windows customers?** Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly. diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index ef6be01503..bc3f4c1e0e 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -2,9 +2,9 @@ title: Deploy Windows client updates with Configuration Manager description: Deploy Windows client updates with Configuration Manager ms.prod: w10 -author: aczechowski +author: mestew ms.localizationpriority: medium -ms.author: aaroncz +ms.author: mstewart ms.reviewer: manager: dougeby ms.topic: article diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index c301863138..bc6e8a327e 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -1,11 +1,11 @@ --- title: Manually configuring devices for Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: Manually configuring devices for Update Compliance ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 6db9d2bb84..31cc1b5b80 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -1,11 +1,11 @@ --- title: Configuring Microsoft Endpoint Manager devices for Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article @@ -21,62 +21,64 @@ ms.topic: article This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. -2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. -3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). +1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). + +> [!TIP] +> If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured. ## Create a configuration profile Take the following steps to create a configuration profile that will set required policies for Update Compliance: 1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. -2. On the **Configuration profiles** view, select **Create a profile**. -3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". -4. For **Template name**, select **Custom**, and then press **Create**. -5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. -6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). +1. On the **Configuration profiles** view, select **Create a profile**. +1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". +1. For **Template name**, select **Custom**, and then press **Create**. +1. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid). - 2. Add a setting for **Commercial ID** with the following values: + 1. Add a setting for **Commercial ID** with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* - 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: + 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` - **Data type**: Integer - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). - 3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance: + 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance: - **Name**: Disable Telemetry opt-in interface - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` - **Data type**: Integer - **Value**: 1 - 4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: + 1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: - **Name**: Allow device name in Diagnostic Data - **Description**: Allows device name in Diagnostic Data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - **Data type**: Integer - **Value**: 1 - 5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: + 1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: - **Name**: Allow Update Compliance Processing - **Description**: Opts device data into Update Compliance processing. Required to see data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` - **Data type**: Integer - **Value**: 16 - 6. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: + 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: - **Name**: Allow commercial data pipeline - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` - **Data type**: Integer - **Value**: 1 -7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -8. Review and select **Create**. +1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +1. Review and select **Create**. ## Deploy the configuration script -The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 15c207cf56..dfc1c5cae2 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -1,7 +1,7 @@ --- title: Update Compliance Configuration Script ms.reviewer: -manager: dougeby +manager: aczechowski description: Downloading and using the Update Compliance Configuration Script ms.prod: w10 author: mestew diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 97771928db..34024f43cb 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -1,11 +1,11 @@ --- title: Delivery Optimization in Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article @@ -46,7 +46,7 @@ The table breaks down the number of bytes from each download source into specifi The download sources that could be included are: - LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used) -- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an Configuration Manager Distribution Point for Express Updates. +- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or a Configuration Manager Distribution Point for Express Updates. [!INCLUDE [Monitor Delivery Optimization](../do/includes/waas-delivery-optimization-monitor.md)] diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index aef454e5ea..17b63d9e79 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -1,11 +1,11 @@ --- title: Update Compliance - Feature Update Status report ms.reviewer: -manager: dougeby +manager: aczechowski description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 3449a9e3ff..23d4fb68e8 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -1,10 +1,10 @@ --- title: Get started with Update Compliance -manager: dougeby +manager: aczechowski description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: - M365-analytics diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 14be646f48..0ed598274c 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -1,11 +1,11 @@ --- title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index a72b0bd9e9..680cfffa35 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -1,9 +1,9 @@ --- title: Update Compliance - Need Attention! report -manager: dougeby +manager: aczechowski description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article ms.prod: w10 diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index 25616519e4..08423ff755 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md @@ -1,11 +1,11 @@ --- title: Privacy in Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: an overview of the Feature Update Status report ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- diff --git a/windows/deployment/update/update-compliance-safeguard-holds.md b/windows/deployment/update/update-compliance-safeguard-holds.md index c745e589a3..f45cd6f50d 100644 --- a/windows/deployment/update/update-compliance-safeguard-holds.md +++ b/windows/deployment/update/update-compliance-safeguard-holds.md @@ -1,11 +1,11 @@ --- title: Update Compliance - Safeguard Holds report ms.reviewer: -manager: dougeby +manager: aczechowski description: Learn how the Safeguard Holds report provides information about safeguard holds in your population. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md index 80aca45d8a..2dc69aadd8 100644 --- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md @@ -1,11 +1,11 @@ --- title: Update Compliance Schema - WaaSDeploymentStatus ms.reviewer: -manager: dougeby +manager: aczechowski description: WaaSDeploymentStatus schema ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md index a3029d3af7..30667a459e 100644 --- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md @@ -1,11 +1,11 @@ --- title: Update Compliance Schema - WaaSInsiderStatus ms.reviewer: -manager: dougeby +manager: aczechowski description: WaaSInsiderStatus schema ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md index 7691648ab9..b1cb215ae1 100644 --- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md +++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md @@ -1,11 +1,11 @@ --- title: Update Compliance Schema - WaaSUpdateStatus ms.reviewer: -manager: dougeby +manager: aczechowski description: WaaSUpdateStatus schema ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md index 585d9bb1a9..c38fe10c37 100644 --- a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md +++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md @@ -1,11 +1,11 @@ --- title: Update Compliance Schema - WUDOAggregatedStatus ms.reviewer: -manager: dougeby +manager: aczechowski description: WUDOAggregatedStatus schema ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md index a954e3329c..7635fd97e7 100644 --- a/windows/deployment/update/update-compliance-schema-wudostatus.md +++ b/windows/deployment/update/update-compliance-schema-wudostatus.md @@ -1,11 +1,11 @@ --- title: Update Compliance Schema - WUDOStatus ms.reviewer: -manager: dougeby +manager: aczechowski description: WUDOStatus schema ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md index 872530b839..3f5325e847 100644 --- a/windows/deployment/update/update-compliance-schema.md +++ b/windows/deployment/update/update-compliance-schema.md @@ -1,11 +1,11 @@ --- title: Update Compliance Data Schema ms.reviewer: -manager: dougeby +manager: aczechowski description: an overview of Update Compliance data schema ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- @@ -21,7 +21,7 @@ The table below summarizes the different tables that are part of the Update Comp |Table |Category |Description | |--|--|--| -|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. | +|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots maps to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. | |[**WaaSInsiderStatus**](update-compliance-schema-waasinsiderstatus.md) |Device record |This table houses device-centric data specifically for devices enrolled to the Windows Insider Program. Devices enrolled to the Windows Insider Program do not currently have any WaaSDeploymentStatus records, so do not have Update Session data to report on update deployment progress. | |[**WaaSDeploymentStatus**](update-compliance-schema-waasdeploymentstatus.md) |Update Session record |This table tracks a specific update on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. | |[**WUDOStatus**](update-compliance-schema-wudostatus.md) |Delivery Optimization record |This table provides information, for a single device, on their bandwidth utilization across content types in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq). | diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 9bec83ea8e..3fcd47f35f 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -1,11 +1,11 @@ --- title: Update Compliance - Security Update Status report ms.reviewer: -manager: dougeby +manager: aczechowski description: Learn how the Security Update Status section provides information about security updates across all devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 1181984ab9..717bfa6599 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -1,11 +1,11 @@ --- title: Using Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: Learn how to use Update Compliance to monitor your device's Windows updates. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article diff --git a/windows/deployment/update/update-compliance-v2-configuration-mem.md b/windows/deployment/update/update-compliance-v2-configuration-mem.md index 765128a9dc..2589190da8 100644 --- a/windows/deployment/update/update-compliance-v2-configuration-mem.md +++ b/windows/deployment/update/update-compliance-v2-configuration-mem.md @@ -24,8 +24,10 @@ ms.date: 08/24/2022 This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll. The configuration profile contains settings for all the Mobile Device Management (MDM) policies that must be configured. -2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. -3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md). +1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md). + +> [!TIP] +> If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured. ## Create a configuration profile @@ -105,7 +107,7 @@ Create a configuration profile that will set the required policies for Update Co ## Deploy the configuration script -The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). +The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in deployment mode as a Win32 app to all Update Compliance devices. diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md index e1fccf14ec..cbdbab10e9 100644 --- a/windows/deployment/update/update-compliance-v2-help.md +++ b/windows/deployment/update/update-compliance-v2-help.md @@ -64,9 +64,9 @@ You can open support requests directly from the Azure portal. If the **Help + S Select the **Feedback** link in the upper right of any article to go to the Feedback section at the bottom. Feedback is integrated with GitHub Issues. For more information about this integration with GitHub Issues, see the [docs platform blog post](/teamblog/a-new-feedback-system-is-coming-to-docs). -:::image type="content" source="media/docs-feedback.png" alt-text="Screenshot of the feedback section on a docs article."::: +:::image type="content" source="media/docs-feedback.png" alt-text="Screenshot of the feedback section of a Microsoft Learn page."::: -To share docs feedback about the current article, select **This page**. A [GitHub account](https://github.com/join) is a prerequisite for providing documentation feedback. Once you sign in, there's a one-time authorization for the MicrosoftDocs organization. It then opens the GitHub new issue form. Add a descriptive title and detailed feedback in the body, but don't modify the document details section. Then select **Submit new issue** to file a new issue for the target article in the [Windows-ITPro-docs GitHub repository](https://github.com/MicrosoftDocs/windows-itpro-docs/issues). +To share feedback about the current article, select **This page**. A [GitHub account](https://github.com/join) is a prerequisite for providing documentation feedback. Once you sign in, there's a one-time authorization for the MicrosoftDocs organization. It then opens the GitHub new issue form. Add a descriptive title and detailed feedback in the body, but don't modify the document details section. Then select **Submit new issue** to file a new issue for the target article in the [Windows-ITPro-docs GitHub repository](https://github.com/MicrosoftDocs/windows-itpro-docs/issues). To see whether there's already feedback for this article, select **View all page feedback**. This action opens a GitHub issue query for this article. By default it displays both open and closed issues. Review any existing feedback before you submit a new issue. If you find a related issue, select the face icon to add a reaction, add a comment to the thread, or **Subscribe** to receive notifications. @@ -86,7 +86,7 @@ If you create an issue for something not related to documentation, Microsoft wil - [Product questions (using Microsoft Q&A)](/answers/products/) - [Support requests](#open-a-microsoft-support-case) for Update Compliance -To share feedback about the Microsoft Docs platform, see [Microsoft Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. +To share feedback about the Microsoft Learn platform, see [Microsoft Learn feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. ## Troubleshooting tips diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md index a43f01d033..46d0719b49 100644 --- a/windows/deployment/update/waas-restart.md +++ b/windows/deployment/update/waas-restart.md @@ -10,6 +10,7 @@ ms.topic: article ms.custom: - seo-marvel-apr2020 ms.collection: highpri +date: 09/22/2022 --- # Manage device restarts after updates @@ -18,11 +19,11 @@ ms.collection: highpri **Applies to** - Windows 10 - +- Windows 11 > **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) -You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. +You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both. ## Schedule update installation @@ -100,15 +101,27 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan ## Limit restart delays -After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14. +After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14. ## Control restart notifications -In Windows 10, version 1703, we have added settings to control restart notifications for users. +### Display options for update notifications + +Starting in Windows 10 version 1809, you can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed. You can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values: + +**0** (default) - Use the default Windows Update notifications +**1** - Turn off all notifications, excluding restart warnings +**2** - Turn off all notifications, including restart warnings + +To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel). + +Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. + +To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours). ### Auto-restart notifications -Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. +Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703. To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it. @@ -198,10 +211,10 @@ There are three different registry combinations for controlling restart behavior ## Related articles -- [Update Windows 10 in the enterprise](index.md) +- [Update Windows in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) -- [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md) -- [Configure BranchCache for Windows 10 updates](waas-branchcache.md) +- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md) +- [Configure BranchCache for Windows updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) - [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md) - [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md) diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 4604ac1c8e..cfe3f8800a 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -3,12 +3,12 @@ title: Manage additional Windows Update settings description: In this article, learn about additional settings to control the behavior of Windows Update. ms.prod: w10 ms.localizationpriority: medium -author: aczechowski -ms.author: aaroncz -manager: dougeby +author: mestew +ms.author: mstewart +manager: aaroncz ms.topic: article -ms.custom: seo-marvel-apr2020 ms.collection: highpri +date: 09/22/2022 --- # Manage additional Windows Update settings @@ -36,6 +36,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure | [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All | | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 | | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All | +| | [Windows Update notifications display organization name](#bkmk_display-name) *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered | >[!IMPORTANT] >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**. @@ -230,7 +231,7 @@ To do this, follow these steps: > [!NOTE] > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions. -To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance. +To use Automatic Updates with a server that is running Windows Software Update Services (WSUS), see the [Deploying Microsoft Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services) guidance. When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again. @@ -246,3 +247,32 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ * WUStatusServer (REG_SZ) This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS). + +## Display organization name in Windows Update notifications + +When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11. + +The organization name appears automatically for Windows 11 clients that are associated with Azure AD in any of the following ways: +- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) +- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) +- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) + +To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry: + + - **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations` + - **DWORD value name**: UsoDisableAADJAttribution + - **Value data:** 1 + +The following PowerShell script is provided as an example to you: +```powershell +$registryPath = "HKLM:\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations" +$Name = "UsoDisableAADJAttribution" +$value = "1" + +if (!(Test-Path $registryPath)) +{ + New-Item -Path $registryPath -Force | Out-Null +} + +New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null +``` diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index 1aa46d22c9..e5027dfc14 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -178,12 +178,14 @@ There are additional settings that affect the notifications. We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values: -**0** (default) – Use the default Windows Update notifications -**1** – Turn off all notifications, excluding restart warnings -**2** – Turn off all notifications, including restart warnings +**0** (default) - Use the default Windows Update notifications +**1** - Turn off all notifications, excluding restart warnings +**2** - Turn off all notifications, including restart warnings -> [!NOTE] -> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled. +Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled. + +> [!NOTE] +> Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. Still more options are available in **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart restart warning notifications schedule for updates**. This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update and to specify the period for auto-restart imminent warning notifications (15-60 minutes is the default). We recommend using the default notifications. diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 87590d77a7..187ec9c7c0 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -1,150 +1,165 @@ --- -title: Configure VDA for Windows 10/11 Subscription Activation +title: Configure VDA for Windows subscription activation +description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario. ms.reviewer: manager: dougeby ms.author: aaroncz author: aczechowski -description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario. ms.custom: seo-marvel-apr2020 -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium -ms.topic: article +ms.topic: how-to ms.collection: M365-modern-desktop +ms.date: 09/26/2022 --- -# Configure VDA for Windows 10/11 Subscription Activation +# Configure VDA for Windows subscription activation Applies to: + - Windows 10 - Windows 11 -This document describes how to configure virtual machines (VMs) to enable [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. +This document describes how to configure virtual machines (VMs) to enable [Windows subscription activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. Deployment instructions are provided for the following scenarios: + 1. [Active Directory-joined VMs](#active-directory-joined-vms) 2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms) 3. [Azure Gallery VMs](#azure-gallery-vms) ## Requirements -- VMs must be running Windows 10 Pro, version 1703 or later. Windows 11 is "later" in this context. -- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. -- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). - - For more information, see [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). +- VMs must be running a supported version of Windows Pro edition. +- VMs must be joined to Active Directory or Azure Active Directory (Azure AD). +- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). ## Activation ### Scenario 1 -- The VM is running Windows 10, version 1803 or later (ex: Windows 11). +- The VM is running a supported version of Windows. - The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). - When a user with VDA rights signs in to the VM using their Azure Active Directory credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10/11 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. + When a user with VDA rights signs in to the VM using their Azure AD credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. ### Scenario 2 -- The Hyper-V host and the VM are both running Windows 10, version 1803 or later. +- The Hyper-V host and the VM are both running a supported version of Windows. - [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10/11 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. + [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure AD account. ### Scenario 3 -- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) partner. +- The hoster isn't an authorized QMTH partner. - In this scenario, the underlying Windows 10/11 Pro license must be activated prior to Subscription Activation of Windows 10/11 Enterprise. Activation is accomplished using a Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). + In this scenario, the underlying Windows Pro license must be activated prior to using subscription activation Windows Enterprise. Activation is accomplished using a generic volume license key (GVLK) and a volume license KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). For examples of activation issues, see [Troubleshoot the user experience](./deploy-enterprise-licenses.md#troubleshoot-the-user-experience). ## Active Directory-joined VMs 1. Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image) -2. (Optional) To disable network level authentication, type the following at an elevated command prompt: +2. (Optional) To disable network level authentication, type the following command at an elevated command prompt: - ``` + ```cmd REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` 3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. -4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. -5. Click **Add**, type **Authenticated users**, and then click **OK** three times. -6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again. -7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 20. -8. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -9. Open Windows Configuration Designer and click **Provision desktop services**. -10. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. -11. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. -12. On the Set up network page, choose **Off**. -13. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. - - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). -14. On the Add applications page, add applications if desired. This step is optional. -15. On the Add certificates page, add certificates if desired. This step is optional. -16. On the Finish page, click **Create**. -17. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image. -18. Type the following at an elevated command prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested: +4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. +5. Select **Add**, type **Authenticated users**, and then select **OK** three times. +6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again. +7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8. + 1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). + 1. Open Windows Configuration Designer and select **Provision desktop services**. + 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. - ```cmd - Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" - ``` -19. Right-click the mounted image in file explorer and click **Eject**. -20. See instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. + > [!NOTE] + > You can use a different project name, but this name is also used with dism.exe in a later step. + + 1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. + 1. On the Set up network page, choose **Off**. + 1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + + > [!NOTE] + > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). + + 1. On the Add applications page, add applications if desired. This step is optional. + 1. On the Add certificates page, add certificates if desired. This step is optional. + 1. On the Finish page, select **Create**. + 1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image. + 1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested: + + ```cmd + Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" + ``` + + 1. Right-click the mounted image in file explorer and select **Eject**. + +8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image. ## Azure Active Directory-joined VMs ->[!IMPORTANT] ->Azure Active Directory (Azure AD) provisioning packages have a 180 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 180 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. +> [!IMPORTANT] +> Azure AD provisioning packages have a 180 day limit on bulk token usage. After 180 days, you'll need to update the provisioning package and re-inject it into the image. Existing virtual machines that are Azure AD-joined and deployed won't need to be recreated. -For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: -- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. -- In step 11, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. -- In step 15, sub-step 2, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). +For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: + +- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials. +- When entering the PackagePath, use the project name you previously entered. For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg** +- When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). ## Azure Gallery VMs -1. (Optional) To disable network level authentication, type the following at an elevated command prompt: +1. (Optional) To disable network level authentication, type the following command at an elevated command prompt: - ``` + ```cmd REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` -2. At an elevated command prompt, type **sysdm.cpl** and press ENTER. -3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. -4. Click **Add**, type **Authenticated users**, and then click **OK** three times. +2. At an elevated command prompt, type `sysdm.cpl` and press ENTER. +3. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. +4. Select **Add**, type **Authenticated users**, and then select **OK** three times. 5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -6. Open Windows Configuration Designer and click **Provision desktop services**. -7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. - 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. -8. Under **Name**, type **Desktop Bulk Enrollment**, click **Finish**, and then on the **Set up device** page enter a device name. +6. Open Windows Configuration Designer and select **Provision desktop services**. +7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. + 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. + 2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. +8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name. 9. On the Set up network page, choose **Off**. -10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. +10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. 11. On the Add applications page, add applications if desired. This step is optional. 12. On the Add certificates page, add certificates if desired. This step is optional. -13. On the Finish page, click **Create**. -14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system. +13. On the Finish page, select **Create**. +14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system. -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rdp-settings-for-azure). +> [!NOTE] +> When you try to access the VM using remote desktop, you'll need to [create a custom RDP settings file](#create-custom-rdp-settings-for-azure). ## Create custom RDP settings for Azure -To create custom RDP settings for Azure: - 1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. -2. Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it. +2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it. 3. Close the Remote Desktop Connection window and open Notepad. -4. Drag the RDP file into the Notepad window to edit it. +4. Open the RDP file in Notepad to edit it. 5. Enter or replace the line that specifies authentication level with the following two lines of text: ```text enablecredsspsupport:i:0 authentication level:i:2 ``` -6. **enablecredsspsupport** and **authentication level** should each appear only once in the file. -7. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. -## Related topics + The values `enablecredsspsupport` and `authentication level` should each appear only once in the file. -[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) -
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) +6. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. + +## Related articles + +[Windows subscription activation](windows-10-subscription-activation.md) + +[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) + +[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 67df3547c9..e59eefbb34 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,8 +1,8 @@ --- -title: Windows 10/11 Subscription Activation +title: Windows subscription activation description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions. -ms.custom: seo-marvel-apr2020 -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium author: aczechowski ms.author: aaroncz @@ -12,239 +12,201 @@ ms.collection: - highpri search.appverid: - MET150 -ms.topic: article +ms.topic: conceptual ms.date: 07/12/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- -# Windows 10/11 Subscription Activation +# Windows subscription activation -Applies to: -- Windows 10 -- Windows 11 +The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition. -Windows 10 Pro supports the Subscription Activation feature, enabling users to "step-up" from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they're subscribed to Windows 10/11 Enterprise E3 or E5. +If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). -With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. +The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and then rebooting client devices. -If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). +This article covers the following information: -The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. - -For more information, see the following articles: - -- [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise. -- [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education. -- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [Subscription activation](#subscription-activation-for-enterprise): An introduction to subscription activation for Windows Enterprise. +- [Subscription activation for Education](#subscription-activation-for-education): Information about subscription activation for Windows Education. +- [Inherited activation](#inherited-activation): Allow virtual machines to inherit activation state from their Windows client host. - [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model. +- [Requirements](#requirements): Prerequisites to use the Windows subscription activation model. - [Benefits](#benefits): Advantages of subscription-based licensing. - [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows 10 Subscription Activation for VMs in the cloud. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows subscription activation for VMs in the cloud. -For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). +For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). -## Subscription Activation for Windows 10/11 Enterprise +## Subscription activation for Enterprise -Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. +Windows Enterprise E3 and E5 are available as online services via subscription. You can deploy Windows Enterprise in your organization without keys and reboots. - If you're running Windows 10, version 1703 or later: +- Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise. +- Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions. -- Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. -- Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. - -Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). +Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure Active Directory (Azure AD) using [Azure AD Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis). > [!NOTE] -> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. You cannot use Subscription Activation to upgrade from Windows 10 to Windows 11. +> Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11. -## Subscription Activation for Education +## Subscription activation for Education -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. +Subscription activation for Education works the same as the Enterprise edition, but in order to use subscription activation for Education, you must have a device running Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section. -## Inherited Activation +## Inherited activation -Inherited Activation is a new feature available in Windows 10, version 1803 or later (Windows 11 is considered "later" here) that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. +Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses an Azure AD account on a VM. -When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (Azure AD) account on a VM. - -To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V. +To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V. ## The evolution of deployment +> [!TIP] > The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus). The following list illustrates how deploying Windows client has evolved with each release: -- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
-- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a "repair upgrade" because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
-- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
-- **Windows 10, version 1607** made a large leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
-- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
-- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It's no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
-- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. -- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated. +- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise. + +- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade. This process was considered a "repair upgrade", because the OS version was the same before and after. This upgrade was a lot easier than wipe-and-load, but it was still time-consuming. + +- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This process required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade. + +- **Windows 10, version 1607** made a large leap forward. You could just change the product key and the edition instantly changed from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can inject a key using slmgr.vbs, which injects the key into WMI. It became trivial to do this process using a command line. + +- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program. + +- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Azure AD for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Azure AD, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise. + +- **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled. + +- **Windows 10, version 1903** updated Windows 10 subscription activation to enable step up from Windows 10 Pro Education to Windows 10 Education for devices with a qualifying Windows 10 or Microsoft 365 subscription. + +- **Windows 11, version 21H2** updated subscription activation to work on both Windows 10 and Windows 11 devices. + + > [!IMPORTANT] + > Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated. ## Requirements -### Windows 10/11 Enterprise requirements +### Windows Enterprise requirements > [!NOTE] -> The following requirements do not apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > [!IMPORTANT] -> Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. +> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. Windows 11 is considered a "later" version in this context. -- Azure Active Directory (Azure AD) available for identity management. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. +- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded. +- Azure AD available for identity management. +- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. -For Microsoft customers that don't have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). +For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). -If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) +### Windows Education requirements -#### Multifactor authentication - -An issue has been identified with Hybrid Azure AD-joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device won't successfully upgrade to their Windows Enterprise subscription. - -To resolve this issue: - -If the device is running Windows 10, version 1809 or later: - -- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. - -- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there's a problem. Select the notification and then select **Fix now** to step through the subscription activation process. See the example below: - - 
- - 
- -  - -Organizations that use Azure Active Directory Conditional Access may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy to avoid this issue. - -> [!NOTE] -> The above recommendation also applies to Azure AD joined devices. - -### Windows 10/11 Education requirements - -- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. -- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. +- A supported version of Windows Pro Education installed on the devices to be upgraded. +- A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. +- The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription. +- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. > [!IMPORTANT] > If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. - ## Benefits -With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: +With Windows Enterprise or Education editions, your organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features. + +To compare Windows 10 editions and review pricing, see the following sites: - [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare) -- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing) You can benefit by moving to Windows as an online service in the following ways: -- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. +- Licenses for Windows Enterprise and Education are checked based on Azure AD credentials. You have a systematic way to assign licenses to end users and groups in your organization. - User sign-in triggers a silent edition upgrade, with no reboot required. -- Support for mobile worker/BYOD activation; transition away from on-premises KMS and MAK keys. +- Support for mobile worker and "bring your own device" (BYOD) activation. This support transitions away from on-premises KMS and MAK keys. - Compliance support via seat assignment. -- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. +- Licenses can be updated to different users dynamically, which allows you to optimize your licensing investment against changing needs. ## How it works > [!NOTE] -> The following Windows 10 examples and scenarios also apply to Windows 11. +> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions. -The device is Azure Active Directory-joined from **Settings > Accounts > Access work or school**. +The device is Azure AD-joined from **Settings > Accounts > Access work or school**. -The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. +You assign Windows 10 Enterprise to a user: - + -When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. - -Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. This benefit doesn't include Long Term Servicing Channel. - -The following figures summarize how the Subscription Activation model works: - -Before Windows 10, version 1903:
- - -After Windows 10, version 1903:
- +When a licensed user signs in to a device that meets requirements using their Azure AD credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires. > [!NOTE] -> -> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when "Windows 10 Enterprise" license is assigned from M365 Admin center (as of May 2019). -> -> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when "Windows 10 Enterprise" license is assigned from M365 Admin center (as of May 2019). +> Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel. + +The following figure summarizes how the subscription activation model works: + + + +> [!NOTE] +> +> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center. +> +> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center. ### Scenarios #### Scenario #1 -You're using Windows 10, version 1803 or above, and purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise). +You're using a supported version of Windows 10. You purchased Windows 10 Enterprise E3 or E5 subscriptions, or you've had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise. -All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. +All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition. #### Scenario #2 -Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. +You're using Azure AD-joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Azure AD synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. You then assign that license to all of your Azure AD users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise. -In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it's simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. +#### Earlier versions of Windows -If you're running Windows 7, it can be more work. A wipe-and-load approach works, but it's likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This path is supported, and completes the move in one step. This method also works if you're running Windows 8.1 Pro. +If devices are running Windows 7, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise edition. This path is supported, and completes the move in one step. This method also works for devices with Windows 8.1 Pro. ### Licenses The following policies apply to acquisition and renewal of licenses on devices: -- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user hasn't logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. + +- Devices that have been upgraded will attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license. + +- If a device is disconnected from the internet, until its current subscription expires Windows will revert to Pro or Pro Education. As soon as the device is connected to the internet again, the license will automatically renew. + +- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, on the computer to which a user hasn't logged for the longest time, Windows will revert to Pro or Pro Education. + - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. -When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/active-directory-licensing-whatis-azure-portal). +When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal). ### Existing Enterprise deployments -If you're running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +If you're running a supported version of Windows 10 or Windows 11, subscription activation will automatically pull the firmware-embedded Windows activation key and activate the underlying Pro license. The license will then step-up to Enterprise using subscription activation. This behavior automatically migrates your devices from KMS or MAK activated Enterprise to subscription activated Enterprise. -Subscription Activation doesn't remove the need to activate the underlying operating system, this is still a requirement for running a genuine installation of Windows. +Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows. > [!CAUTION] -> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). +> Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE). -If you're using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. - -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a `.cmd` file, and run the file from an elevated command prompt: - -```console -@echo off -FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO ( -SET "ProductKey=%%A" -goto InstallKey -) - -:InstallKey -IF [%ProductKey%]==[] ( -echo No key present -) ELSE ( -echo Installing %ProductKey% -changepk.exe /ProductKey %ProductKey% -) -``` - -Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, you can use the following Windows PowerShell script instead: +If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console: ```powershell $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } } @@ -252,17 +214,17 @@ $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( ### Obtaining an Azure AD license -Enterprise Agreement/Software Assurance (EA/SA): +If your organization has an Enterprise Agreement (EA) or Software Assurance (SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea). +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). -- The license administrator can assign seats to Azure AD users with the same process that is used for O365. +- The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps. - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. -Microsoft Products & Services Agreements (MPSA): +If your organization has a Microsoft Products & Services Agreement (MPSA): -- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. +- New customers are automatically emailed the details of the service. Take steps to process the instructions. - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. @@ -270,16 +232,18 @@ Microsoft Products & Services Agreements (MPSA): ### Deploying licenses -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). +For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). -## Related articles +## Related sites -[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
+Connect domain-joined devices to Azure AD for Windows experiences. For more information, see [Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) + +[Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11) + +[Windows for business](https://www.microsoft.com/windows/business) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index ede51bee83..a8ae09138a 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,6 +1,6 @@ --- title: Device registration overview -description: This article provides and overview on how to register devices in Autopatch +description: This article provides an overview on how to register devices in Autopatch ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows @@ -44,7 +44,7 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | | **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.
- Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
- **AzureADDeviceID**
- **OperatingSystem**
- **DisplayName (Device name)**
- **AccountEnabled**
- **RegistrationDateTime**
- **ApproximateLastSignInDateTime**
- In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
- **Serial number, model, and manufacturer.**
- Checks if the serial number already exists in the Windows Autopatch’s managed device database.
- **If the device is Intune-managed or not.**
- Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
- If **yes**, it means this device is enrolled into Intune.
- If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
- **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
- Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
- A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
- **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
- **If the device is a Windows device or not.**
- Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
- **If yes**, it means this device is enrolled into Intune.
- **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
- **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
- **Enterprise**
- **Pro**
- **Pro Workstation**
- **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
- **Only managed by Intune.**
- If the device is only managed by Intune, the device is marked as Passed all prerequisites.
- **Co-managed by both Configuration Manager and Intune.**
- If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
- **Windows Updates Policies**
- **Device Configuration**
- **Office Click to Run**
- If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
- **Serial number, model, and manufacturer.**
- Checks if the serial number already exists in the Windows Autopatch’s managed device database.
- **If the device is Intune-managed or not.**
- Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
- If **yes**, it means this device is enrolled into Intune.
- If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
- **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
- Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
- A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
- **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
- **If the device is a Windows device or not.**
- Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
- **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
- **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
- **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
- **Enterprise**
- **Pro**
- **Pro Workstation**
- **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
- **Only managed by Intune.**
- If the device is only managed by Intune, the device is marked as Passed all prerequisites.
- **Co-managed by both Configuration Manager and Intune.**
- If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
- **Windows Updates Policies**
- **Device Configuration**
- **Office Click to Run**
- If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
- **Modern Workplace Devices-Windows Autopatch-First**
- The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
- **Modern Workplace Devices-Windows Autopatch-Fast**
- **Modern Workplace Devices-Windows Autopatch-Broad**
- **Modern Workplace Devices - All**
- This group has all devices managed by Windows Autopatch.
- When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
- This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
- When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
- This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
- When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
- This group has all virtual devices managed by Windows Autopatch.
- Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
- Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
- OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\
*`/Policies/UseCloudTrustForOnPremAuth`** - Data type: **Boolean**
- Value: **True**
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. +- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. ## Where is Windows Hello data stored? + The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor. > [!NOTE] >Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file. ## Has Microsoft set any device requirements for Windows Hello? + We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: -- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. +- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. -- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. +- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. ### Fingerprint sensor requirements -To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). + +To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative logon option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). **Acceptable performance range for small to large size touch sensors** -- False Accept Rate (FAR): <0.001 – 0.002% +- False Accept Rate (FAR): <0.001 – 0.002% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% **Acceptable performance range for swipe sensors** -- False Accept Rate (FAR): <0.002% +- False Accept Rate (FAR): <0.002% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% ### Facial recognition sensors + To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). -- False Accept Rate (FAR): <0.001% +- False Accept Rate (FAR): <0.001% -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% > [!NOTE] >Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. +### Iris recognition sensor requirements + +To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K. ## Related topics + - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) @@ -90,12 +101,3 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) - - - - - - - - - diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 0f2c45e2f0..00e6171863 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -35,7 +35,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme - Multi-factor Authentication is required during Windows Hello for Business provisioning - Proper name resolution, both internal and external names - Active Directory and an adequate number of domain controllers per site to support authentication -- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud trust deployments) +- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud Kerberos trust deployments) - One or more workstation computers running Windows 10, version 1703 or later If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. @@ -44,23 +44,23 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key trust*, *certificate trust*, and *cloud trust*. On-premises deployment models only support *Key trust* and *certificate trust*. +Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. The trust model determines how you want users to authenticate to the on-premises Active Directory: - The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates. -- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using cloud trust instead of key trust if the clients in your enterprise support it. +- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it. - The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!Note] -> RDP does not support authentication with Windows Hello for Business key trust or cloud trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust and cloud trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). Following are the various deployment guides and models included in this topic: -- [Hybrid Azure AD Joined Cloud Trust Deployment](hello-hybrid-cloud-trust.md) +- [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md) - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index bc542d1967..88115dc1cb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -29,9 +29,9 @@ sections: - name: Ignored questions: - - question: What is Windows Hello for Business cloud trust? + - question: What is Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust). + Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). - question: What about virtual smart cards? diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 435fe6109b..9b9e87b305 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -96,8 +96,8 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi |--- |--- |--- | |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| |**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| -|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| -|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| +|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust| +|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| |**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| |**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 909df0b77b..ffaec80712 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -21,10 +21,10 @@ Windows Hello for Business authentication is passwordless, two-factor authentica Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. - [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory) -- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview) +- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust) - [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key) - [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate) -- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview) +- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust) - [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key) - [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate) @@ -43,7 +43,7 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| -## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview) +## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)  @@ -78,13 +78,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c > [!NOTE] > You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. -## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview) +## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)  | Phase | Description | | :----: | :----------- | -|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud trust is enabled. If cloud trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce. +|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce. |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD. |C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP. |D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 7d93ef16b8..6ebf241107 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -26,7 +26,7 @@ List of provisioning flows: - [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment) - [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment) -- [Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-trust-preview-deployment-in-a-managed-environment) +- [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment) - [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment) - [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment) - [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment) @@ -62,9 +62,9 @@ List of provisioning flows: [Return to top](#windows-hello-for-business-provisioning) -## Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment +## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment - + [Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png) | Phase | Description | @@ -74,7 +74,7 @@ List of provisioning flows: | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. | > [!NOTE] -> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential. +> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential. [Return to top](#windows-hello-for-business-provisioning) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md similarity index 59% rename from windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 95583c6427..7e64879acd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -1,6 +1,6 @@ --- -title: Hybrid Cloud Trust Deployment (Windows Hello for Business) -description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. +title: Hybrid cloud Kerberos trust Deployment (Windows Hello for Business) +description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. ms.prod: m365-security author: paolomatarazzo ms.author: paoloma @@ -11,66 +11,68 @@ ms.topic: article localizationpriority: medium ms.date: 2/15/2022 appliesto: -- ✅ Windows 10 21H2 and later +- ✅ Windows 10, version 21H2 and later - ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Cloud Kerberos trust --- -# Hybrid Cloud Trust Deployment (Preview) +# Hybrid Cloud Kerberos Trust Deployment (Preview) -Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. +Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. -## Introduction to Cloud Trust +## Introduction to Cloud Kerberos Trust -The goal of the Windows Hello for Business cloud trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls. +The goal of the Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls. -Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model: +Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model: -- Windows Hello for Business cloud trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI. -- Cloud trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate. -- Deploying Windows Hello for Business cloud trust enables you to also deploy passwordless security keys with minimal extra setup. +- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI +- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate +- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup > [!NOTE] -> Windows Hello for Business cloud trust is recommended instead of key trust if you meet the prerequisites to deploy cloud trust. Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. +> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. -## Azure Active Directory Kerberos and Cloud Trust Authentication +## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication -Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. +Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. cloud Kerberos trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs. When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. -More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). +More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust). -If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. +If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. ## Prerequisites | Requirement | Notes | | --- | --- | | Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. | -| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | +| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | | Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. | | Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).| -| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | +| Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | ### Unsupported Scenarios -The following scenarios aren't supported using Windows Hello for Business cloud trust: +The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust: - On-premises only deployments - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container) - Scenarios that require a certificate for authentication -- Using cloud trust for "Run as" -- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity +- Using cloud Kerberos trust for "Run as" +- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity > [!NOTE] -> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys. +> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys. > > To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate trust
Mixed managed | Certificate trust
Modern managed | +| Requirement | cloud Kerberos trust
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate Trust
Mixed managed | Certificate Trust
Modern managed | | --- | --- | --- | --- | --- | | **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | | **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | @@ -44,7 +44,7 @@ The table shows the minimum requirements for each deployment. For key trust in a | **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required | > [!Important] -> - Hybrid deployments support non-destructive PIN reset that works with certificate trust, key trust and cloud trust models. +> - Hybrid deployments support non-destructive PIN reset that works with Certificate Trust, Key Trust and cloud Kerberos trust models. > > **Requirements:** > - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 6a355853aa..6efd13da5a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -14,6 +14,7 @@ localizationpriority: medium appliesto: - ✅ Windows 10 - ✅ Windows 11 +- ✅ Windows Holographic for Business --- # Windows Hello for Business Overview @@ -46,6 +47,7 @@ As an administrator in an enterprise or educational organization, you can create - **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. - **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards. +- **Iris Recognition**. This type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner. These iris scanners are the same across all HoloLens 2 devices. Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). @@ -94,9 +96,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md). ## Comparing key-based and certificate-based authentication -Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. +Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. -Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). ## Learn more diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index c1dc768999..32137c8e75 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. +> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md. The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index a0fa9d6144..3907b4b422 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -65,8 +65,8 @@ landingContent: url: hello-identity-verification.md - linkListType: how-to-guide links: - - text: Hybrid Cloud Trust Deployment - url: hello-hybrid-cloud-trust.md + - text: Hybrid Cloud Kerberos Trust Deployment + url: hello-hybrid-cloud-kerberos-trust.md - text: Hybrid Azure AD Joined Key Trust Deployment url: hello-hybrid-key-trust.md - text: Hybrid Azure AD Joined Certificate Trust Deployment diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 6e71a47657..2c22050ab0 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -35,8 +35,8 @@ href: hello-prepare-people-to-use.md - name: Deployment Guides items: - - name: Hybrid Cloud Trust Deployment - href: hello-hybrid-cloud-trust.md + - name: Hybrid Cloud Kerberos Trust Deployment + href: hello-hybrid-cloud-kerberos-trust.md - name: Hybrid Azure AD Joined Key Trust items: - name: Hybrid Azure AD Joined Key Trust Deployment diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md index 8926ad4417..26654a00e4 100644 --- a/windows/security/identity-protection/hello-for-business/webauthn-apis.md +++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md @@ -9,16 +9,18 @@ ms.reviewer: prsriva ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 08/30/2022 +ms.date: 09/15/2022 appliesto: - ✅ Windows 10 - ✅ Windows 11 --- # WebAuthn APIs for passwordless authentication on Windows - + Passwords can leave your customers vulnerable to data breaches and security attacks by malicious users. -Microsoft has long been a proponent of passwordless authentication, and introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903). +Microsoft has long been a proponent of passwordless authentication, and has introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903). + +Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms. ## What does this mean? @@ -29,11 +31,11 @@ Users of these apps or sites can use any browser that supports WebAuthn APIs for Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead. > [!NOTE] -> When these APIs are in use, Windows 10 browsers or apps don't have direct access to the FIDO2 transports for FIDO-related messaging. +> When these APIs are in use, Windows 10 browsers or applications don't have direct access to the FIDO2 transports for FIDO-related messaging. ## The big picture -Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators). +The Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators). The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally. @@ -56,30 +58,30 @@ A combined WebAuthn/CTAP2 dance includes the following cast of characters: - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser. > [!NOTE] - > The preceding diagram doesn't depict single sign-on authentication. Be careful not to confuse FIDO relying parties with federated relying parties. + > The preceding diagram doesn't depict Single Sign-On (SSO) authentication. Be careful not to confuse FIDO relying parties with federated relying parties. -- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request that the authenticator create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on. +- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request the authenticator to create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on. -- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions of the preceding diagram may differ. +- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions shown in the preceding diagram may differ. - **Platform authenticator**. A *platform authenticator* usually resides on a client device. Examples of platform authenticators include fingerprint recognition technology that uses a built-in laptop fingerprint reader and facial recognition technology that uses a built-in smartphone camera. Cross-platform transport protocols such as USB, NFC or BLE can't access platform authenticators. - **Roaming authenticator**. A *roaming authenticator* can connect to multiple client devices. Client devices must use a supported transport protocol to negotiate interactions. Examples of roaming authenticators include USB security keys, BLE-enabled smartphone applications, and NFC-enabled proximity cards. Roaming authenticators can support CTAP1, CTAP2, or both protocols. -Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile app. +Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile application. ## Interoperability -Before there was WebAuthn and CTAP2, there was U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality. +Before WebAuthn and CTAP2, there were U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality. -FIDO2 authenticators have already implemented and WebAuthn relying parties might require the following optional features: +FIDO2 authenticators have already been implemented and WebAuthn relying parties might require the following optional features: - Keys for multiple accounts (keys can be stored per relying party) - Client PIN - Location (the authenticator returns a location) - [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios) -The following options and might be useful in the future, but haven't been observed in the wild yet: +The following options might be useful in the future, but haven't been observed in the wild yet: - Transactional approval - User verification index (servers can determine whether biometric data that's stored locally has changed over time) @@ -105,18 +107,18 @@ Here's an approximate layout of where the Microsoft bits go: > [!IMPORTANT] > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials. -- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn. +- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn. > [!NOTE] > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication). - **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs. -- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. That's because there's already a strong ecosystem of products that specialize in strong authentication, and every one of our customers (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. To see the ever-growing list of FIDO2 certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs. +- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs. ## Developer references The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications: - [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec. -- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication. +- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This document is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication. diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg new file mode 100644 index 0000000000..21a6b4f235 --- /dev/null +++ b/windows/security/images/icons/accessibility.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/group-policy.svg b/windows/security/images/icons/group-policy.svg new file mode 100644 index 0000000000..ace95add6b --- /dev/null +++ b/windows/security/images/icons/group-policy.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/intune.svg b/windows/security/images/icons/intune.svg new file mode 100644 index 0000000000..6e0d938aed --- /dev/null +++ b/windows/security/images/icons/intune.svg @@ -0,0 +1,24 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg new file mode 100644 index 0000000000..ab2d5152ca --- /dev/null +++ b/windows/security/images/icons/powershell.svg @@ -0,0 +1,20 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg new file mode 100644 index 0000000000..dbbad7d780 --- /dev/null +++ b/windows/security/images/icons/provisioning-package.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg new file mode 100644 index 0000000000..06ab4c09d7 --- /dev/null +++ b/windows/security/images/icons/registry.svg @@ -0,0 +1,22 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/windows-os.svg b/windows/security/images/icons/windows-os.svg new file mode 100644 index 0000000000..da64baf975 --- /dev/null +++ b/windows/security/images/icons/windows-os.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 7c87a7eecd..50d55f1b6b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -1,12 +1,13 @@ --- -title: BitLocker recovery guide (Windows 10) -description: This article for IT professionals describes how to recover BitLocker keys from AD DS. -ms.reviewer: -ms.prod: m365-security +title: BitLocker recovery guide +description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: frankroj +ms.author: frankroj +ms.reviewer: rafals +manager: aaroncz ms.collection: - M365-security-compliance - highpri @@ -21,11 +22,11 @@ ms.custom: bitlocker - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later -This article for IT professionals describes how to recover BitLocker keys from AD DS. +This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). -Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. +Organizations can use BitLocker recovery information saved in AD DS to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. @@ -45,7 +46,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. @@ -280,8 +281,16 @@ This error might occur if you updated the firmware. As a best practice, you shou ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally. + +The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. + +To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. +To activate the on-screen keyboard, tap on a text input control. + +:::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated."::: ## BitLocker recovery screen diff --git a/windows/security/information-protection/bitlocker/images/bl-narrator.png b/windows/security/information-protection/bitlocker/images/bl-narrator.png new file mode 100644 index 0000000000..223d0bc3b6 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/bl-narrator.png differ diff --git a/windows/security/information-protection/images/pluton/pluton-firmware-load.png b/windows/security/information-protection/images/pluton/pluton-firmware-load.png new file mode 100644 index 0000000000..28dee91260 Binary files /dev/null and b/windows/security/information-protection/images/pluton/pluton-firmware-load.png differ diff --git a/windows/security/information-protection/images/pluton/pluton-security-architecture.png b/windows/security/information-protection/images/pluton/pluton-security-architecture.png new file mode 100644 index 0000000000..adab20b080 Binary files /dev/null and b/windows/security/information-protection/images/pluton/pluton-security-architecture.png differ diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md new file mode 100644 index 0000000000..0151546bcc --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -0,0 +1,124 @@ +--- +title: Configure Personal Data Encryption (PDE) in Intune +description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune + +author: frankroj +ms.author: frankroj +ms.reviewer: rafals +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 09/22/2022 +--- + + + +# Configure Personal Data Encryption (PDE) policies in Intune + +## Required prerequisites + +### Enable Personal Data Encryption (PDE) + +1. Sign into the Intune +2. Navigate to **Devices** > **Configuration Profiles** +3. Select **Create profile** +4. Under **Platform**, select **Windows 10 and later** +5. Under **Profile type**, select **Templates** +6. Under **Template name**, select **Custom**, and then select **Create** +7. On the ****Basics** tab: + 1. Next to **Name**, enter **Personal Data Encryption** + 2. Next to **Description**, enter a description +8. Select **Next** +9. On the **Configuration settings** tab, select **Add** +10. In the **Add Row** window: + 1. Next to **Name**, enter **Personal Data Encryption** + 2. Next to **Description**, enter a description + 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** + 4. Next to **Data type**, select **Integer** + 5. Next to **Value**, enter in **1** +11. Select **Save**, and then select **Next** +12. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the PDE policy should be deployed to + 3. Select **Select** + 4. Select **Next** +13. On the **Applicability Rules** tab, configure if necessary and then select **Next** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +#### Disable Winlogon automatic restart sign-on (ARSO) + +1. Sign into the Intune +2. Navigate to **Devices** > **Configuration Profiles** +3. Select **Create profile** +4. Under **Platform**, select **Windows 10 and later** +5. Under **Profile type**, select **Templates** +6. Under **Template name**, select **Administrative templates**, and then select **Create** +7. On the ****Basics** tab: + 1. Next to **Name**, enter **Disable ARSO** + 2. Next to **Description**, enter a description +8. Select **Next** +9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** +10. Select **Sign-in and lock last interactive user automatically after a restart** +11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** +12. Select **Next** +13. On the **Scope tags** tab, configure if necessary and then select **Next** +12. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the ARSO policy should be deployed to + 3. Select **Select** + 4. Select **Next** +13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +## Recommended prerequisites + +#### Disable crash dumps + +1. Sign into the Intune +2. Navigate to **Devices** > **Configuration Profiles** +3. Select **Create profile** +4. Under **Platform**, select **Windows 10 and later** +5. Under **Profile type**, select **Settings catalog**, and then select **Create** +6. On the ****Basics** tab: + 1. Next to **Name**, enter **Disable Hibernation** + 2. Next to **Description**, enter a description +7. Select **Next** +8. On the **Configuration settings** tab, select **Add settings** +9. In the **Settings picker** windows, select **Memory Dump** +10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** +12. On the **Scope tags** tab, configure if necessary and then select **Next** +13. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the crash dumps policy should be deployed to + 3. Select **Select** + 4. Select **Next** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +#### Disable hibernation + +1. Sign into the Intune +2. Navigate to **Devices** > **Configuration Profiles** +3. Select **Create profile** +4. Under **Platform**, select **Windows 10 and later** +5. Under **Profile type**, select **Settings catalog**, and then select **Create** +6. On the ****Basics** tab: + 1. Next to **Name**, enter **Disable Hibernation** + 2. Next to **Description**, enter a description +7. Select **Next** +8. On the **Configuration settings** tab, select **Add settings** +9. In the **Settings picker** windows, select **Power** +10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +11. Change **Allow Hibernate** to **Block**, and then select **Next** +12. On the **Scope tags** tab, configure if necessary and then select **Next** +13. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the hibernation policy should be deployed to + 3. Select **Select** + 4. Select **Next** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +## See also +- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) \ No newline at end of file diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml new file mode 100644 index 0000000000..744161659e --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml @@ -0,0 +1,74 @@ +### YamlMime:FAQ + +metadata: + title: Frequently asked questions for Personal Data Encryption (PDE) + description: Answers to common questions regarding Personal Data Encryption (PDE). + author: frankroj + ms.author: frankroj + ms.reviewer: rafals + manager: aaroncz + ms.topic: faq + ms.prod: windows-client + ms.technology: itpro-security + ms.localizationpriority: medium + ms.date: 09/22/2022 + +title: Frequently asked questions for Personal Data Encryption (PDE) +summary: | + Here are some answers to common questions regarding Personal Data Encryption (PDE) + +sections: + - name: Single section - ignored + questions: + - question: Can PDE encrypt entire volumes or drives? + answer: | + No. PDE only encrypts specified files. + + - question: Is PDE a replacement for BitLocker? + answer: | + No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security. + + - question: Can an IT admin specify which files should be encrypted? + answer: | + Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + + - question: Do I need to use OneDrive as my backup provider? + answer: | + No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider. + + - question: What is the relation between Windows Hello for Business and PDE? + answer: | + During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files. + + - question: Can a file be encrypted with both PDE and EFS at the same time? + answer: | + No. PDE and EFS are mutually exclusive. + + - question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)? + answer: | + No. Accessing PDE encrypted files over RDP isn't currently supported. + + - question: Can PDE encrypted files be access via a network share? + answer: | + No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. + + - question: How can it be determined if a file is encrypted with PDE? + answer: | + Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file. + + - question: Can users manually encrypt and decrypt files with PDE? + answer: | + Currently users can decrypt files manually but they can't encrypt files manually. + + - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files? + answer: | + No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. + + - question: What encryption method and strength does PDE use? + answer: | + PDE uses AES-CBC with a 256-bit key to encrypt files + +additionalContent: | + ## See also + - [Personal Data Encryption (PDE)](overview-pde.md) + - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) \ No newline at end of file diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md new file mode 100644 index 0000000000..7ca7334657 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md @@ -0,0 +1,27 @@ +--- +title: Personal Data Encryption (PDE) description +description: Personal Data Encryption (PDE) description include file + +author: frankroj +ms.author: frankroj +ms.reviewer: rafals +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 09/22/2022 +--- + + + +Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. + +PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. + +PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features. + +Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. + +> [!NOTE] +> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE. diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md new file mode 100644 index 0000000000..fb78dc475b --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -0,0 +1,140 @@ +--- +title: Personal Data Encryption (PDE) +description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. + +author: frankroj +ms.author: frankroj +ms.reviewer: rafals +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 09/22/2022 +--- + + + +# Personal Data Encryption (PDE) + +(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*) + +[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] + +## Prerequisites + +### **Required** + - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) + - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) + - Windows 11, version 22H2 and later Enterprise and Education editions + +### **Not supported with PDE** + - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) + - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). + - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) + - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) + - Remote Desktop connections + +### **Highly recommended** + - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled + - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it. + - Backup solution such as [OneDrive](/onedrive/onedrive) + - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup. + - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) + - Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) + - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN + - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump) + - Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps). + - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) + - Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + +## PDE protection levels + +PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + +| Item | Level 1 | Level 2 | +|---|---|---| +| Data is accessible when user is signed in | Yes | Yes | +| Data is accessible when user has locked their device | Yes | No | +| Data is accessible after user signs out | No | No | +| Data is accessible when device is shut down | No | No | +| Decryption keys discarded | After user signs out | After user locks device or signs out | + +## PDE encrypted files accessibility + +When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. + +Scenarios where a user will be denied access to a PDE encrypted file include: + +- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN. +- If specified via level 2 protection, when the device is locked. +- When trying to access files on the device remotely. For example, UNC network paths. +- Remote Desktop sessions. +- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files. + +## How to enable PDE + +To enable PDE on devices, push an MDM policy to the devices with the following parameters: + +- Name: **Personal Data Encryption** +- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** +- Data type: **Integer** +- Value: **1** + +There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it. + +> [!NOTE] +> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled. + +For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). + +## Differences between PDE and BitLocker + +| Item | PDE | BitLocker | +|--|--|--| +| Release of key | At user sign-in via Windows Hello for Business | At boot | +| Keys discarded | At user sign-out | At reboot | +| Files encrypted | Individual specified files | Entire volume/drive | +| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in | +| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features | + +## Differences between PDE and EFS + +The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files. + +To see if a file is encrypted with PDE or EFS: + +1. Open the properties of the file +2. Under the **General** tab, select **Advanced...** +3. In the **Advanced Attributes** windows, select **Details** + +For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. + +For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. + +Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command. + +## Disable PDE and decrypt files + +Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps: + +1. Open the properties of the file +2. Under the **General** tab, select **Advanced...** +3. Uncheck the option **Encrypt contents to secure data** +4. Select **OK**, and then **OK** again + +> [!Important] +> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again. + +## Windows out of box applications that support PDE + +Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE. + +- Mail + - Supports encrypting both email bodies and attachments + +## See also +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) +- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) diff --git a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md new file mode 100644 index 0000000000..b96b652981 --- /dev/null +++ b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md @@ -0,0 +1,52 @@ +--- +title: Microsoft Pluton security processor +description: Learn more about Microsoft Pluton security processor +ms.reviewer: +ms.prod: m365-security +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz +ms.localizationpriority: medium +ms.collection: + - M365-security-compliance +ms.topic: conceptual +ms.date: 09/15/2022 +appliesto: +- ✅ Windows 11, version 22H2 +--- + +# Microsoft Pluton security processor + +Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. + +Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2. + +## What is Microsoft Pluton? + +Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker has installed malware or has complete physical possession of the PC. + +Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module as well as deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md). + +Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/). + +## Microsoft Pluton security architecture overview + + + +Pluton Security subsystem consists of the following layers: + +| | Description | +|--|--| +| **Hardware** | Pluton Security Processor is a secure element tightly integrated into the SoC subsystem. It provides a trusted execution environment while delivering cryptographic services required for protecting sensitive resources and critical items like keys, data, etc. | +| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For additional information, see [Firmware load flow](#firmware-load-flow) | +| **Software** | Operating system drivers and applications available to an end user to allow seamless usage of the hardware capabilities provided by the Pluton security subsystem. | + +## Firmware load flow + +When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware is not available, Windows uses the firmware that was loaded during the hardware initialization. The diagram below illustrates this process: + + + +## Related topics + +[Microsoft Pluton as TPM](pluton-as-tpm.md) diff --git a/windows/security/information-protection/pluton/pluton-as-tpm.md b/windows/security/information-protection/pluton/pluton-as-tpm.md new file mode 100644 index 0000000000..121337c071 --- /dev/null +++ b/windows/security/information-protection/pluton/pluton-as-tpm.md @@ -0,0 +1,50 @@ +--- +title: Microsoft Pluton as Trusted Platform Module (TPM 2.0) +description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0) +ms.reviewer: +ms.prod: m365-security +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz +ms.localizationpriority: medium +ms.collection: + - M365-security-compliance +ms.topic: conceptual +ms.date: 09/15/2022 +appliesto: +- ✅ Windows 11, version 22H2 +--- + +# Microsoft Pluton as Trusted Platform Module + +Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard. + +As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material. + +Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for them to apply these updates. + +To learn more about the TPM related scenarios that benefit from Pluton, see [TPM and Windows Features](/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features). + +## Microsoft Pluton as a security processor alongside discrete TPM + +Microsoft Pluton can be used as a TPM, or in conjunction with a TPM. Although Pluton builds security directly into the CPU, device manufacturers may choose to use discrete TPM as the default TPM, while having Pluton available to the system as a security processor for use cases beyond the TPM. + +Pluton is integrated within the SoC subsystem, and provides a flexible, updatable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. We encourage users owning devices that are Pluton capable, to enable Microsoft Pluton as the default TPM. + +## Enable Microsoft Pluton as TPM + +Devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device. + +UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM. + +> [!WARNING] +> If BitLocker is enabled, We recommend disabling BitLocker before changing the TPM configuration to prevent lockouts. After changing TPM configuration, re-enable BitLocker which will then bind the BitLocker keys with the Pluton TPM. Alternatively, save the BitLocker recovery key onto a USB drive. +> +> Windows Hello must be re-configured after switching the TPM. Setup alternate login methods before changing the TPM configuration to prevent any login issues. + +> [!TIP] +> On most Lenovo devices, entering the UEFI options requires pressing Enter key at startup followed by pressing F1. In the UEFI Setup menu, select Security option, then on the Security page, select Security Chip option, to see the TPM configuration options. Under the drop-down list for Security Chip selection, select **MSFT Pluton** and click F10 to Save and Exit. + +## Related topics + +[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index d9221e9bca..382528bfa0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -56,15 +56,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher
Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
-|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
-|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
+|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher
Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index d5400d4de7..d8461e69f2 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -1,18 +1,15 @@
---
-title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11)
+title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer:
-manager: dansimp
-ms.date: 03/14/2022
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.reviewer: sazankha
+manager: aaroncz
+ms.date: 09/23/2022
ms.custom: asr
-ms.technology: windows-sec
---
# Application Guard testing scenarios
@@ -59,7 +56,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
3. Set up the Network Isolation settings in Group Policy:
- a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**.
+ a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
@@ -75,7 +72,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
-5. Click **Enabled**, choose Option **1**, and click **OK**.
+5. Select **Enabled**, choose Option **1**, and select **OK**.
@@ -110,15 +107,14 @@ You have the option to change each of these settings to work with your enterpris
**Applies to:**
-- Windows 10 Enterprise edition, version 1709 or higher
-- Windows 10 Professional edition, version 1803
-- Windows 11
+- Windows 10 Enterprise or Pro editions, version 1803 or later
+- Windows 11 Enterprise or Pro editions
#### Copy and paste options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
@@ -138,25 +134,25 @@ You have the option to change each of these settings to work with your enterpris
- Both text and images can be copied between the host PC and the isolated container.
-5. Click **OK**.
+5. Select **OK**.
#### Print options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard print** settings.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
-4. Click **OK**.
+4. Select **OK**.
#### Data persistence options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
@@ -166,32 +162,33 @@ You have the option to change each of these settings to work with your enterpris
4. Add the site to your **Favorites** list and then close the isolated session.
-5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+5. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your **Favorites** list.
> [!NOTE]
- > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
+ > Starting with Windows 11, version 22H2, data persistence is disabled by default. If you don't allow or turn off data persistence, restarting a device or signing in and out of the isolated container triggers a recycle event. This action discards all generated data, such as session cookies and Favorites, and removes the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
>
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
>
> **To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
+ >
+ > _Microsoft Edge version 90 or later no longer supports `RESET_PERSISTENCE_LAYER`._
**Applies to:**
-- Windows 10 Enterprise edition, version 1803
-- Windows 10 Professional edition, version 1803
-- Windows 11
+- Windows 10 Enterprise or Pro editions, version 1803
+- Windows 11 Enterprise or Pro editions, version 21H2. Data persistence is disabled by default in Windows 11, version 22H2 and later.
#### Download options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Microsoft Defender Application Guard.
@@ -201,7 +198,7 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow hardware-accelerated rendering for Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and Select **OK**.
@@ -209,21 +206,15 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.
-**Applies to:**
-
-- Windows 10 Enterprise edition, version 1809
-- Windows 10 Professional edition, version 1809
-- Windows 11
-
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
@@ -233,11 +224,11 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
-2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
+2. Select **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
## Application Guard Extension for third-party web browsers
@@ -245,9 +236,9 @@ The [Application Guard Extension](md-app-guard-browser-extension.md) available f
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
-1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
+1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
-2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
+2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..6fe565bf48
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
@@ -0,0 +1,101 @@
+---
+title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
+description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
+ms.prod: windows-client
+ms.technology: itpro-security
+author: v-mathavale
+ms.author: v-mathavale
+ms.reviewer: paoloma
+manager: aaroncz
+ms.localizationpriority: medium
+ms.date: 06/21/2022
+adobe-target: true
+appliesto:
+- ✅ Windows 11, version 22H2
+---
+
+# Enhanced Phishing Protection in Microsoft Defender SmartScreen
+
+Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
+
+Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways:
+
+- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account.
+
+- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password.
+
+- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
+
+## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
+
+Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are:
+
+- **Anti-phishing support:** Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content.
+
+- **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them.
+
+- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment.
+
+- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, aren't enabled.
+
+## Configure Enhanced Phishing Protection for your organization
+
+Enhanced Phishing Protection can be configured via Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service like Microsoft Intune. Follow the instructions below to configure your devices using either GPO or CSP.
+
+#### [✅ **GPO**](#tab/gpo)
+
+Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings:
+
+|Setting|Description|
+|---------|---------|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+
+#### [✅ **CSP**](#tab/csp)
+
+Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](/windows/client-management/mdm/policy-csp-webthreatdefense).
+
+| Setting | OMA-URI | Data type |
+|-------------------------|---------------------------------------------------------------------------|-----------|
+| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
+| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
+| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
+| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
+
+---
+
+### Recommended settings for your organization
+
+By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
+
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
+
+#### [✅ **GPO**](#tab/gpo)
+
+|Group Policy setting|Recommendation|
+|---------|---------|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
+
+#### [✅ **CSP**](#tab/csp)
+
+|MDM setting|Recommendation|
+|---------|---------|
+|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
+|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
+|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
+|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+
+---
+
+## Related articles
+
+- [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md)
+- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [Threat protection](../index.md)
+- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
+- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
index a7d64bd225..dcad6a2586 100644
--- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml
@@ -3,313 +3,309 @@
- name: About application control for Windows
href: windows-defender-application-control.md
expanded: true
- items:
+ items:
- name: WDAC and AppLocker Overview
href: wdac-and-applocker-overview.md
- items:
- - name: WDAC and AppLocker Feature Availability
- href: feature-availability.md
- - name: Virtualization-based protection of code integrity
- href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- - name: WDAC design guide
- href: windows-defender-application-control-design-guide.md
- items:
- - name: Plan for WDAC policy lifecycle management
- href: plan-windows-defender-application-control-management.md
- - name: Design your WDAC policy
- items:
- - name: Understand WDAC policy design decisions
- href: understand-windows-defender-application-control-policy-design-decisions.md
- - name: Understand WDAC policy rules and file rules
- href: select-types-of-rules-to-create.md
- items:
- - name: Allow apps installed by a managed installer
- href: configure-authorized-apps-deployed-with-a-managed-installer.md
- - name: Allow reputable apps with Intelligent Security Graph (ISG)
- href: use-windows-defender-application-control-with-intelligent-security-graph.md
- - name: Allow COM object registration
- href: allow-com-object-registration-in-windows-defender-application-control-policy.md
- - name: Use WDAC with .NET hardening
- href: use-windows-defender-application-control-with-dynamic-code-security.md
- - name: Manage packaged apps with WDAC
- href: manage-packaged-apps-with-windows-defender-application-control.md
- - name: Use WDAC to control specific plug-ins, add-ins, and modules
- href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- - name: Understand WDAC policy settings
- href: understanding-wdac-policy-settings.md
- - name: Use multiple WDAC policies
- href: deploy-multiple-windows-defender-application-control-policies.md
- - name: Create your WDAC policy
- items:
- - name: Example WDAC base policies
- href: example-wdac-base-policies.md
- - name: Policy creation for common WDAC usage scenarios
- href: types-of-devices.md
- items:
- - name: Create a WDAC policy for lightly managed devices
- href: create-wdac-policy-for-lightly-managed-devices.md
- - name: Create a WDAC policy for fully managed devices
- href: create-wdac-policy-for-fully-managed-devices.md
- - name: Create a WDAC policy for fixed-workload devices
- href: create-initial-default-policy.md
- - name: Create a WDAC deny list policy
- href: create-wdac-deny-policy.md
- - name: Microsoft recommended block rules
- href: microsoft-recommended-block-rules.md
- - name: Microsoft recommended driver block rules
- href: microsoft-recommended-driver-block-rules.md
- - name: Use the WDAC Wizard tool
- href: wdac-wizard.md
- items:
- - name: Create a base WDAC policy with the Wizard
- href: wdac-wizard-create-base-policy.md
- - name: Create a supplemental WDAC policy with the Wizard
- href: wdac-wizard-create-supplemental-policy.md
- - name: Editing a WDAC policy with the Wizard
- href: wdac-wizard-editing-policy.md
- - name: Merging multiple WDAC policies with the Wizard
- href: wdac-wizard-merging-policies.md
- - name: WDAC deployment guide
- href: windows-defender-application-control-deployment-guide.md
- items:
- - name: Deploy WDAC policies with MDM
- href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- - name: Deploy WDAC policies with Configuration Manager
- href: deployment/deploy-wdac-policies-with-memcm.md
- - name: Deploy WDAC policies with script
- href: deployment/deploy-wdac-policies-with-script.md
- - name: Deploy WDAC policies with group policy
- href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- - name: Audit WDAC policies
- href: audit-windows-defender-application-control-policies.md
- - name: Merge WDAC policies
- href: merge-windows-defender-application-control-policies.md
- - name: Enforce WDAC policies
- href: enforce-windows-defender-application-control-policies.md
- - name: Use code signing to simplify application control for classic Windows applications
- href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
- items:
- - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
- href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
- - name: "Optional: Create a code signing cert for WDAC"
- href: create-code-signing-cert-for-windows-defender-application-control.md
- - name: Deploy catalog files to support WDAC
- href: deploy-catalog-files-to-support-windows-defender-application-control.md
- - name: Use signed policies to protect Windows Defender Application Control against tampering
- href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- - name: Disable WDAC policies
- href: disable-windows-defender-application-control-policies.md
- - name: LOB Win32 Apps on S Mode
- href: LOB-win32-apps-on-s.md
- - name: WDAC operational guide
- href: windows-defender-application-control-operational-guide.md
- items:
- - name: Understanding Application Control event tags
- href: event-tag-explanations.md
- - name: Understanding Application Control event IDs
- href: event-id-explanations.md
- - name: Query WDAC events with Advanced hunting
- href: querying-application-control-events-centrally-using-advanced-hunting.md
- - name: Known Issues
- href: operations/known-issues.md
- - name: Managed installer and ISG technical reference and troubleshooting guide
- href: configure-wdac-managed-installer.md
- - name: WDAC AppId Tagging guide
- href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+ - name: WDAC and AppLocker Feature Availability
+ href: feature-availability.md
+ - name: Virtualization-based protection of code integrity
+ href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+- name: WDAC design guide
+ href: windows-defender-application-control-design-guide.md
+ items:
+ - name: Plan for WDAC policy lifecycle management
+ href: plan-windows-defender-application-control-management.md
+ - name: Design your WDAC policy
items:
- - name: Creating AppId Tagging Policies
- href: AppIdTagging/design-create-appid-tagging-policies.md
- - name: Deploying AppId Tagging Policies
- href: AppIdTagging/deploy-appid-tagging-policies.md
- - name: Testing and Debugging AppId Tagging Policies
- href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
- - name: AppLocker
- href: applocker\applocker-overview.md
- items:
- - name: Administer AppLocker
- href: applocker\administer-applocker.md
- items:
- - name: Maintain AppLocker policies
- href: applocker\maintain-applocker-policies.md
- - name: Edit an AppLocker policy
- href: applocker\edit-an-applocker-policy.md
- - name: Test and update an AppLocker policy
- href: applocker\test-and-update-an-applocker-policy.md
- - name: Deploy AppLocker policies by using the enforce rules setting
- href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- - name: Use the AppLocker Windows PowerShell cmdlets
- href: applocker\use-the-applocker-windows-powershell-cmdlets.md
- - name: Use AppLocker and Software Restriction Policies in the same domain
- href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
- - name: Optimize AppLocker performance
- href: applocker\optimize-applocker-performance.md
- - name: Monitor app usage with AppLocker
- href: applocker\monitor-application-usage-with-applocker.md
- - name: Manage packaged apps with AppLocker
- href: applocker\manage-packaged-apps-with-applocker.md
- - name: Working with AppLocker rules
- href: applocker\working-with-applocker-rules.md
- items:
- - name: Create a rule that uses a file hash condition
- href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
- - name: Create a rule that uses a path condition
- href: applocker\create-a-rule-that-uses-a-path-condition.md
- - name: Create a rule that uses a publisher condition
- href: applocker\create-a-rule-that-uses-a-publisher-condition.md
- - name: Create AppLocker default rules
- href: applocker\create-applocker-default-rules.md
- - name: Add exceptions for an AppLocker rule
- href: applocker\configure-exceptions-for-an-applocker-rule.md
- - name: Create a rule for packaged apps
- href: applocker\create-a-rule-for-packaged-apps.md
- - name: Delete an AppLocker rule
- href: applocker\delete-an-applocker-rule.md
- - name: Edit AppLocker rules
- href: applocker\edit-applocker-rules.md
- - name: Enable the DLL rule collection
- href: applocker\enable-the-dll-rule-collection.md
- - name: Enforce AppLocker rules
- href: applocker\enforce-applocker-rules.md
- - name: Run the Automatically Generate Rules wizard
- href: applocker\run-the-automatically-generate-rules-wizard.md
- - name: Working with AppLocker policies
- href: applocker\working-with-applocker-policies.md
- items:
- - name: Configure the Application Identity service
- href: applocker\configure-the-application-identity-service.md
- - name: Configure an AppLocker policy for audit only
- href: applocker\configure-an-applocker-policy-for-audit-only.md
- - name: Configure an AppLocker policy for enforce rules
- href: applocker\configure-an-applocker-policy-for-enforce-rules.md
- - name: Display a custom URL message when users try to run a blocked app
- href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
- - name: Export an AppLocker policy from a GPO
- href: applocker\export-an-applocker-policy-from-a-gpo.md
- - name: Export an AppLocker policy to an XML file
- href: applocker\export-an-applocker-policy-to-an-xml-file.md
- - name: Import an AppLocker policy from another computer
- href: applocker\import-an-applocker-policy-from-another-computer.md
- - name: Import an AppLocker policy into a GPO
- href: applocker\import-an-applocker-policy-into-a-gpo.md
- - name: Add rules for packaged apps to existing AppLocker rule-set
- href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
- - name: Merge AppLocker policies by using Set-ApplockerPolicy
- href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
- - name: Merge AppLocker policies manually
- href: applocker\merge-applocker-policies-manually.md
- - name: Refresh an AppLocker policy
- href: applocker\refresh-an-applocker-policy.md
- - name: Test an AppLocker policy by using Test-AppLockerPolicy
- href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
- - name: AppLocker design guide
- href: applocker\applocker-policies-design-guide.md
- items:
- - name: Understand AppLocker policy design decisions
- href: applocker\understand-applocker-policy-design-decisions.md
- - name: Determine your application control objectives
- href: applocker\determine-your-application-control-objectives.md
- - name: Create a list of apps deployed to each business group
- href: applocker\create-list-of-applications-deployed-to-each-business-group.md
- items:
- - name: Document your app list
- href: applocker\document-your-application-list.md
- - name: Select the types of rules to create
- href: applocker\select-types-of-rules-to-create.md
- items:
- - name: Document your AppLocker rules
- href: applocker\document-your-applocker-rules.md
- - name: Determine the Group Policy structure and rule enforcement
- href: applocker\determine-group-policy-structure-and-rule-enforcement.md
- items:
- - name: Understand AppLocker enforcement settings
- href: applocker\understand-applocker-enforcement-settings.md
- - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
- href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
- - name: Document the Group Policy structure and AppLocker rule enforcement
- href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
- - name: Plan for AppLocker policy management
- href: applocker\plan-for-applocker-policy-management.md
- - name: AppLocker deployment guide
- href: applocker\applocker-policies-deployment-guide.md
- items:
- - name: Understand the AppLocker policy deployment process
- href: applocker\understand-the-applocker-policy-deployment-process.md
- - name: Requirements for Deploying AppLocker Policies
- href: applocker\requirements-for-deploying-applocker-policies.md
- - name: Use Software Restriction Policies and AppLocker policies
- href: applocker\using-software-restriction-policies-and-applocker-policies.md
- - name: Create Your AppLocker policies
- href: applocker\create-your-applocker-policies.md
- items:
- - name: Create Your AppLocker rules
- href: applocker\create-your-applocker-rules.md
- - name: Deploy the AppLocker policy into production
- href: applocker\deploy-the-applocker-policy-into-production.md
- items:
- - name: Use a reference device to create and maintain AppLocker policies
- href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
- items:
- - name: Determine which apps are digitally signed on a reference device
- href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
- - name: Configure the AppLocker reference device
- href: applocker\configure-the-appLocker-reference-device.md
- - name: AppLocker technical reference
- href: applocker\applocker-technical-reference.md
- items:
- - name: What Is AppLocker?
- href: applocker\what-is-applocker.md
- - name: Requirements to use AppLocker
- href: applocker\requirements-to-use-applocker.md
- - name: AppLocker policy use scenarios
- href: applocker\applocker-policy-use-scenarios.md
- - name: How AppLocker works
- href: applocker\how-applocker-works-techref.md
- items:
- - name: Understanding AppLocker rule behavior
- href: applocker\understanding-applocker-rule-behavior.md
- - name: Understanding AppLocker rule exceptions
- href: applocker\understanding-applocker-rule-exceptions.md
- - name: Understanding AppLocker rule collections
- href: applocker\understanding-applocker-rule-collections.md
- - name: Understanding AppLocker allow and deny actions on rules
- href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
- - name: Understanding AppLocker rule condition types
- href: applocker\understanding-applocker-rule-condition-types.md
- items:
- - name: Understanding the publisher rule condition in AppLocker
- href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
- - name: Understanding the path rule condition in AppLocker
- href: applocker\understanding-the-path-rule-condition-in-applocker.md
- - name: Understanding the file hash rule condition in AppLocker
- href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
- - name: Understanding AppLocker default rules
- href: applocker\understanding-applocker-default-rules.md
- items:
- - name: Executable rules in AppLocker
- href: applocker\executable-rules-in-applocker.md
- - name: Windows Installer rules in AppLocker
- href: applocker\windows-installer-rules-in-applocker.md
- - name: Script rules in AppLocker
- href: applocker\script-rules-in-applocker.md
- - name: DLL rules in AppLocker
- href: applocker\dll-rules-in-applocker.md
- - name: Packaged apps and packaged app installer rules in AppLocker
- href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
- - name: AppLocker architecture and components
- href: applocker\applocker-architecture-and-components.md
- - name: AppLocker processes and interactions
- href: applocker\applocker-processes-and-interactions.md
- - name: AppLocker functions
- href: applocker\applocker-functions.md
- - name: Security considerations for AppLocker
- href: applocker\security-considerations-for-applocker.md
- - name: Tools to Use with AppLocker
- href: applocker\tools-to-use-with-applocker.md
- items:
- - name: Using Event Viewer with AppLocker
- href: applocker\using-event-viewer-with-applocker.md
- - name: AppLocker Settings
- href: applocker\applocker-settings.md
-- name: Windows security
- href: /windows/security/
-
+ - name: Understand WDAC policy design decisions
+ href: understand-windows-defender-application-control-policy-design-decisions.md
+ - name: Understand WDAC policy rules and file rules
+ href: select-types-of-rules-to-create.md
+ items:
+ - name: Allow apps installed by a managed installer
+ href: configure-authorized-apps-deployed-with-a-managed-installer.md
+ - name: Allow reputable apps with Intelligent Security Graph (ISG)
+ href: use-windows-defender-application-control-with-intelligent-security-graph.md
+ - name: Allow COM object registration
+ href: allow-com-object-registration-in-windows-defender-application-control-policy.md
+ - name: Use WDAC with .NET hardening
+ href: use-windows-defender-application-control-with-dynamic-code-security.md
+ - name: Manage packaged apps with WDAC
+ href: manage-packaged-apps-with-windows-defender-application-control.md
+ - name: Use WDAC to control specific plug-ins, add-ins, and modules
+ href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
+ - name: Understand WDAC policy settings
+ href: understanding-wdac-policy-settings.md
+ - name: Use multiple WDAC policies
+ href: deploy-multiple-windows-defender-application-control-policies.md
+ - name: Create your WDAC policy
+ items:
+ - name: Example WDAC base policies
+ href: example-wdac-base-policies.md
+ - name: Policy creation for common WDAC usage scenarios
+ href: types-of-devices.md
+ items:
+ - name: Create a WDAC policy for lightly managed devices
+ href: create-wdac-policy-for-lightly-managed-devices.md
+ - name: Create a WDAC policy for fully managed devices
+ href: create-wdac-policy-for-fully-managed-devices.md
+ - name: Create a WDAC policy for fixed-workload devices
+ href: create-initial-default-policy.md
+ - name: Create a WDAC deny list policy
+ href: create-wdac-deny-policy.md
+ - name: Microsoft recommended block rules
+ href: microsoft-recommended-block-rules.md
+ - name: Microsoft recommended driver block rules
+ href: microsoft-recommended-driver-block-rules.md
+ - name: Use the WDAC Wizard tool
+ href: wdac-wizard.md
+ items:
+ - name: Create a base WDAC policy with the Wizard
+ href: wdac-wizard-create-base-policy.md
+ - name: Create a supplemental WDAC policy with the Wizard
+ href: wdac-wizard-create-supplemental-policy.md
+ - name: Editing a WDAC policy with the Wizard
+ href: wdac-wizard-editing-policy.md
+ - name: Merging multiple WDAC policies with the Wizard
+ href: wdac-wizard-merging-policies.md
+- name: WDAC deployment guide
+ href: windows-defender-application-control-deployment-guide.md
+ items:
+ - name: Deploy WDAC policies with MDM
+ href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
+ - name: Deploy WDAC policies with Configuration Manager
+ href: deployment/deploy-wdac-policies-with-memcm.md
+ - name: Deploy WDAC policies with script
+ href: deployment/deploy-wdac-policies-with-script.md
+ - name: Deploy WDAC policies with group policy
+ href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
+ - name: Audit WDAC policies
+ href: audit-windows-defender-application-control-policies.md
+ - name: Merge WDAC policies
+ href: merge-windows-defender-application-control-policies.md
+ - name: Enforce WDAC policies
+ href: enforce-windows-defender-application-control-policies.md
+ - name: Use code signing to simplify application control for classic Windows applications
+ href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+ items:
+ - name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
+ href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
+ - name: "Optional: Create a code signing cert for WDAC"
+ href: create-code-signing-cert-for-windows-defender-application-control.md
+ - name: Deploy catalog files to support WDAC
+ href: deploy-catalog-files-to-support-windows-defender-application-control.md
+ - name: Use signed policies to protect Windows Defender Application Control against tampering
+ href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+ - name: Disable WDAC policies
+ href: disable-windows-defender-application-control-policies.md
+ - name: LOB Win32 Apps on S Mode
+ href: LOB-win32-apps-on-s.md
+- name: WDAC operational guide
+ href: windows-defender-application-control-operational-guide.md
+ items:
+ - name: Understanding Application Control event tags
+ href: event-tag-explanations.md
+ - name: Understanding Application Control event IDs
+ href: event-id-explanations.md
+ - name: Query WDAC events with Advanced hunting
+ href: querying-application-control-events-centrally-using-advanced-hunting.md
+ - name: Known Issues
+ href: operations/known-issues.md
+ - name: Managed installer and ISG technical reference and troubleshooting guide
+ href: configure-wdac-managed-installer.md
+- name: WDAC AppId Tagging guide
+ href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+ items:
+ - name: Creating AppId Tagging Policies
+ href: AppIdTagging/design-create-appid-tagging-policies.md
+ - name: Deploying AppId Tagging Policies
+ href: AppIdTagging/deploy-appid-tagging-policies.md
+ - name: Testing and Debugging AppId Tagging Policies
+ href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
+- name: AppLocker
+ href: applocker\applocker-overview.md
+ items:
+ - name: Administer AppLocker
+ href: applocker\administer-applocker.md
+ items:
+ - name: Maintain AppLocker policies
+ href: applocker\maintain-applocker-policies.md
+ - name: Edit an AppLocker policy
+ href: applocker\edit-an-applocker-policy.md
+ - name: Test and update an AppLocker policy
+ href: applocker\test-and-update-an-applocker-policy.md
+ - name: Deploy AppLocker policies by using the enforce rules setting
+ href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
+ - name: Use the AppLocker Windows PowerShell cmdlets
+ href: applocker\use-the-applocker-windows-powershell-cmdlets.md
+ - name: Use AppLocker and Software Restriction Policies in the same domain
+ href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
+ - name: Optimize AppLocker performance
+ href: applocker\optimize-applocker-performance.md
+ - name: Monitor app usage with AppLocker
+ href: applocker\monitor-application-usage-with-applocker.md
+ - name: Manage packaged apps with AppLocker
+ href: applocker\manage-packaged-apps-with-applocker.md
+ - name: Working with AppLocker rules
+ href: applocker\working-with-applocker-rules.md
+ items:
+ - name: Create a rule that uses a file hash condition
+ href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
+ - name: Create a rule that uses a path condition
+ href: applocker\create-a-rule-that-uses-a-path-condition.md
+ - name: Create a rule that uses a publisher condition
+ href: applocker\create-a-rule-that-uses-a-publisher-condition.md
+ - name: Create AppLocker default rules
+ href: applocker\create-applocker-default-rules.md
+ - name: Add exceptions for an AppLocker rule
+ href: applocker\configure-exceptions-for-an-applocker-rule.md
+ - name: Create a rule for packaged apps
+ href: applocker\create-a-rule-for-packaged-apps.md
+ - name: Delete an AppLocker rule
+ href: applocker\delete-an-applocker-rule.md
+ - name: Edit AppLocker rules
+ href: applocker\edit-applocker-rules.md
+ - name: Enable the DLL rule collection
+ href: applocker\enable-the-dll-rule-collection.md
+ - name: Enforce AppLocker rules
+ href: applocker\enforce-applocker-rules.md
+ - name: Run the Automatically Generate Rules wizard
+ href: applocker\run-the-automatically-generate-rules-wizard.md
+ - name: Working with AppLocker policies
+ href: applocker\working-with-applocker-policies.md
+ items:
+ - name: Configure the Application Identity service
+ href: applocker\configure-the-application-identity-service.md
+ - name: Configure an AppLocker policy for audit only
+ href: applocker\configure-an-applocker-policy-for-audit-only.md
+ - name: Configure an AppLocker policy for enforce rules
+ href: applocker\configure-an-applocker-policy-for-enforce-rules.md
+ - name: Display a custom URL message when users try to run a blocked app
+ href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
+ - name: Export an AppLocker policy from a GPO
+ href: applocker\export-an-applocker-policy-from-a-gpo.md
+ - name: Export an AppLocker policy to an XML file
+ href: applocker\export-an-applocker-policy-to-an-xml-file.md
+ - name: Import an AppLocker policy from another computer
+ href: applocker\import-an-applocker-policy-from-another-computer.md
+ - name: Import an AppLocker policy into a GPO
+ href: applocker\import-an-applocker-policy-into-a-gpo.md
+ - name: Add rules for packaged apps to existing AppLocker rule-set
+ href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
+ - name: Merge AppLocker policies by using Set-ApplockerPolicy
+ href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
+ - name: Merge AppLocker policies manually
+ href: applocker\merge-applocker-policies-manually.md
+ - name: Refresh an AppLocker policy
+ href: applocker\refresh-an-applocker-policy.md
+ - name: Test an AppLocker policy by using Test-AppLockerPolicy
+ href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
+ - name: AppLocker design guide
+ href: applocker\applocker-policies-design-guide.md
+ items:
+ - name: Understand AppLocker policy design decisions
+ href: applocker\understand-applocker-policy-design-decisions.md
+ - name: Determine your application control objectives
+ href: applocker\determine-your-application-control-objectives.md
+ - name: Create a list of apps deployed to each business group
+ href: applocker\create-list-of-applications-deployed-to-each-business-group.md
+ items:
+ - name: Document your app list
+ href: applocker\document-your-application-list.md
+ - name: Select the types of rules to create
+ href: applocker\select-types-of-rules-to-create.md
+ items:
+ - name: Document your AppLocker rules
+ href: applocker\document-your-applocker-rules.md
+ - name: Determine the Group Policy structure and rule enforcement
+ href: applocker\determine-group-policy-structure-and-rule-enforcement.md
+ items:
+ - name: Understand AppLocker enforcement settings
+ href: applocker\understand-applocker-enforcement-settings.md
+ - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
+ href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+ - name: Document the Group Policy structure and AppLocker rule enforcement
+ href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
+ - name: Plan for AppLocker policy management
+ href: applocker\plan-for-applocker-policy-management.md
+ - name: AppLocker deployment guide
+ href: applocker\applocker-policies-deployment-guide.md
+ items:
+ - name: Understand the AppLocker policy deployment process
+ href: applocker\understand-the-applocker-policy-deployment-process.md
+ - name: Requirements for Deploying AppLocker Policies
+ href: applocker\requirements-for-deploying-applocker-policies.md
+ - name: Use Software Restriction Policies and AppLocker policies
+ href: applocker\using-software-restriction-policies-and-applocker-policies.md
+ - name: Create Your AppLocker policies
+ href: applocker\create-your-applocker-policies.md
+ items:
+ - name: Create Your AppLocker rules
+ href: applocker\create-your-applocker-rules.md
+ - name: Deploy the AppLocker policy into production
+ href: applocker\deploy-the-applocker-policy-into-production.md
+ items:
+ - name: Use a reference device to create and maintain AppLocker policies
+ href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
+ items:
+ - name: Determine which apps are digitally signed on a reference device
+ href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
+ - name: Configure the AppLocker reference device
+ href: applocker\configure-the-appLocker-reference-device.md
+ - name: AppLocker technical reference
+ href: applocker\applocker-technical-reference.md
+ items:
+ - name: What Is AppLocker?
+ href: applocker\what-is-applocker.md
+ - name: Requirements to use AppLocker
+ href: applocker\requirements-to-use-applocker.md
+ - name: AppLocker policy use scenarios
+ href: applocker\applocker-policy-use-scenarios.md
+ - name: How AppLocker works
+ href: applocker\how-applocker-works-techref.md
+ items:
+ - name: Understanding AppLocker rule behavior
+ href: applocker\understanding-applocker-rule-behavior.md
+ - name: Understanding AppLocker rule exceptions
+ href: applocker\understanding-applocker-rule-exceptions.md
+ - name: Understanding AppLocker rule collections
+ href: applocker\understanding-applocker-rule-collections.md
+ - name: Understanding AppLocker allow and deny actions on rules
+ href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
+ - name: Understanding AppLocker rule condition types
+ href: applocker\understanding-applocker-rule-condition-types.md
+ items:
+ - name: Understanding the publisher rule condition in AppLocker
+ href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
+ - name: Understanding the path rule condition in AppLocker
+ href: applocker\understanding-the-path-rule-condition-in-applocker.md
+ - name: Understanding the file hash rule condition in AppLocker
+ href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
+ - name: Understanding AppLocker default rules
+ href: applocker\understanding-applocker-default-rules.md
+ items:
+ - name: Executable rules in AppLocker
+ href: applocker\executable-rules-in-applocker.md
+ - name: Windows Installer rules in AppLocker
+ href: applocker\windows-installer-rules-in-applocker.md
+ - name: Script rules in AppLocker
+ href: applocker\script-rules-in-applocker.md
+ - name: DLL rules in AppLocker
+ href: applocker\dll-rules-in-applocker.md
+ - name: Packaged apps and packaged app installer rules in AppLocker
+ href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
+ - name: AppLocker architecture and components
+ href: applocker\applocker-architecture-and-components.md
+ - name: AppLocker processes and interactions
+ href: applocker\applocker-processes-and-interactions.md
+ - name: AppLocker functions
+ href: applocker\applocker-functions.md
+ - name: Security considerations for AppLocker
+ href: applocker\security-considerations-for-applocker.md
+ - name: Tools to Use with AppLocker
+ href: applocker\tools-to-use-with-applocker.md
+ items:
+ - name: Using Event Viewer with AppLocker
+ href: applocker\using-event-viewer-with-applocker.md
+ - name: AppLocker Settings
+ href: applocker\applocker-settings.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 2d13639669..baee8a7e94 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -118,9 +118,6 @@ Alice follows these steps to complete this task:
7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
- > [!NOTE]
- > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
-
```powershell
[xml]$LamnaPolicyXML = Get-Content $LamnaPolicy
$PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index 2ef75b15be..e0d19fe8da 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -13,9 +13,9 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
-ms.author: dansimp
-manager: dansimp
-ms.date: 11/15/2019
+ms.author: vinpa
+manager: aaroncz
+ms.date: 08/10/2022
ms.technology: windows-sec
---
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -58,82 +58,103 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (third-party kernel drivers)
- Windows Store signed apps
-2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function.
-3. **Allow Managed Installer** (Configuration Manager configured as a managed installer)
-4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
-5. **Admin-only path rules** for the following locations:
+1. **"MEMCM works”** rules that include:
+ - Signer and hash rules for Configuration Manager components to properly function.
+ - **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
+
+1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
+
+1. **Signed apps** using a certificate issued by a Windows Trusted Root Program certificate authority
+
+1. **Admin-only path rules** for the following locations:
- C:\Program Files\*
- C:\Program Files (x86)\*
- %windir%\*
## Create a custom base policy using an example WDAC base policy
-Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs.
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs.
Alice follows these steps to complete this task:
-> [!NOTE]
-> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
-
-1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
-
-2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
-
- ```powershell
- $PolicyName= "Lamna_LightlyManagedClients_Audit"
- $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
- $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
- ```
-
-3. Copy the policy created by Configuration Manager to the desktop:
-
- ```powershell
- cp $MEMCMPolicy $LamnaPolicy
- ```
-
-4. Give the new policy a unique ID, descriptive name, and initial version number:
-
- ```powershell
- Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
- Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
- ```
-
-5. Modify the copied policy to set policy rules:
-
- ```powershell
- Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
- Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
- Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
- Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
- Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
- Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
- Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
- Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
- Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
- ```
-
-6. Add rules to allow the Windows and Program Files directories:
-
- ```powershell
- $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
- $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
- $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
- Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
- ```
-
-7. If appropriate, add more signer or file rules to further customize the policy for your organization.
-
-8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
> [!NOTE]
- > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
+ > If you prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md), substitute the example policy path with your preferred base policy in this step.
- ```powershell
- $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
- ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
- ```
+ ```powershell
+ $PolicyPath = $env:userprofile+"\Desktop\"
+ $PolicyName= "Lamna_LightlyManagedClients_Audit"
+ $LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
+ $ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
+ ```
-9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/), or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+1. Copy the example policy to the desktop:
+
+ ```powershell
+ Copy-Item $ExamplePolicy $LamnaPolicy
+ ```
+
+1. Modify the policy to remove unsupported rule:
+
+ > [!NOTE]
+ > `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
+
+ ```powershell
+ [xml]$xml = Get-Content $LamnaPolicy
+ $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
+ $ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI)
+ $node = $xml.SelectSingleNode("//ns:Rules/ns:Rule[ns:Option[.='Enabled:Conditional Windows Lockdown Policy']]", $ns)
+ $node.ParentNode.RemoveChild($node)
+ $xml.Save($LamnaPolicy)
+ ```
+
+1. Give the new policy a unique ID, descriptive name, and initial version number:
+
+ ```powershell
+ Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
+ Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
+ ```
+
+1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy.
+
+ > [!NOTE]
+ > If you do not use Configuration Manager, skip this step.
+
+ ```powershell
+ $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy
+ Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
+ ```
+
+1. Modify the policy to set additional policy rules:
+
+ ```powershell
+ Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
+ Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
+ Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
+ ```
+
+1. Add rules to allow the Windows and Program Files directories:
+
+ ```powershell
+ $PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
+ $PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
+ Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
+ ```
+
+1. If appropriate, add more signer or file rules to further customize the policy for your organization.
+
+1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
+
+ ```powershell
+ [xml]$policyXML = Get-Content $LamnaPolicy
+ $WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
+ ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
+ ```
+
+1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
@@ -141,44 +162,69 @@ At this point, Alice now has an initial policy that is ready to deploy in audit
In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
-- **Users with administrative access**
- This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+- **Users with administrative access**
+
+ This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+ Possible mitigations:
- Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
-- **Unsigned policies**
- Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
- Possible mitigations:
+- **Unsigned policies**
+
+ Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+ Possible mitigations:
+
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device.
-- **Managed installer**
- See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
- Possible mitigations:
+- **Managed installer**
+
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
+
+ Possible mitigations:
+
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Limit who can elevate to administrator on the device.
-- **Intelligent Security Graph (ISG)**
- See [security considerations with the Intelligent Security Graph](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#security-considerations-with-the-isg-option)
- Possible mitigations:
+- **Intelligent Security Graph (ISG)**
+
+ See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-isg-option)
+
+ Possible mitigations:
+
- Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **Supplemental policies**
- Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
- Possible mitigations:
+- **Supplemental policies**
+
+ Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+ Possible mitigations:
+
- Use signed WDAC policies that allow authorized signed supplemental policies only.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **FilePath rules**
- See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
- Possible mitigations:
+- **FilePath rules**
+
+ See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
+
+ Possible mitigations:
+
- Limit who can elevate to administrator on the device.
- Migrate from filepath rules to managed installer or signature-based rules.
+- **Signed files**
+
+ Although files that are code-signed verify the author's identity and ensures that the code has not been altered by anyone other than the author, it does not guarantee that the signed code is safe.
+
+ Possible mitigations:
+
+ - Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats.
+
## Up next
- [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 601db3b421..cd504ed4ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -15,7 +15,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
-ms.date: 11/15/2019
+ms.date: 08/05/2022
ms.technology: windows-sec
---
@@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -39,7 +39,8 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
-| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
+| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
+| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
index b39d1f45b2..5dd1e3fd49 100644
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -9,7 +9,7 @@ metadata:
# ms.subservice: Application-Control
# ms.topic: landing-page
# author: Kim Klein
-# ms.author: Jordan Geurten
+# ms.author: Jordan Geurten
# manager: Jeffrey Sutherland
# ms.update: 04/30/2021
# linkListType: overview | how-to-guide | tutorial | video
@@ -21,13 +21,15 @@ landingContent:
linkLists:
- linkListType: overview
links:
+ - text: What is Application Control?
+ url: windows-defender-application-control.md
- text: What is Windows Defender Application Control (WDAC)?
url: wdac-and-applocker-overview.md
- text: What is AppLocker?
url: applocker\applocker-overview.md
- text: WDAC and AppLocker feature availability
- url: feature-availability.md
- # Card
+ url: feature-availability.md
+ # Card
- title: Learn about Policy Design
linkLists:
- linkListType: overview
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 0a280940df..80be7ef669 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -6,7 +6,7 @@ ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jgeurten
ms.author: vinpa
manager: aaroncz
ms.date: 09/29/2021
@@ -17,14 +17,14 @@ ms.topic: reference
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
+Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control:
@@ -62,6 +62,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
+- webclnt.dll/davsvc.dll
- wfc.exe
- windbg.exe
- wmic.exe
@@ -82,23 +83,21 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|---|---|
| `Alex Ionescu` | `@aionescu`|
| `Brock Mammen`| |
-| `Casey Smith` | `@subTee` |
+| `Casey Smith` | `@subTee` |
| `James Forshaw` | `@tiraniddo` |
| `Jimmy Bayne` | `@bohops` |
| `Kim Oppalfens` | `@thewmiguy` |
| `Lasse Trolle Borup` | `Langkjaer Cyber Defence` |
| `Lee Christensen` | `@tifkin_` |
-| `Matt Graeber` | `@mattifestation` |
-| `Matt Nelson` | `@enigma0x3` |
+| `Matt Graeber` | `@mattifestation` |
+| `Matt Nelson` | `@enigma0x3` |
| `Oddvar Moe` | `@Oddvarmoe` |
| `Philip Tsukerman` | `@PhilipTsukerman` |
| `Vladas Bulavas` | `Kaspersky Lab` |
| `William Easton` | `@Strawgate` |
-
-
-> [!Note]
-> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+> [!NOTE]
+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions.
@@ -114,10 +113,14 @@ Microsoft recommends that you block the following Microsoft-signed applications
Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
+
+Expand this section to see the WDAC policy XML
+
```xml
-> [!Note]
+
+Expand this section to see the blocklist WDAC policy XML
+
```xml
+
NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
-| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
+| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| No |
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.
NOTE: This option is only supported on Windows 10, version 1709 and above.| No |
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.
NOTE: This option is only supported on Windows 10, version 1903 and above. | No |
@@ -88,12 +88,12 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions' hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
-| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
+| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
| **RootCertificate** | Currently unsupported. |
@@ -105,9 +105,17 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
> When you create Windows Defender Application Control policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
+>
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
+> [!NOTE]
+> When applicable, minimum and maximum version numbers in a file rule are referenced as MinimumFileVersion and MaximumFileVersion respectively in the policy XML.
+>
+> - Both MinimumFileVersion and MaximumFileVersion specified: For Allow rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are allowed. For Deny rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are denied.
+> - MinimumFileVersion specified without MaximumFileVersion: For Allow rules, file with version **greater than or equal** to the specified version are allowed to run. For Deny rules, file with version **less than or equal** to the specified version are blocked.
+> - MaximumFileVersion specified without MinimumFileVersion: For Allow rules, file with version **less than or equal** to the specified version are allowed to run. For Deny rules, file with version **greater than or equal** to the specified version are blocked.
+
## Example of file rule levels in use
For example, consider an IT professional in a department that runs many servers. They only want to run software signed by the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
@@ -149,20 +157,20 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
## More information about hashes
-WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
-The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
+The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
During validation, CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
-In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
+In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn't result in a different hash than what was in the policy being used by CI.
### Why does scan create eight hash rules for certain XML files?
-Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can’t always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
+Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can't always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
## Windows Defender Application Control filename rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index a552764722..012e954059 100644
--- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -46,15 +46,33 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
- **Windows Defender Application Control (WDAC)**; and
- **AppLocker**
-## In this section
+## WDAC and Smart App Control
-| Article | Description |
-| --- | --- |
-| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
-| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
+
+Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925) for the change to take effect.
+
+| Value | Description |
+|-------|-------------|
+| 0 | Off |
+| 1 | Enforce |
+| 2 | Evaluation |
+
+> [!IMPORTANT]
+> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
+
+### Smart App Control Enforced Blocks
+
+Smart App Control enforces the [Microsoft Recommended Driver Block rules](microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
+
+- Infdefaultinstall.exe
+- Microsoft.Build.dll
+- Microsoft.Build.Framework.dll
+- Wslhost.dll
## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
-- [AppLocker overview](applocker/applocker-overview.md)
\ No newline at end of file
+- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
+- [AppLocker overview](applocker/applocker-overview.md)
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index 5e0c376121..8963229d82 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -54,7 +54,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
| ---- | ----- | --------------------- | -------------- |
-| Windows 11 | [Windows 11](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772)
| October 2021
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| December 2021
May 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 1a2434ffeb..92875c810d 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -25,14 +25,15 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 11 security baseline
-
+ - Windows 11, version 22H2
+ - Windows 11, version 21H2
- Windows 10 security baselines
- - Windows 10 Version 21H2
- - Windows 10 Version 21H1
- - Windows 10 Version 20H2
- - Windows 10 Version 1809
- - Windows 10 Version 1607
- - Windows 10 Version 1507
+ - Windows 10, version 21H2
+ - Windows 10, version 21H1
+ - Windows 10, version 20H2
+ - Windows 10, version 1809
+ - Windows 10, version 1607
+ - Windows 10, version 1507
- Windows Server security baselines
- Windows Server 2022
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index dc42004f13..6a59ce9b38 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -11,6 +11,8 @@
href: windows-11-plan.md
- name: Prepare for Windows 11
href: windows-11-prepare.md
+ - name: What's new in Windows 11, version 22H2
+ href: whats-new-windows-11-version-22h2.md
- name: Windows 10
expanded: true
items:
diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png b/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png
new file mode 100644
index 0000000000..a68a8d0888
Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png differ
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index d71d316113..f915846669 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -362,7 +362,7 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
### Privacy
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 159845ee44..1067c47c88 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -155,7 +155,7 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
### Privacy
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
new file mode 100644
index 0000000000..0af8ec6113
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -0,0 +1,120 @@
+---
+title: What's new in Windows 11, version 22H2 for IT pros
+description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
+manager: dougeby
+ms.prod: w10
+ms.author: mstewart
+author: mestew
+ms.localizationpriority: medium
+ms.topic: article
+ms.collection: highpri
+ms.custom: intro-overview
+---
+
+# What's new in Windows 11, version 22H2
+
+**Applies to**: Windows 11, version 22H2
+
+Windows 11, version 22H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 21H2, the original Windows 11 release version. This article lists the new and updated features IT Pros should know.
+
+Windows 11, version 22H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
+
+- **Windows 11 Pro**: Serviced for 24 months from the release date.
+- **Windows 11 Enterprise**: Serviced for 36 months from the release date.
+
+Windows 11, version 22H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 22H2 update](https://aka.ms/W11/how-to-get-22H2). Review the [Windows 11, version 22H2 Windows IT Pro blog post](https://aka.ms/new-in-22H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
+
+
+To learn more about the status of the update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
+
+## Microsoft Pluton
+
+Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
+
+For more information, see [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor).
+
+## Enhanced Phishing Protection
+
+**Enhanced Phishing Protection** in **Microsoft Defender SmartScreen** helps protect Microsoft school or work passwords against phishing and unsafe usage on websites and in applications. Enhanced Phishing Protection works alongside Windows security protections to help protect Windows 11 work or school sign-in passwords.
+
+For more information, see [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) and [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog.
+
+## Smart App Control
+
+**Smart App Control** adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. **Smart App Control** also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
+
+For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control).
+
+## Credential Guard
+
+Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
+
+For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
+
+## Malicious and vulnerable driver blocking
+
+The vulnerable driver blocklist is automatically enabled on devices for the following two new conditions:
+- When Smart App Control is enabled
+- For clean installs of Windows
+
+For more information, see [recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules#microsoft-vulnerable-driver-blocklist).
+
+## Security hardening and threat protection
+
+Windows 11, version 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
+
+For more information, see [Configuring Additional LSA Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json).
+
+## Personal Data Encryption
+
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+
+For more information, see [Personal Data Encryption](/windows/security/information-protection/personal-data-encryption/overview-pde).
+
+## WebAuthn APIs support ECC
+
+Elliptic-curve cryptography (ECC) is now supported by WebAuthn APIs for Windows 11, version 22H2 clients.
+
+For more information, see [WebAuthn APIs for passwordless authentication on Windows](/windows/security/identity-protection/hello-for-business/webauthn-apis).
+
+## Stickers for Windows 11 SE, version 22H2
+
+Starting in Windows 11 SE, version 22H2, **Stickers** is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
+
+For more information, see [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers).
+
+## Education themes
+
+Starting in Windows 11, version 22H2, you can deploy education themes to your devices. The education themes are designed for students using devices in a school. Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings. Students can choose their own themes, making it feel the device is their own.
+
+For more information, see [Configure education themes for Windows 11](/education/windows/edu-themes).
+
+## Windows Update notifications
+
+
+The following items were added for Windows Update notifications:
+
+- You can now block user notifications for Windows Updates during active hours. This setting is especially useful for educational organizations that want to prevent Windows Update notifications from occurring during class time. For more information, see [Control restart notifications](/windows/deployment/update/waas-restart#control-restart-notifications).
+
+- The organization name now appears in the Windows Update notifications when Windows clients are associated with an Azure Active Directory tenant. For more information, see [Display organization name in Windows Update notifications](/windows/deployment/update/waas-wu-settings#bkmk_display-name).
+
+## Start menu layout
+
+Windows 11, version 22H2 now supports additional CSPs for customizing the start menu layout. These CSPs allow you to hide the app list and disable context menus.
+
+For more information, see [Supported configuration service provider (CSP) policies for Windows 11 Start menu](/windows/configuration/supported-csp-start-menu-layout-windows#existing-windows-csp-policies-that-windows-11-supports).
+
+## Improvements to task manager
+
+- A new command bar was added to each page to give access to common actions
+- Task Manager will automatically match the system wide theme configured in **Windows Settings**
+- Added an efficiency mode that allows you to limit the resource usage of a process
+- Updated the user experience for Task Manager
+
+## Windows accessibility
+
+Windows 11, version 22H2, includes additional improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
+
+For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros).
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index ec5cd6f23f..19c319c011 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -2,12 +2,14 @@
title: Windows 11 overview for administrators
description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+author: mestew
+ms.author: mstewart
+ms.prod: windows-client
+ms.date: 09/20/2022
+ms.technology: itpro-fundamentals
ms.localizationpriority: medium
-ms.topic: article
+ms.topic: overview
ms.collection: highpri
ms.custom: intro-overview
---
@@ -100,6 +102,12 @@ For more information on the security features you can configure, manage, and enf
You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu).
+ Starting in Windows 11, version 22H2, you can also activate snap layouts by dragging a window to the top of the screen. The feature is available for both mouse and touch.
+
+ :::image type="content" source="images/windows-11-whats-new/windows-11-22h2-snap-layouts.png" alt-text="In Windows 11, version 22H2, activate snap layouts by dragging a window to the top of the screen.":::
+
+ For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241).
+
- **Start menu**: The Start menu includes some apps that are pinned by default. You can customize the Start menu layout by pinning (and unpinning) the apps you want. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more.
Using policy, you can deploy your customized Start menu layout to devices in your organization. For more information, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11).