diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 723d827b23..49135c37f0 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -6538,7 +6538,7 @@
 {
 "source_path": "windows/access-protection/access-control/dynamic-access-control.md",
 "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/access-protection/access-control/local-accounts.md",
@@ -6635,6 +6635,86 @@
 "redirect_url": "/education/windows/switch-to-pro-education",
 "redirect_document_id": false
 },
+ {
+ "source_path": "windows/client-management/administrative-tools-in-windows-10.md",
+ "redirect_url": "/windows/client-management/client-tools/administrative-tools-in-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/change-default-removal-policy-external-storage-media.md",
+ "redirect_url": "/windows/client-management/client-tools/change-default-removal-policy-external-storage-media",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/connect-to-remote-aadj-pc.md",
+ "redirect_url": "/windows/client-management/client-tools/connect-to-remote-aadj-pc",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/group-policies-for-enterprise-and-education-editions.md",
+ "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-device-installation-with-group-policy.md",
+ "redirect_url": "/windows/client-management/client-tools/manage-device-installation-with-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-settings-app-with-group-policy.md",
+ "redirect_url": "/windows/client-management/client-tools/manage-settings-app-with-group-policy",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/mandatory-user-profile.md",
+ "redirect_url": "/windows/client-management/client-tools/mandatory-user-profile",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/new-policies-for-windows-10.md",
+ "redirect_url": "https://www.microsoft.com/en-us/search/explore?q=Group+Policy+Settings+Reference+Spreadsheet",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/quick-assist.md",
+ "redirect_url": "/windows/client-management/client-tools/quick-assist",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/windows-libraries.md",
+ "redirect_url": "/windows/client-management/client-tools/windows-libraries",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/windows-version-search.md",
+ "redirect_url": "/windows/client-management/client-tools/windows-version-search",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/manage-corporate-devices.md",
+ "redirect_url": "/windows/client-management/manage-windows-10-in-your-organization-modern-management",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md",
+ "redirect_url": "/azure/active-directory/fundamentals/active-directory-access-create-new-tenant",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/register-your-free-azure-active-directory-subscription.md",
+ "redirect_url": "/microsoft-365/compliance/use-your-free-azure-ad-subscription-in-office-365",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/appv-deploy-and-config.md",
+ "redirect_url": "/windows/application-management/app-v/appv-for-windows",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/client-management/diagnose-mdm-failures-in-windows-10.md",
+ "redirect_url": "/windows/client-management/mdm-collect-logs",
+ "redirect_document_id": false
+ },
 {
 "source_path": "windows/client-management/mdm/policy-admx-backed.md",
 "redirect_url": "/windows/client-management/mdm/policy-configuration-service-provider",
@@ -19313,22 +19393,22 @@
 {
 "source_path": "windows/deployment/update/change-history-for-update-windows-10.md",
 "redirect_url": "/windows/deployment/deploy-whats-new",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/policy-csp-admx-windowsanytimeupgrade.md",
 "redirect_url": "/windows/client-management/mdm/policy-csp-admx-wordwheel",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/policy-csp-admx-windowsfileprotection.md",
 "redirect_url": "/windows/client-management/mdm/policy-csp-admx-mobilepcpresentationsettings",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/policy-csp-admx-skydrive.md",
 "redirect_url": "/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md",
@@ -19338,7 +19418,7 @@
 {
 "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md",
 "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md",
@@ -19348,7 +19428,7 @@
 {
 "source_path": "windows/privacy/manage-windows-1709-endpoints.md",
 "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/privacy/manage-windows-1803-endpoints.md",
@@ -19772,7 +19852,7 @@
 },
 {
 "source_path": "windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md",
- "redirect_url": "/windows/client-management/diagnose-mdm-failures-in-windows-10",
+ "redirect_url": "/windows/client-management/mdm-collect-logs",
 "redirect_document_id": false
 },
 {
@@ -20343,27 +20423,27 @@
 {
 "source_path": "windows/deployment/windows-autopatch/prepare/index.md",
 "redirect_url": "/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/deploy/index.md",
 "redirect_url": "/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/index.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md",
 "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-preview-addendum.md",
 "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md",
@@ -20378,7 +20458,7 @@
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md",
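Review bot: The entry for windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md still sends readers to `/windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies`, yet the hunk starting at -20533 redirects that very page (references/windows-autopatch-wqu-unsupported-policies.md) on to `/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies`. Unless the redirection pipeline collapses chains, that is a two-hop redirect; since this entry is being touched anyway to flip redirect_document_id, its target could be pointed at the final page: `"redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",`.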
@@ -20428,12 +20508,12 @@
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md",
@@ -20463,17 +20543,17 @@
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-provision",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md",
 "redirect_url": "/windows/configuration/provisioning-packages/provision-pcs-with-apps",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/configuration/cortana-at-work/cortana-at-work-crm.md",
@@ -20493,7 +20573,7 @@
 {
 "source_path": "windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md",
 "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard-protection-limits",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md",
@@ -20518,7 +20598,7 @@
 {
 "source_path": "windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md",
 "redirect_url": "/windows/security/identity-protection/hello-for-business/hello-faq",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md",
@@ -20533,92 +20613,92 @@
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md",
 "redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md",
 "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/policy-ddf-file.md",
 "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/applocker-xsd.md",
 "redirect_url": "/windows/client-management/mdm/applocker-csp#policy-xsd-schema",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/vpnv2-profile-xsd.md",
 "redirect_url": "/windows/client-management/mdm/vpnv2-csp#profilexml-xsd-schema",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md",
 "redirect_url": "/windows/client-management/mdm/enterprisedesktopappmanagement-csp#downloadinstall-xsd-schema",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "windows/client-management/mdm/enterprisemodernappmanagement-xsd.md",
 "redirect_url": "/windows/client-management/mdm/enterprisemodernappmanagement-csp#enterprisemodernappmanagement-xsd",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "education/windows/education-scenarios-store-for-business.md",
@@ -20638,11 +20718,6 @@
 {
 "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md",
 "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard",
- "redirect_document_id": true
- },
- {
- "source_path": "windows/security/information-protection/tpm/change-the-tpm-owner-password.md",
- "redirect_url": "/windows/security",
 "redirect_document_id": false
 },
 {
@@ -20660,16 +20735,6 @@
 "redirect_url": "/windows/security",
 "redirect_document_id": false
 },
- {
- "source_path": "windows/security/information-protection/tpm/manage-tpm-commands.md",
- "redirect_url": "/windows/security",
- "redirect_document_id": false
- },
- {
- "source_path": "windows/security/information-protection/tpm/manage-tpm-lockout.md",
- "redirect_url": "/windows/security",
- "redirect_document_id": false
- },
 {
 "source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md",
 "redirect_url": "/windows/security",
@@ -20734,11 +20799,11 @@
 "source_path": "windows/deployment/update/quality-updates.md",
 "redirect_url": "/windows/deployment/update/release-cycle",
 "redirect_document_id": false
- },
+ },
 {
 "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md",
 "redirect_url": "/windows/deployment/windows-autopatch/overview/windows-autopatch-privacy",
- "redirect_document_id": true
+ "redirect_document_id": false
 },
 {
 "source_path": "store-for-business/sign-up-microsoft-store-for-business.md",
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index 2205218007..a11a957513 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -56,7 +56,8 @@
 "claydetels19",
 "jborsecnik",
 "tiburd",
- "garycentric"
+ "garycentric",
+ "beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index ed0fa381c5..ef83e85701 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -47,7 +47,8 @@
 "claydetels19",
 "jborsecnik",
 "tiburd",
- "garycentric"
+ "garycentric",
+ "beccarobins"
 ]
 },
 "externalReference": [],
diff --git a/education/docfx.json b/education/docfx.json
index 9297b1ed0d..e799728331 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -64,7 +64,8 @@ "dstrome", "v-dihans", "garycentric", - "v-stsavell" + "v-stsavell", + "beccarobins" ] }, "fileMetadata": { @@ -81,4 +82,4 @@ "dest": "education", "markdownEngineName": "markdig" } -} \ No newline at end of file +} diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 195a92eff6..665fb1ee2c 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,6 +2,14 @@ +## Week of April 10, 2023 + + +| Published On |Topic title | Change | +|------|------------|--------| +| 4/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified | + + ## Week of March 20, 2023 
@@ -15,41 +23,3 @@ | 3/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | | 3/22/2023 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | | 3/22/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | - - -## Week of March 06, 2023 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 3/8/2023 | Change to Windows 10 Education from Windows 10 Pro | removed | -| 3/8/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | -| 3/8/2023 | Enable S mode on Surface Go devices for Education | removed | -| 3/8/2023 | Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode | removed | -| 3/8/2023 | Test Windows 10 in S mode on existing Windows 10 education devices | removed | -| 3/9/2023 | [Windows for Education documentation](/education/windows/index) | modified | - - -## Week of February 27, 2023 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 2/28/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | modified | -| 2/28/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified | - - -## Week of February 20, 2023 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 2/22/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified | -| 2/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | -| 2/22/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified | -| 
2/22/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified | -| 2/22/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified | -| 2/23/2023 | Education scenarios Microsoft Store for Education | removed | -| 2/23/2023 | [Get and deploy Minecraft Education](/education/windows/get-minecraft-for-education) | modified | -| 2/23/2023 | For IT administrators get Minecraft Education Edition | removed | -| 2/23/2023 | For teachers get Minecraft Education Edition | removed | diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md index b6d4229e8f..087db4abca 100644 --- a/education/windows/configure-aad-google-trust.md +++ b/education/windows/configure-aad-google-trust.md @@ -1,7 +1,7 @@ --- title: Configure federation between Google Workspace and Azure AD description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD. -ms.date: 02/24/2023 +ms.date: 04/04/2023 ms.topic: how-to appliesto: --- 
@@ -69,54 +69,60 @@ Now that the app is configured, you must enable it for the users in Google Works ## Configure Azure AD as a Service Provider (SP) for Google Workspace The configuration of Azure AD consists of changing the authentication method for the custom DNS domains. This configuration can be done using PowerShell.\ -Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in an elevated PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role. +Using the **IdP metadata** XML file downloaded from Google Workspace, modify the *$DomainName* variable of the following script to match your environment, and then run it in a PowerShell session. When prompted to authenticate to Azure AD, use the credentials of an account with the *Global Administrator* role. ```powershell -Install-Module -Name MSOnline -Import-Module MSOnline +Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force +Install-Module Microsoft.Graph -Scope CurrentUser +Import-Module Microsoft.Graph -$DomainName = "" +$domainId = "" $xml = [Xml](Get-Content GoogleIDPMetadata.xml) $cert = -join $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor.KeyInfo.X509Data.X509Certificate.Split() $issuerUri = $xml.EntityDescriptor.entityID -$logOnUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? 
{ $_.Binding.Contains('Redirect') } | % { $_.Location } -$LogOffUri = "https://accounts.google.com/logout" -$brand = "Google Workspace Identity" -Connect-MsolService -$DomainAuthParams = @{ - DomainName = $DomainName - Authentication = "Federated" - IssuerUri = $issuerUri - FederationBrandName = $brand - ActiveLogOnUri = $logOnUri - PassiveLogOnUri = $logOnUri - LogOffUri = $LogOffUri - SigningCertificate = $cert - PreferredAuthenticationProtocol = "SAMLP" +$signinUri = $xml.EntityDescriptor.IDPSSODescriptor.SingleSignOnService | ? { $_.Binding.Contains('Redirect') } | % { $_.Location } +$signoutUri = "https://accounts.google.com/logout" +$displayName = "Google Workspace Identity" +Connect-MGGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All" + +$domainAuthParams = @{ + DomainId = $domainId + IssuerUri = $issuerUri + DisplayName = $displayName + ActiveSignInUri = $signinUri + PassiveSignInUri = $signinUri + SignOutUri = $signoutUri + SigningCertificate = $cert + PreferredAuthenticationProtocol = "saml" + federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp" } -Set-MsolDomainAuthentication @DomainAuthParams + +New-MgDomainFederationConfiguration @domainAuthParams ``` To verify that the configuration is correct, you can use the following PowerShell command: ```powershell -Get-MsolDomainFederationSettings -DomainName $DomainName +Get-MgDomainFederationConfiguration -DomainId $domainId |fl ``` ```output -ActiveLogOnUri : https://accounts.google.com/o/saml2/idp? 
-DefaultInteractiveAuthenticationMethod : -FederationBrandName : Google Workspace Identity -IssuerUri : https://accounts.google.com/o/saml2?idpid= -LogOffUri : https://accounts.google.com/logout -MetadataExchangeUri : -NextSigningCertificate : -OpenIdConnectDiscoveryEndpoint : -PassiveLogOnUri : https://accounts.google.com/o/saml2/idp?idpid= -SigningCertificate : -SupportsMfa : +ActiveSignInUri : https://accounts.google.com/o/saml2/idp?idpid= +DisplayName : Google Workspace Identity +FederatedIdpMfaBehavior : acceptIfMfaDoneByFederatedIdp +Id : 3f600dce-ab37-4798-9341-ffd34b147f70 +IsSignedAuthenticationRequestRequired : +IssuerUri : https://accounts.google.com/o/saml2?idpid= +MetadataExchangeUri : +NextSigningCertificate : +PassiveSignInUri : https://accounts.google.com/o/saml2/idp?idpid= +PreferredAuthenticationProtocol : saml +PromptLoginBehavior : +SignOutUri : https://accounts.google.com/logout +SigningCertificate : +AdditionalProperties : {} ``` ## Verify federated authentication between Google Workspace and Azure AD diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 28ba477eec..326c71ca59 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -1,7 +1,7 @@ --- title: Configure federated sign-in for Windows devices description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages. -ms.date: 03/15/2023 +ms.date: 04/11/2023 ms.topic: how-to appliesto: - ✅ Windows 11 
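Review bot: The rewritten instruction line still tells the reader to "modify the *$DomainName* variable of the following script", but the new script no longer defines `$DomainName` — the variable is now `$domainId` — so the sentence should read `modify the *$domainId* variable of the following script`. The added `Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force` persistently relaxes the policy for the admin's profile as a side effect of a one-off federation setup; `-Scope Process` is enough to run the sample and does not outlive the session (the same line is added in the federated-sign-in.md hunk below). `federatedIdpMfaBehavior = "acceptIfMfaDoneByFederatedIdp"` is new and, judging by its name, makes Azure AD honour an MFA claim asserted by the Google IdP instead of enforcing its own, yet neither the prose nor a comment mentions it; a short comment above that line (for example `# Trust MFA performed by Google Workspace; remove this line if Azure AD should always enforce its own MFA`) would let readers make that choice deliberately. It is also worth confirming that `Directory.AccessAsUser.All` is actually needed by `New-MgDomainFederationConfiguration`; if `Domain.ReadWrite.All` alone suffices, the broader scope should be dropped. Minor: `Connect-MGGraph` works because PowerShell is case-insensitive, but the other hunk in this commit spells it `Connect-MgGraph`, and matching that casing avoids confusion.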
@@ -146,11 +146,16 @@ In a scenario where a user is federated and you want to change the ImmutableId, Here's a PowerShell example to update the ImmutableId for a federated user: ```powershell +Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force +Install-Module Microsoft.Graph -Scope CurrentUser +Import-Module Microsoft.Graph +Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All' + #1. Convert the user from federated to cloud-only -Get-AzureADUser -SearchString alton@example.com | Set-AzureADUser -UserPrincipalName alton@example.onmicrosoft.com +Update-MgUser -UserId alton@example.com -UserPrincipalName alton@example.onmicrosoft.com #2. Convert the user back to federated, while setting the immutableId -Get-AzureADUser -SearchString alton@example.onmicrosoft.com | Set-AzureADUser -UserPrincipalName alton@example.com -ImmutableId '260051' +Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@example.com -OnPremisesImmutableId '260051' ``` ## Troubleshooting diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index f9adaaae34..44eea6b076 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -96,6 +96,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | | `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` | | `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` | +| `DigiExam` | 14.0.6 | Win32 | `Digiexam` | | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | | `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` | | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | 
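Review bot: `Connect-MgGraph -Scopes 'User.Read.All', 'User.ReadWrite.All'` asks for a redundant permission — `User.ReadWrite.All` already grants the read access that `User.Read.All` covers — so the consent prompt can be narrowed to `Connect-MgGraph -Scopes 'User.ReadWrite.All'`. The two `Update-MgUser` lines change the UPN in step 1 and then set `-OnPremisesImmutableId` in step 2, so the sample relies on step 1 having completed before step 2 runs; a one-line comment saying that step 2 must be run only after step 1 succeeds would make the order explicit for readers who paste the lines separately.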
@@ -103,6 +104,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `EasyReader` | 10.0.3.481 | Win32 | `Dolphin Computer Access` | | `Epson iProjection` | 3.31 | Win32 | `Epson` | | `eTests` | 4.0.25 | Win32 | `CASAS` | +| `Exam Writepad` | 22.10.14.1834 | Win32 | `Sheldnet` | | `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` | | `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` | | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | @@ -126,7 +128,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` | | `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` | | `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` | -| `NAPLAN` | 2.5.0 | Win32 | `NAP` | +| `NAPLAN` | 5.2.2 | Win32 | `NAP` | | `Netref Student` | 23.1.0 | Win32 | `NetRef` | | `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` | | `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` | @@ -149,7 +151,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us |`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | -| `WordQ` | 5.4.23 | Win32 | `WordQ` | +| `WordQ` | 5.4.29 | Win32 | `WordQ` | | `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` | | `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` | | `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` | diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md index e4d5e9ef2e..82df7d4d32 100644 --- a/store-for-business/acquire-apps-microsoft-store-for-business.md +++ b/store-for-business/acquire-apps-microsoft-store-for-business.md 
@@ -16,7 +16,7 @@ ms.date: 07/21/2021 # Acquire apps in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). > [!IMPORTANT] > Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md). diff --git a/store-for-business/add-profile-to-devices.md b/store-for-business/add-profile-to-devices.md index d2cf5a3906..18af34875e 100644 --- a/store-for-business/add-profile-to-devices.md +++ b/store-for-business/add-profile-to-devices.md 
@@ -19,7 +19,7 @@ ms.localizationpriority: medium
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Windows Autopilot simplifies device set up for IT Admins. For an overview of benefits, scenarios, and prerequisites, see [Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-10-autopilot).
diff --git a/store-for-business/app-inventory-management-microsoft-store-for-business.md b/store-for-business/app-inventory-management-microsoft-store-for-business.md
index 926aa750f9..2d0ea132bc 100644
--- a/store-for-business/app-inventory-management-microsoft-store-for-business.md
+++ b/store-for-business/app-inventory-management-microsoft-store-for-business.md
@@ -3,12 +3,12 @@ title: App inventory management for Microsoft Store for Business and Microsoft S
 description: You can manage all apps that you've acquired on your Apps & Software page.
 ms.assetid: 44211937-801B-4B85-8810-9CA055CDB1B2
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.date: 07/21/2021
 ---
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can manage all apps that you've acquired on your **Apps & software** page. This page shows all of the content you've acquired, including apps that from Microsoft Store, and line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Apps & software** page. On the **New LOB apps** tab, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
 The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
diff --git a/store-for-business/apps-in-microsoft-store-for-business.md b/store-for-business/apps-in-microsoft-store-for-business.md
index 661d98861a..4fc8e74159 100644
--- a/store-for-business/apps-in-microsoft-store-for-business.md
+++ b/store-for-business/apps-in-microsoft-store-for-business.md
@@ -3,12 +3,12 @@ title: Apps in Microsoft Store for Business and Education (Windows 10)
 description: Microsoft Store for Business has thousands of apps from many different categories.
 ms.assetid: CC5641DA-3CEA-4950-AD81-1AF1AE876926
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Microsoft Store for Business and Education has thousands of apps from many different categories.
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index c296c8f37d..eda2a2947c 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -3,12 +3,12 @@ title: Assign apps to employees (Windows 10)
 description: Administrators can assign online-licensed apps to employees and students in their organization.
 ms.assetid: A0DF4EC2-BE33-41E1-8832-DBB0EBECA31A
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization.
diff --git a/store-for-business/billing-payments-overview.md b/store-for-business/billing-payments-overview.md
index 5205cbadba..20e16f502d 100644
--- a/store-for-business/billing-payments-overview.md
+++ b/store-for-business/billing-payments-overview.md
@@ -5,19 +5,19 @@ keywords: billing, payment methods, invoices, credit card, debit card
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer:
-manager: dansimp
 ---
 # Billing and payments
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Access invoices and managed your payment methods.
diff --git a/store-for-business/billing-profile.md b/store-for-business/billing-profile.md
index 82581997ea..4e3c7fe14e 100644
--- a/store-for-business/billing-profile.md
+++ b/store-for-business/billing-profile.md
@@ -5,19 +5,19 @@ keywords: billing profile, invoices, charges, managed charges
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: trudyha
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer:
-manager: dansimp
 ---
 # Understand billing profiles
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customize what products are included on your invoice, and how you pay your invoices.
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index e500732cc9..a791f8acf8 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -4,19 +4,19 @@ description: Learn how to read and understand your MCA bill
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: trudyha
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
 ms.reviewer:
-manager: dansimp
 ---
 # Understand your Microsoft Customer Agreement invoice
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The invoice provides a summary of your charges and provides instructions for payment.
 It's available for download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).
diff --git a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
index 190b9be3e6..5455d2c9bd 100644
--- a/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-microsoft-store-for-business.md
@@ -3,12 +3,12 @@ title: Configure an MDM provider (Windows 10)
 description: For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses.
 ms.assetid: B3A45C8C-A96C-4254-9659-A9B364784673
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Microsoft Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index b443e48e71..1e190dcb69 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -3,12 +3,12 @@ title: Distribute apps using your private store (Windows 10)
 description: The private store is a feature in Microsoft Store for Business and Microsoft Store for Education that organizations receive during the signup process.
 ms.assetid: C4644035-845C-4C84-87F0-D87EA8F5BA19
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 The private store is a feature in Microsoft Store for Business and Education that organizations receive during the signup process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Microsoft Store app, and is usually named for your company or organization. Only apps with online licenses can be added to the private store.
diff --git a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
index 7f88c7212e..8433314401 100644
--- a/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
+++ b/store-for-business/distribute-apps-to-your-employees-microsoft-store-for-business.md
@@ -3,12 +3,12 @@ title: Distribute apps to your employees from the Microsoft Store for Business a
 description: Distribute apps to your employees from Microsoft Store for Business or Microsoft Store for Education. You can assign apps to employees,or let employees install them from your private store.
 ms.assetid: E591497C-6DFA-49C1-8329-4670F2164E9E
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Distribute apps to your employees from Microsoft Store for Business and Microsoft Store for Education. You can assign apps to employees, or let employees install them from your private store.
diff --git a/store-for-business/distribute-apps-with-management-tool.md b/store-for-business/distribute-apps-with-management-tool.md
index 90e4939804..acc2c676ee 100644
--- a/store-for-business/distribute-apps-with-management-tool.md
+++ b/store-for-business/distribute-apps-with-management-tool.md
@@ -3,12 +3,12 @@ title: Distribute apps with a management tool (Windows 10)
 description: You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
 ms.assetid: 006F5FB1-E688-4769-BD9A-CFA6F5829016
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 You can configure a mobile device management (MDM) tool to synchronize your Microsoft Store for Business or Microsoft Store for Education inventory. Microsoft Store management tool services work with MDM tools to manage content.
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 765f0b39ce..2087832b3c 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -3,12 +3,12 @@ title: Distribute offline apps (Windows 10)
 description: Offline licensing is a new licensing option for Windows 10.
 ms.assetid: 6B9F6876-AA66-4EE4-A448-1371511AC95E
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 > Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education.
 This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index c0b85a8a1d..30a7c3e475 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -65,7 +65,8 @@
 "dstrome",
 "v-dihans",
 "garycentric",
-"v-stsavell"
+"v-stsavell",
+"beccarobins"
 ]
 },
 "fileMetadata": {},
diff --git a/store-for-business/find-and-acquire-apps-overview.md b/store-for-business/find-and-acquire-apps-overview.md
index ad4b5f621a..fddbd6d1a8 100644
--- a/store-for-business/find-and-acquire-apps-overview.md
+++ b/store-for-business/find-and-acquire-apps-overview.md
@@ -3,12 +3,12 @@ title: Find and acquire apps (Windows 10)
 description: Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
 ms.assetid: 274A5003-5F15-4635-BB8B-953953FD209A
 ms.reviewer:
-manager: dansimp
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
 - Windows 10
 > [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
 Use the Microsoft Store for Business and Education to find apps for your organization. You can also work with developers to create line-of-business apps that are only available to your organization.
diff --git a/store-for-business/index.md b/store-for-business/index.md
index 369336371c..ca868bf64c 100644
--- a/store-for-business/index.md
+++ b/store-for-business/index.md
@@ -20,7 +20,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Welcome to the Microsoft Store for Business and Education! You can use Microsoft Store to find, acquire, distribute, and manage apps for your organization or school.
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index 2b8c3e26f4..cbf743165b 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -3,12 +3,12 @@ title: Manage access to private store (Windows 10)
description: You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
ms.assetid: 4E00109C-2782-474D-98C0-02A05BE613A5
ms.reviewer:
-manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.date: 07/21/2021
---
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
diff --git a/store-for-business/manage-apps-microsoft-store-for-business-overview.md b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
index 706e1bc726..b8a4cd5717 100644
--- a/store-for-business/manage-apps-microsoft-store-for-business-overview.md
+++ b/store-for-business/manage-apps-microsoft-store-for-business-overview.md
@@ -3,12 +3,12 @@ title: Manage products and services in Microsoft Store for Business (Windows 10)
description: Manage apps, software, devices, products and services in Microsoft Store for Business.
ms.assetid: 2F65D4C3-B02C-41CC-92F0-5D9937228202
ms.reviewer:
-manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Manage products and services in Microsoft Store for Business and Microsoft Store for Education. This includes apps, software, products, devices, and services available under **Products & services**.
diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md
index dfc9b3d00d..39c2d0520f 100644
--- a/store-for-business/manage-orders-microsoft-store-for-business.md
+++ b/store-for-business/manage-orders-microsoft-store-for-business.md
@@ -4,19 +4,19 @@ description: You can view your order history with Microsoft Store for Business o
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
ms.reviewer:
-manager: dansimp
---
# Manage app orders in Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
After you've acquired apps, you can review order information and invoices on **Order history**. On this page, you can view invoices, and request refunds.
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index 218f2b5aac..9774d11faa 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -3,12 +3,12 @@ title: Manage private store settings (Windows 10)
description: The private store is a feature in the Microsoft Store for Business and Microsoft Store for Education that organizations receive during the sign up process.
ms.assetid: 2D501538-0C6E-4408-948A-2BF5B05F7A0C
ms.reviewer:
-manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.date: 07/21/2021
ms.localizationpriority: medium
@@ -21,7 +21,7 @@ ms.localizationpriority: medium
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
diff --git a/store-for-business/manage-settings-microsoft-store-for-business.md b/store-for-business/manage-settings-microsoft-store-for-business.md
index e3d9147262..2de4be35a0 100644
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@@ -3,12 +3,12 @@ title: Manage settings for Microsoft Store for Business and Microsoft Store for
description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895
ms.reviewer:
-manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
diff --git a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
index 36ec4938f9..37984bc540 100644
--- a/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
+++ b/store-for-business/manage-users-and-groups-microsoft-store-for-business.md
@@ -3,12 +3,12 @@ title: Manage user accounts in Microsoft Store for Business and Microsoft Store
description: Microsoft Store for Business and Microsoft Store for Education manages permissions with a set of roles. Currently, you can assign these roles to individuals in your organization, but not to groups.
ms.assetid: 5E7FA071-CABD-4ACA-8AAE-F549EFCE922F
ms.reviewer:
-manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md), but not to groups.
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index 3318a1ca0c..f0412f4df6 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -4,13 +4,13 @@ description: Preview version of PowerShell module
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
ms.reviewer:
-manager: dansimp
---
# Microsoft Store for Business and Education PowerShell module - preview
@@ -19,7 +19,7 @@ manager: dansimp
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education PowerShell module (preview) is now available on [PowerShell Gallery](https://go.microsoft.com/fwlink/?linkid=853459).
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index a7009160fa..9fcfcf5343 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/notifications-microsoft-store-business.md b/store-for-business/notifications-microsoft-store-business.md
index 264f2228e9..a24ce1c761 100644
--- a/store-for-business/notifications-microsoft-store-business.md
+++ b/store-for-business/notifications-microsoft-store-business.md
@@ -4,12 +4,12 @@ description: Notifications alert you to issues or outages with Microsoft Store f
keywords: notifications, alerts
ms.assetid:
ms.reviewer:
-manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
@@ -23,7 +23,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Microsoft Store for Education use a set of notifications to alert admins if there is an issue or outage with Microsoft Store.
diff --git a/store-for-business/payment-methods.md b/store-for-business/payment-methods.md
index b56a2ebe5e..385ad90405 100644
--- a/store-for-business/payment-methods.md
+++ b/store-for-business/payment-methods.md
@@ -5,19 +5,19 @@ keywords: payment method, credit card, debit card, add credit card, update payme
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: trudyha
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
ms.reviewer:
-manager: dansimp
---
# Payment methods
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
- VISA
diff --git a/store-for-business/prerequisites-microsoft-store-for-business.md b/store-for-business/prerequisites-microsoft-store-for-business.md
index 0dd6457beb..2590dfa2e5 100644
--- a/store-for-business/prerequisites-microsoft-store-for-business.md
+++ b/store-for-business/prerequisites-microsoft-store-for-business.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index e1fd90b393..73feb2d130 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -4,18 +4,18 @@ description: Know the release history of Microsoft Store for Business and Micros
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.date: 07/21/2021
ms.reviewer:
-manager: dansimp
---
# Microsoft Store for Business and Education release history
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
diff --git a/store-for-business/roles-and-permissions-microsoft-store-for-business.md b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
index 1ca0ec4692..946185e95a 100644
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@@ -22,7 +22,7 @@ ms.date: 07/21/2021
- Windows 10
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> [!IMPORTANT]
> Starting on April 14th, 2021, only free apps will be available in Microsoft Store for Business and Education. For more information, see [Microsoft Store for Business and Education](index.md).
diff --git a/store-for-business/settings-reference-microsoft-store-for-business.md b/store-for-business/settings-reference-microsoft-store-for-business.md
index f29dace9ef..ac0d610bae 100644
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@@ -3,12 +3,12 @@ title: Settings reference Microsoft Store for Business and Education (Windows 10
description: The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
ms.assetid: 34F7FA2B-B848-454B-AC00-ECA49D87B678
ms.reviewer:
-manager: dansimp
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
-author: TrudyHa
-ms.author: TrudyHa
+ms.author: cmcatee
+author: cmcatee-MSFT
+manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 07/21/2021
@@ -17,7 +17,7 @@ ms.date: 07/21/2021
# Settings reference: Microsoft Store for Business and Education
> [!IMPORTANT]
-> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
+> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
diff --git a/store-for-business/sign-up-microsoft-store-for-business-overview.md b/store-for-business/sign-up-microsoft-store-for-business-overview.md
index 4c4e855373..4f76aa0558 100644
--- a/store-for-business/sign-up-microsoft-store-for-business-overview.md
+++ b/store-for-business/sign-up-microsoft-store-for-business-overview.md
@@ -21,7 +21,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps. diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md index f9154689ca..aaca08aa79 100644 --- a/store-for-business/troubleshoot-microsoft-store-for-business.md +++ b/store-for-business/troubleshoot-microsoft-store-for-business.md 
@@ -3,12 +3,12 @@ title: Troubleshoot Microsoft Store for Business (Windows 10) description: Troubleshooting topics for Microsoft Store for Business. ms.assetid: 243755A3-9B20-4032-9A77-2207320A242A ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium ms.date: 07/21/2021 @@ -21,7 +21,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Troubleshooting topics for Microsoft Store for Business. 
diff --git a/store-for-business/update-microsoft-store-for-business-account-settings.md b/store-for-business/update-microsoft-store-for-business-account-settings.md index 78cd7532b8..f5df17e875 100644 --- a/store-for-business/update-microsoft-store-for-business-account-settings.md +++ b/store-for-business/update-microsoft-store-for-business-account-settings.md 
@@ -5,19 +5,18 @@ keywords: billing accounts, organization info ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium ms.date: 07/21/2021 -ms.reviewer: -manager: dansimp --- # Update Billing account settings > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). A billing account contains defining information about your organization. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index bc329afe4d..576ecfa0c1 100644 
--- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -4,18 +4,18 @@ description: Learn about newest features in Microsoft Store for Business and Mic ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.date: 07/21/2021 ms.reviewer: -manager: dansimp --- # What's new in Microsoft Store for Business and Education > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Microsoft Store for Business and Education regularly releases new and improved features. 
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index 0a71365353..18759b0928 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -3,12 +3,12 @@ title: Working with line-of-business apps (Windows 10) description: Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your organization – they might be internal business apps, or apps specific to your school, business, or industry. ms.assetid: 95EB7085-335A-447B-84BA-39C26AEB5AC7 ms.reviewer: -manager: dansimp ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store -author: TrudyHa -ms.author: TrudyHa +ms.author: cmcatee +author: cmcatee-MSFT +manager: scotv ms.topic: conceptual ms.localizationpriority: medium ms.date: 07/21/2021 
@@ -21,7 +21,7 @@ ms.date: 07/21/2021 - Windows 10 > [!IMPORTANT] -> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). +> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286). Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry. diff --git a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md index 5c38053e2b..fa7f9d3364 100644 --- a/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md 
+++ b/windows/application-management/app-v/appv-release-notes-for-appv-for-windows.md 
@@ -18,17 +18,17 @@ ms.technology: itpro-apps The following are known issues and workarounds for Application Virtualization (App-V) running on Windows 10, version 1607. ## Windows Installer packages (.msi files) generated by the App-V sequencer (version 5.1 and earlier) fail to install on computers with the in-box App-V client -There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the pre-requisite check fails and causes the MSI to fail. +There are MSI packages generated by an App-V sequencer from previous versions of App-V (Versions 5.1 and earlier). These packages include a check to validate whether the App-V client is installed on client devices, before allowing the MSI package to be installed. As the App-V client gets installed automatically when you upgrade user devices to Windows 10, version 1607, the prerequisite check fails and causes the MSI to fail. **Workaround**: -1. Install the latest App-V sequencer, which you can get from the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607. See [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information, see [Install the App-V Sequencer](appv-install-the-sequencer.md). +1. Install the latest App-V sequencer, which you can get from the Windows Assessment and Deployment Kit (ADK) for Windows 10, version 1607. See [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information, see [Install the App-V Sequencer](appv-install-the-sequencer.md). 2. 
Ensure that you've installed the **MSI Tools** included in the Windows 10 SDK, available as follows: - - For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/en-us/windows/downloads). + - For the **Visual Studio Community 2015 with Update 3** client, which includes the latest Windows 10 SDK and developer tools, see [Downloads and tools for Windows 10](https://developer.microsoft.com/windows/downloads). - - For the standalone Windows 10 SDK without other tools, see [Standalone Windows 10 SDK](https://developer.microsoft.com/en-US/windows/downloads/windows-10-sdk). + - For the standalone Windows 10 SDK without other tools, see [Standalone Windows SDK](https://developer.microsoft.com/windows/downloads/windows-sdk). 3. Copy msidb.exe from the default path of the Windows SDK installation (**C:\Program Files (x86)\Windows Kits\10**) to a different directory. For example: **C:\MyMsiTools\bin** @@ -36,7 +36,7 @@ There are MSI packages generated by an App-V sequencer from previous versions of <Windows Kits 10 installation folder>**\Microsoft Application Virtualization\Sequencer\\** - By default, this path will be:
**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** + By default, this path is:
**C:\Program Files (x86)\Windows Kits\10\Microsoft Application Virtualization\Sequencer** 5. Run the following command: @@ -51,7 +51,7 @@ An error is generated during publishing refresh when synchronizing packages from **Workaround**: Upgrade the App-V 5.0 Management server to the App-V Management server for Windows 10 Clients. ## Custom configurations don't get applied for packages that will be published globally if they're set using the App-V Server -If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration won't be applied to those machines. The App-V Client will publish packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages won't have access to this custom configuration. +If you assign a package to an AD group that contains machine accounts and apply a custom configuration to that group using the App-V Server, the custom configuration won't be applied to those machines. The App-V Client publishes packages assigned to a machine account globally. However, it stores custom configuration files per user in each user’s profile. Globally published packages won't have access to this custom configuration. **Workaround**: Implement one of the following tasks: 
@@ -69,23 +69,23 @@ If you uninstall the App-V 5.0 SP1 Server and then install the App-V Server, the Under HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall, locate and delete the installation GUID key that contains the DWORD value "DisplayName" with value data "Microsoft Application Virtualization (App-V) Server". This is the only key that should be deleted. -## File type associations added manually are not saved correctly +## File type associations added manually aren't saved correctly File type associations added to an application package manually using the Shortcuts and FTAs tab at the end of the application upgrade wizard aren't saved correctly. They won't be available to the App-V Client or to the Sequencer when updating the saved package again. -**Workaround**: To add a file type association, open the package for modification and run the update wizard. During the Installation step, add the new file type association through the operating system. The sequencer will detect the new association in the system registry and add it to the package’s virtual registry, where it will be available to the client. +**Workaround**: To add a file type association, open the package for modification and run the update wizard. During the Installation step, add the new file type association through the operating system. The sequencer detects the new association in the system registry and adds it to the package’s virtual registry, where it is available to the client. -## When streaming packages in Shared Content Store (SCS) mode to a client that is also managed with AppLocker, additional data is written to the local disk. +## When streaming packages in Shared Content Store (SCS) mode to a client that is also managed with AppLocker, extra data is written to the local disk. To decrease the amount of data written to a client’s local disk, you can enable SCS mode on the App-V Client to stream the contents of a package on demand. 
However, if AppLocker manages an application within the package, some data might be written to the client’s local disk that wouldn't otherwise be written. **Workaround**: None -## In the Management Console Add Package dialog box, the Browse button is not available when using Chrome or Firefox +## In the Management Console Add Package dialog box, the Browse button isn't available when using Chrome or Firefox -On the Packages page of the Management Console, if you click **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you're accessing the Management Console using Chrome or Firefox as your browser, you will not be able to browse to the location of the package. +On the Packages page of the Management Console, if you select **Add or Upgrade** in the lower-right corner, the **Add Package** dialog box appears. If you're accessing the Management Console using Chrome or Firefox as your browser, you won't be able to browse to the location of the package. -**Workaround**: Type or copy and paste the path to the package into the **Add Package** input field. If the Management Console has access to this path, you will be able to add the package. If the package is on a network share, you can browse to the location using File Explorer by doing these steps: +**Workaround**: Type or copy and paste the path to the package into the **Add Package** input field. If the Management Console has access to this path, you'll be able to add the package. If the package is on a network share, you can browse to the location using File Explorer by doing these steps: 1. While pressing **Shift**, right-click on the package file 
@@ -102,10 +102,10 @@ If you install the App-V 5.0 SP1 Management Server, and then try to upgrade to A where “AppVManagement” is the name of the database. -## Users cannot open a package in a user-published connection group if you add or remove an optional package -In environments that are running the RDS Client or that have multiple concurrent users per computer, logged-in users cannot open applications in packages that are in a user-published connection group if an optional package is added to or removed from the connection group. +## Users can't open a package in a user-published connection group if you add or remove an optional package +In environments that are running the RDS Client or that have multiple concurrent users per computer, logged-in users can't open applications in packages that are in a user-published connection group if an optional package is added to or removed from the connection group. -**Workaround**: Have users log out and then log back in. +**Workaround**: Have users sign out and then log back in. ## Error message is erroneously displayed when the connection group is published only to the user When you run Repair-AppvClientConnectionGroup, the following error is displayed, even when the connection group is published only to the user: “Internal App-V Integration error: Package not integrated for the user. Ensure that the package is added to the machine and published to the user.” 
@@ -114,7 +114,7 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, - Publish all packages in a connection group. - The problem arises when the connection group being repaired has packages that are missing or not available to the user (that is, not published globally or to the user). However, the repair will work if all of the connection group’s packages are available, so ensure that all packages are published. + The problem arises when the connection group being repaired has packages that are missing or not available to the user (that is, not published globally or to the user). However, the repair works if all of the connection group’s packages are available, so ensure that all packages are published. - Repair packages individually using the Repair-AppvClientPackage command rather than the Repair-AppvClientConnectionGroup command. 
@@ -128,22 +128,22 @@ When you run Repair-AppvClientConnectionGroup, the following error is displayed, ## Icons not displayed properly in Sequencer -Icons in the Shortcuts and File Type Associations tab are not displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons is not 16x16 or 32x32. +Icons in the Shortcuts and File Type Associations tab aren't displayed correctly when modifying a package in the App-V Sequencer. This problem occurs when the size of the icons isn't 16x16 or 32x32. **Workaround**: Only use icons that are 16x16 or 32x32. ## InsertVersionInfo.sql script no longer required for the Management Database -The InsertVersionInfo.sql script is not required for versions of the App-V management database later than App-V 5.0 SP3. +The InsertVersionInfo.sql script isn't required for versions of the App-V management database later than App-V 5.0 SP3. ## Microsoft Visual Studio 2012 not supported App-V doesn't support Visual Studio 2012. **Workaround**: Use a newer version of Microsoft Visual Studio. -Currently, Visual Studio 2012 doesn't support app virtualization, whether using Microsoft App-V or third party solutions such as VMWare ThinApp. While it is possible you might find that Visual Studio works well enough for your purposes when running within one of these environments, we are unable to address any bugs or issues found when running in a virtualized environment at this time. +Currently, Visual Studio 2012 doesn't support app virtualization, whether using Microsoft App-V or third party solutions such as VMware ThinApp. While it's possible you might find that Visual Studio works well for your purposes when running within one of these environments, we're unable to address any bugs or issues found when running in a virtualized environment at this time. 
## Application filename restrictions for App-V Sequencer -The App-V Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. +The App-V Sequencer can't sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated. **Workaround**: Use a different filename @@ -152,9 +152,9 @@ For information that can help with troubleshooting App-V for Windows 10, see: - [Application Virtualization (App-V): List of Microsoft Support Knowledge Base Articles](https://social.technet.microsoft.com/wiki/contents/articles/14272.app-v-v5-x-list-of-microsoft-support-knowledge-base-articles.aspx) - [The Official Microsoft App-V Team Blog](/archive/blogs/appv/) - [Technical Reference for App-V](./appv-technical-reference.md) -- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) +- [App-V TechNet Forum](https://social.technet.microsoft.com/forums/en-us/home?forum=mdopappv) -
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +
For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). Help us to improve diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 523ee3c2d8..e54211075c 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -71,9 +71,9 @@ There are different types of apps that can run on your Windows client devices. T Using an MDM provider, you can create shortcuts to your web apps and progressive web apps on devices. -## Android™️ apps +## Android™️ apps -Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store. +Starting with Windows 11, users in the [Windows Insider program](https://insider.windows.com/) can use the Microsoft Store to search, download, and install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with Android apps, just like others apps installed from the Microsoft Store. For more information, see: 
@@ -85,7 +85,7 @@ For more information, see: When your apps are ready, you can add or deploy these apps to your Windows devices. This section lists some common options. > [!NOTE] -> Microsoft Store for Business and Microsoft Store for Education will be retired on March 31, 2023. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11. +> The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. Customers may continue to use the current capabilities for free apps until that time. There will be no support for Microsoft Store for Business and Education for Windows 11. >Visit [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution) for more information about the new Microsoft Store experience for both Windows 11 and Windows 10, and learn about other options for getting and managing apps. - **Manually install**: On your devices, users can install apps from the Microsoft Store, from the internet, and from an organization shared drive. These apps, and more, are listed in **Settings** > **Apps** > **Apps and Features**. diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 76647fae53..b358bcc686 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -59,7 +59,8 @@ "claydetels19", "jborsecnik", "tiburd", - "garycentric" + "garycentric", + "beccarobins" ], "searchScope": ["Windows 10"] }, diff --git a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md index 5b0372ddb2..926cb18f47 100644 --- a/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md 
+++ b/windows/application-management/private-app-repository-mdm-company-portal-windows-11.md @@ -4,7 +4,7 @@ description: Use the Company Portal app in Windows 11 devices to access the priv author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.date: 09/15/2021 +ms.date: 04/04/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps @@ -59,7 +59,7 @@ To install the Company Portal app, you have some options: For more information, see: - [Endpoint Management at Microsoft](/mem/endpoint-manager-overview) - - [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-windows) + - [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft) - [What is co-management?](/mem/configmgr/comanage/overview) - [Use the Company Portal app on co-managed devices](/mem/configmgr/comanage/company-portal) diff --git a/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md deleted file mode 100644 index 160a97cca0..0000000000 --- a/windows/client-management/add-an-azure-ad-tenant-and-azure-ad-subscription.md +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -title: Add an Azure AD tenant and Azure AD subscription -description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# Add an Azure AD tenant and Azure AD subscription - -Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription. - -> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription) - - -1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization. - - ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png) - -2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available. - - ![sign up for azure ad.](images/azure-ad-add-tenant2.png) - -3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**. - - ![create azure account.](images/azure-ad-add-tenant3.png) - -4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**. - - ![add aad tenant.](images/azure-ad-add-tenant3-b.png) - -5. After you finish creating your Azure account, you can add an Azure AD subscription. 
- - If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom). - - ![login to office 365](images/azure-ad-add-tenant4.png) - -6. Select **Install software**. - - ![login to office 365 portal](images/azure-ad-add-tenant5.png) - -7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation. - - ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png) - -8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase. - - ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png) - -9. Continue with your purchase. - - ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png) - -10. After the purchase is completed, you can log on to your Office 365 Admin Portal and you'll see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint and Exchange). - - ![admin center left navigation menu.](images/azure-ad-add-tenant9.png) - - When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications. - -## Register your free Azure Active Directory subscription - -If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription. - -1. Sign in to the Microsoft 365 admin center at using your organization's account. - - ![register in azuread.](images/azure-ad-add-tenant10.png) - -2. On the **Home** page, select on the Admin tools icon. 
- - ![register in azure-ad.](images/azure-ad-add-tenant11.png) - -3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This option will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. - - ![register azuread](images/azure-ad-add-tenant12.png) - -4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. - - ![registration in azure-ad](images/azure-ad-add-tenant13.png) - -5. It may take a few minutes to process the request. - - ![registration in azuread.](images/azure-ad-add-tenant14.png) - -6. You'll see a welcome page when the process completes. - - ![register screen of azuread](images/azure-ad-add-tenant15.png) - - - - - - - - diff --git a/windows/client-management/appv-deploy-and-config.md b/windows/client-management/appv-deploy-and-config.md deleted file mode 100644 index f0c9843f27..0000000000 --- a/windows/client-management/appv-deploy-and-config.md +++ /dev/null @@ -1,485 +0,0 @@ ---- -title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server. -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 -ms.reviewer: -manager: aaroncz ---- - -# Deploy and configure App-V apps using MDM - -## Executive summary - -

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

- -

MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

- -### EnterpriseAppVManagement CSP node structure - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -The following example shows the EnterpriseAppVManagement configuration service provider in tree format. - -```console -./Vendor/MSFT -EnterpriseAppVManagement -----AppVPackageManagement ---------EnterpriseID -------------PackageFamilyName ----------------PackageFullName -------------------Name -------------------Version -------------------Publisher -------------------InstallLocation -------------------InstallDate -------------------Users -------------------AppVPackageID -------------------AppVVersionId -------------------AppVPackageUri -----AppVPublishing ---------LastSync -------------LastError -------------LastErrorDescription -------------SyncStatusDescription -------------SyncProgress ---------Sync -------------PublishXML -----AppVDynamicPolicy ---------ConfigurationId -------------Policy -``` - -

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.

- -

AppVPublishing - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

- -- EnterpriseAppVManagement - - AppVPackageManagement - - **AppVPublishing** - - LastSync - - LastError - - LastErrorDescription - - SyncStatusDescription - - SyncProgress - - Sync - - PublishXML - - AppVDynamicPolicy - -

Sync command:

- -[App-V Sync protocol reference](https://msdn.microsoft.com/enus/library/mt739986.aspx) - -

AppVDynamicPolicy - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

- -- EnterpriseAppVManagement - - AppVPackageManagement - - AppVPublishing - - **AppVDynamicPolicy** - - [ConfigurationId] - - Policy - -

Dynamic policy examples:

- -[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#dynamic-configuration-processing) - -

AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages.

- -- EnterpriseAppVManagement - - **AppVPackageManagement** - - [EnterpriseID] - - [PackageFamilyName] - - [PackageFullName] - - Name - - Version - - Publisher - - InstallLocation - - InstallDate - - Users - - AppVPackageID - - AppVVersionId - - AppVPackageUri - - AppVPublishing - - AppVDynamicPolicy - -

The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.

- -## Scenarios addressed in App-V MDM functionality - -

All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

- -

A complete list of App-V policies can be found here:

- -[ADMX-backed policy reference](mdm/policy-configuration-service-provider.md) - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -### SyncML examples - -

The following SyncML examples address specific App-V client scenarios.

- -#### Enable App-V client - -

This example shows how to enable App-V on the device.

- -```xml - - $CmdID$ - - - chr - text/plain - - - ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient - - - - -``` - -#### Configure App-V client - -

This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).

- -```xml - - $CmdID$ - - - chr - text/plain - - - ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts - - - - -``` - -

Complete list of App-V policies can be found here:

- -[Policy CSP](mdm/policy-configuration-service-provider.md) - -#### SyncML with package published for a device (global to all users for that device) - -

This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - - -``` - -

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

- -#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device) - -

This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy - - - xml - text/plain - - - - - - - - - - - [{ThisPCDesktopFolder}]\Skype_FromMDM.lnk - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico - - [{ProgramFilesX86}]\Skype\ - Skype.Desktop.Application - Launch Skype - 1 - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - - - - - [{Common Desktop}]\Skype_FromMDMAlso.lnk - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico - - [{ProgramFilesX86}]\Skype\ - Skype.Desktop.Application - Launch Skype - 1 - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - - - - - - - - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - - - -``` - -

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

- -#### SyncML with package (using user config deployment) published for a specific user - -

This SyncML example shows how to publish a package for a specific MDM user.

- -```xml - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> - - - xml - text/plain - - - - - - - - - - - - - -``` - -#### SyncML for publishing mixed-mode connection group containing global and user-published packages - -

This SyncML example shows how to publish a connection group, and group applications and plugins together.

- -> [!NOTE] -> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group. - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> - - - xml - text/plain - - - - - - - - - - - - - - - - - - - - -``` - -#### Unpublish example SyncML for all global packages - -

This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML - - - xml - text/plain - - - - - - - - - -``` - -#### Query packages on a device - -

These SyncML examples return all global, and user-published packages on the device.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData - - - -``` - -```xml - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData - - - -``` \ No newline at end of file diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index 5cd9b9cbb6..0bb98be706 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md 
@@ -9,159 +9,94 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.collection: - - highpri - - tier2 -ms.date: 12/31/2017 +- highpri +- tier2 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Azure Active Directory integration with MDM -Azure Active Directory is the world's largest enterprise cloud identity management service. It’s used by organizations to access Office 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. +Azure Active Directory is the world's largest enterprise cloud identity management service. It's used by organizations to access Microsoft 365 and business applications from Microsoft and third-party software as a service (SaaS) vendors. Many of the rich Windows experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows integrates with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in an integrated flow. Once a device is enrolled in MDM, the MDM: - Can enforce compliance with organization policies, add or remove apps, and more. -- Can report a device’s compliance in Azure AD. +- Can report a device's compliance in Azure AD. - Azure AD can allow access to organization resources or applications secured by Azure AD to devices that comply with policies. -To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This article describes the steps involved. 
- -## Connect to Azure AD - -Several ways to connect your devices: - -For company-owned devices: -- Join Windows to a traditional Active Directory domain -- Join Windows to Azure AD - -For personal devices (BYOD): -- Add a Microsoft work account to Windows - -### Azure AD Join - -Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as Microsoft Configuration Manager. In Windows 10, it’s also possible to manage domain joined devices with an MDM. - -Windows 10 introduces a new way to configure and deploy organization owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller. - -Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device won't be joined to Azure AD. - -> [!IMPORTANT] -> Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. - - -### BYOD scenario - -Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. 
Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted. +To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. ## Integrated MDM enrollment and UX -Two Azure AD MDM enrollment scenarios: -- Joining a device to Azure AD for company-owned devices -- Adding a work account to a personal device (BYOD) +There are several ways to connect your devices to Azure AD: -In both scenarios, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. +- [Join device to Azure AD](/azure/active-directory/devices/concept-azure-ad-join) +- [Join device to on-premises AD and Azure AD](/azure/active-directory/devices/concept-azure-ad-join-hybrid) +- [Add a Microsoft work account to Windows](/azure/active-directory/devices/concept-azure-ad-register) -In both scenarios, the enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. +In each scenario, Azure AD authenticates the user and the device. It provides a verified unique device identifier that can be used for MDM enrollment. The enrollment flow provides an opportunity for the MDM service to render its own UI, using a web view. 
MDM vendors should use the UI to render the Terms of Use (TOU), which can be different for company-owned and bring-your-own-device (BYOD) devices. MDM vendors can also use the web view to render more UI elements, such as asking for a one-time PIN. -In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. +In Windows 10, the web view during the out-of-the-box scenario is displayed as full-screen by default, providing MDM vendors with the capability to create a seamless edge-to-edge user experience. However, in Windows 11 the web view is rendered within an iframe. It's important that MDM vendors who integrate with Azure AD respect the Windows design guidelines. This step includes using a responsive web design and respecting the Windows accessibility guidelines. For example, include the forward and back buttons that are properly wired to the navigation logic. More details are provided later in this article. -For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. For more information, see solution \#2 in [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). +For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service. 
For more information, see [Configure Azure MFA as authentication provider with AD FS](/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa). -Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar. +Once a user has an Azure AD account added to Windows and enrolled in MDM, the enrollment can be managed through **Settings** > **Accounts** > **Access work or school**. Device management of either Azure AD Join for organization scenarios or BYOD scenarios is similar. > [!NOTE] -> Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. +> Users can't remove the device enrollment through the **Access work or school** user interface because management is tied to the Azure AD or work account. - -### MDM endpoints involved in Azure AD–integrated enrollment +### MDM endpoints involved in Azure AD integrated enrollment Azure AD MDM enrollment is a two-step process: -1. Display the Terms of Use and gather user consent. +1. Display the Terms of Use and gather user consent: This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM. +1. Enroll the device: This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device. - This consent is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM. +To support Azure AD enrollment, MDM vendors must host and expose a **Terms of Use endpoint** and an **MDM enrollment endpoint**. -2. Enroll the device. +- **Terms of Use endpoint**: Use this endpoint to inform users of the ways in which their device can be controlled by their organization. 
The Terms of Use page is responsible for collecting user's consent before the actual enrollment phase begins. - This step is an active flow where Windows OMA DM agent calls the MDM service to enroll the device. + It's important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. -To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint. + The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It's not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. -**Terms of Use endpoint** -Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins. +- **MDM enrollment endpoint**: After the users accept the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins. -It’s important to understand the Terms of Use flow is an "opaque box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL. The user should be redirected back after approving or rejecting the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios. 
For example, different levels of control are applied on BYOD vs. organization-owned devices. Or, implement user/group based targeting, like users in certain geographies may have stricter device management policies. + The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint. -The Terms of Use endpoint can implement more business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which can be a degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD. + [![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)](images/azure-ad-enrollment-flow.png#lightbox) -**MDM enrollment endpoint** -After the users accepts the Terms of Use, the device is registered in Azure AD. Automatic MDM enrollment begins. + The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. -The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. 
This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Then, the device is enrolled for management with the MDM. This step calls the enrollment endpoint and requests enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is available to the MDM in the form of claims within an access token presented at the enrollment endpoint. - -![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png) - -The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this article. - -## Make the MDM a reliable party of Azure AD +## Make MDM a reliable party of Azure AD To participate in the integrated enrollment flow outlined in the previous section, the MDM must consume access tokens issued by Azure AD. To report compliance with Azure AD, the MDM must authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). -### Add a cloud-based MDM +### Cloud-based MDM A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It's a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer. -The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. 
Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661). +The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. For more information about how to add multi-tenant applications to Azure AD, see the [Integrate an app that authenticates users and calls Microsoft Graph using the multi-tenant integration pattern (SaaS)](https://go.microsoft.com/fwlink/p/?LinkId=613661) code sample on GitHub. > [!NOTE] -> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. +> For the MDM provider, if you don't have an existing Azure AD tenant with an Azure AD subscription that you manage, follow the step-by-step guides below: +> +> - [Quickstart: Create a new tenant in Azure Active Directory](/azure/active-directory/fundamentals/active-directory-access-create-new-tenant) to set up a tenant. +> - [Associate or add an Azure subscription to your Azure Active Directory tenant](/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory) to add a subscription, and manage it via the Azure Portal. -The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, whatever the customer tenant the managed device belongs. +The MDM application uses keys to request access tokens from Azure AD. These keys are managed within the tenant of the MDM provider and not visible to individual customers. 
The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, in the customer tenant where the managed device belongs. > [!NOTE] -> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats-and-ownership). +> All MDM apps must implement Azure AD V2 tokens before we certify that integration works. Due to changes in the Azure AD app platform, using Azure AD V2 tokens is a hard requirement. For more information, see [Microsoft identity platform access tokens](/azure/active-directory/develop/access-tokens#token-formats). -Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery. +### On-premises MDM -1. Log on to the Azure Management Portal using an admin account in your home tenant. +An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and have a separate key for authentication with Azure AD. -2. In the left navigation, select **Active Directory**. - -3. Select the directory tenant where you want to register the application. - - Ensure you're logged into your home tenant. - -4. Select the **Applications** tab. - -5. In the drawer, select **Add**. - -6. Select **Add an application my organization is developing**. - -7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then select **Next**. - -8. 
Enter the logon URL for your MDM service. - -9. For the App ID, enter `https:///ContosoMDM`, then select OK. - -10. While still in the Azure portal, select the **Configure** tab of your application. - -11. Mark your application as **multi-tenant**. - -12. Find the client ID value and copy it. - - You'll need this ID later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery. - -13. Generate a key for your application and copy it. - - You need this key to call the Microsoft Graph API to report device compliance. This information is covered in the next section. - -For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). - -### Add an on-premises MDM - -An on-premises MDM application is different than a cloud MDM. It's a single-tenant application that is present uniquely within the tenant of the customer. Customers must add the application directly within their own tenant. Also, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD. - -To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application**. Administrators can configure the required URLs for enrollment and Terms of Use. +To add an on-premises MDM application to the tenant, use the Azure AD service, specifically under **Mobility (MDM and MAM)** > **Add application** > **Create your own application**. Administrators can configure the required URLs for enrollment and Terms of Use. Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. 
You can use this client ID and key to request tokens from Azure AD when reporting device compliance. @@ -173,24 +108,21 @@ The application keys used by your MDM service are a sensitive resource. They sho For security best practices, see [Windows Azure Security Essentials](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). -You can roll over the application keys used by a cloud-based MDM service without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. +For cloud-based MDM, you can roll over the application keys without requiring a customer interaction. There's a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. For the on-premises MDM, the Azure AD authentication keys are within the customer tenant and must be rolled over by the customer's administrator. To improve security, provide guidance to customers about rolling over and protecting the keys. ## Publish your MDM app to Azure AD app gallery - IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD. -The following image show how MDM applications show up in the Azure app gallery. - -![azure ad add an app for mdm.](images/azure-ad-app-gallery.png) - ### Add cloud-based MDM to the app gallery > [!NOTE] > You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application +To publish your application, [submit a request to publish your application in Azure Active Directory application gallery](/azure/active-directory/manage-apps/v2-howto-app-gallery-listing) + The following table shows the required information to create an entry in the Azure AD app gallery. |Item|Description| 
@@ -201,8 +133,6 @@ The following table shows the required information to create an entry in the Azu |**Description**|A brief description of your MDM app, which must be under 255 characters.| |**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215| - - ### Add on-premises MDM to the app gallery There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. @@ -215,11 +145,11 @@ The pages rendered by the MDM in the integrated enrollment process must use Wind There are three distinct scenarios: -1. MDM enrollment as part of Azure AD Join in Windows OOBE. -2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**. -3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD). +1. MDM enrollment as part of Azure AD Join in Windows OOBE. +1. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**. +1. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD). -These scenarios support Windows client Pro, Enterprise, and Education. +These scenarios support Windows Pro, Enterprise, and Education. The CSS files provided by Microsoft contain version information and we recommend that you use the latest version. There are separate CSS files for Windows client devices, OOBE, and post-OOBE experiences. [Download the Windows templates and CSS files (1.1.4)](https://download.microsoft.com/download/0/7/0/0702afe3-dc1e-48f6-943e-886a4876f6ca/MDM-ISV_1.1.4.zip). 
@@ -256,7 +186,7 @@ The following parameters are passed in the query string: Azure AD issues a bearer access token. The token is passed in the authorization header of the HTTP request. Here's a typical format: -**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw… +**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw... The following claims are expected in the access token passed by Windows to the Terms of Use endpoint: @@ -267,13 +197,12 @@ The following claims are expected in the access token passed by Windows to the T |TID|A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.| |Resource|A sanitized URL representing the MDM application. Example: `https://fabrikam.contosomdm.com` | - > [!NOTE] > There's no device ID claim in the access token because the device may not yet be enrolled at this time. To retrieve the list of group memberships for the user, you can use the [Microsoft Graph API](/azure/active-directory/develop/active-directory-graph-api). -Here's an example URL. +Here's an example URL: ```http https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0 @@ -288,8 +217,8 @@ The MDM may do other more redirects as necessary before displaying the Terms of The Terms of Use content should contain the following buttons: -- **Accept** - the user accepts the Terms of Use and proceeds with enrollment. -- **Decline** - the user declines and stops the enrollment process. +- **Accept** - the user accepts the Terms of Use and proceeds with enrollment. +- **Decline** - the user declines and stops the enrollment process. The Terms of Use content must be consistent with the theme used for the other pages rendered during this process. 
@@ -297,13 +226,13 @@ The Terms of Use content must be consistent with the theme used for the other pa At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page: -- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected: - - **IsAccepted** - This Boolean value is required, and must be set to true. - - **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes. - - Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true` -- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected: - - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use. - - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user. +- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected: + - **IsAccepted** - This Boolean value is required, and must be set to true. + - **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this blob to make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes. 
+ - Here's an example redirect - `ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true` +- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected: + - **IsAccepted** - This Boolean value is required, and must be set to false. This option also applies if the user skipped the Terms of Use. + - **OpaqueBlob** - This parameter isn't expected to be used. The enrollment is stopped with an error message shown to the user. Users skip the Terms of Use when they're adding a Microsoft work account to their device. However, they can't skip it during the Azure AD Join process. Don't show the decline button in the Azure AD Join process. MDM enrollment can't be declined by the user if configured by the administrator for the Azure AD Join. @@ -311,7 +240,7 @@ We recommend that you send the client-request-id parameters in the query string ### Terms Of Use Error handling -If an error occurs during the terms of use processing, the MDM can return two parameters – an error and error\_description parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the error\_description should be in English plain text. This text isn't visible to the end-user. So, localization of the error description text isn't a concern. +If an error occurs during the terms of use processing, the MDM can return two parameters - an `error` and `error_description` parameter in its redirect request back to Windows. The URL should be encoded, and the contents of the `error_description` should be in English plain text. This text isn't visible to the end-user. So, localization of the `error_description` text isn't a concern. Here's the URL format: 
@@ -334,7 +263,6 @@ The following table shows the error codes. |Azure AD token validation failed|302|unauthorized_client|unauthorized_client| |internal service error|302|server_error|internal service error| - ## Enrollment protocol with Azure AD With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. @@ -355,41 +283,43 @@ With Azure integrated MDM enrollment, there's no discovery phase and the discove |Enrolled certificate store|My/User|My/System|My/User| |CSR subject name|User Principal Name|Device ID|User Principal Name| |EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL|Not supported|Supported|Supported| -|CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION||| +|CSPs accessible during enrollment|Windows 10 support:
- DMClient
- CertificateStore
- RootCATrustedCertificates
- ClientCertificateInstall
- EnterpriseModernAppManagement
- PassportForWork
- Policy
- w7 APPLICATION||| ## Management protocol with Azure AD There are two different MDM enrollment types that integrate with Azure AD, and use Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. -**Multiple user management for Azure AD-joined devices** -In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. +- **Multiple user management for Azure AD-joined devices** -**Adding a work account and MDM enrollment to a device** -In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. 
In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device. + In this scenario the MDM enrollment applies to every Azure AD user who signs in to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, determine what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an extra HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token isn't sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user signs on to the machine, Azure AD user token isn't available to OMA-DM process. Typically, MDM enrollment completes before Azure AD user sign in to machine and the initial management session doesn't contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. -**Evaluating Azure AD user tokens** -The Azure AD token is in the HTTP Authorization header in the following format: +- **Adding a work account and MDM enrollment to a device**: -```console -Authorization:Bearer -``` + In this scenario, the MDM enrollment applies to a single user who initially added their work account and enrolled the device. 
In this enrollment type, the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device. -More claims may be present in the Azure AD token, such as: +- **Evaluating Azure AD user tokens**: -- User - user currently logged in -- Device compliance - value set the MDM service into Azure -- Device ID - identifies the device that is checking in -- Tenant ID + The Azure AD token is in the HTTP Authorization header in the following format: -Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens: + ```console + Authorization:Bearer + ``` -- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). -- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). + More claims may be present in the Azure AD token, such as: + - User - user currently logged in + - Device compliance - value set the MDM service into Azure + - Device ID - identifies the device that is checking in + - Tenant ID + + Access tokens issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to start the enrollment process. There are a couple of options to evaluate the tokens: + + - Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. 
For more information, see [JwtSecurityTokenHandler Class](/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler). + - Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667). ## Device Alert 1224 for Azure AD user token -An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example: +An alert is sent when the DM session starts and there's an Azure AD user logged in. The alert is sent in OMA DM package #1. Here's an example: ```xml Alert Type: com.microsoft/MDM/AADUserToken @@ -401,25 +331,25 @@ Alert sample: 1224 - com.microsoft/MDM/AADUserToken + com.microsoft/MDM/AADUserToken UserToken inserted here - … other XML tags … + ... other XML tags ... ``` ## Determine when a user is logged in through polling -An alert is sent to the MDM server in DM package\#1. +An alert is sent to the MDM server in DM package \#1. -- Alert type - com.microsoft/MDM/LoginStatus -- Alert format - chr -- Alert data - provide sign-in status information for the current active logged in user. - - Signed-in user who has an Azure AD account - predefined text: user. - - Signed-in user without an Azure AD account- predefined text: others. - - No active user - predefined text:none +- Alert type - com.microsoft/MDM/LoginStatus +- Alert format - chr +- Alert data - provide sign-in status information for the current active logged in user. + - Signed-in user who has an Azure AD account - predefined text: user. + - Signed-in user without an Azure AD account- predefined text: others. + - No active user - predefined text:none Here's an example. @@ -430,12 +360,12 @@ Here's an example. 1224 - com.microsoft/MDM/LoginStatus + com.microsoft/MDM/LoginStatus user - … other XML tags … + ... other XML tags ... ``` 
@@ -445,21 +375,21 @@ Once a device is enrolled with the MDM for management, organization policies con For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822). -- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD. -- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD. +- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. To obtain authorization, use this key to authenticate the MDM service with Azure AD. +- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This key configuration is because each on-premises instance of your MDM product has a different tenant-specific key. So, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD. ### Use Microsoft Graph API The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it. > [!NOTE] -> This API is only applicable for approved MDM apps on Windows 10 devices. +> This API is only applicable for approved MDM apps on Windows devices. 
```console Sample Graph API Request: PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 -Authorization: Bearer eyJ0eXAiO……… +Authorization: Bearer eyJ0eXAiO......... Accept: application/json Content-Type: application/json { "isManaged":true, 
@@ -469,16 +399,16 @@ Content-Type: application/json Where: -- **contoso.com** – This value is the name of the Azure AD tenant to whose directory the device has been joined. -- **db7ab579-3759-4492-a03f-655ca7f52ae1** – This value is the device identifier for the device whose compliance information is being reported to Azure AD. -- **eyJ0eXAiO**……… – This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request. -- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status. -- **api-version** - Use this parameter to specify which version of the graph API is being requested. +- **contoso.com** - This value is the name of the Azure AD tenant to whose directory the device has been joined. +- **db7ab579-3759-4492-a03f-655ca7f52ae1** - This value is the device identifier for the device whose compliance information is being reported to Azure AD. +- **eyJ0eXAiO**......... - This value is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Microsoft Graph API. The access token is placed in the HTTP authorization header of the request. +- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status. +- **api-version** - Use this parameter to specify which version of the graph API is being requested. Response: -- Success - HTTP 204 with No Content. -- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found. +- Success - HTTP 204 with No Content. +- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant can't be found. ## Data loss during unenrollment from Azure Active Directory Join 
@@ -488,41 +418,4 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di ## Error codes -|Code|ID|Error message| -|--- |--- |--- | -|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server. 
You can try to do this again or contact your system administrator with the error code {0}| -|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.| -|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.| -|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.| -|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.| -|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.| -|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported. 
Contact your system administrator with the error code {0}.| -|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.| -|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.| -|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.| -|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.| -|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.| -|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server. 
You can try to do this again or contact your system administrator with the error code {0}| -|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.| -|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.| -|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.| -|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.| -|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}| -|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| -|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.| +[!INCLUDE [Enrollment error codes](includes/mdm-enrollment-error-codes.md)] 
diff --git a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md index cc058826be..1c9d410723 100644 --- a/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md +++ b/windows/client-management/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md 
@@ -1,33 +1,29 @@ --- -title: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new Portal -description: Azure AD and Microsoft Intune - Automatic MDM enrollment in the new portal +title: Automatic MDM enrollment in the Intune admin center +description: Automatic MDM enrollment in the Intune admin center ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 12/18/2020 -ms.reviewer: +ms.date: 04/05/2023 +ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Azure AD and Microsoft Intune: Automatic MDM enrollment in the Intune admin center +# Automatic MDM enrollment in the Intune admin center -Microsoft Intune can be accessed directly using its own admin center. For more information, go to: - -- [Tutorial: Walkthrough Intune in Microsoft Intune admin center](/mem/intune/fundamentals/tutorial-walkthrough-endpoint-manager) -- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -If you use the Azure portal, then you can access Intune using the following steps: +Windows devices can be enrolled in to Intune automatically when they join or register with Azure Active Directory. Automatic enrollment can be configured in Azure Portal. 1. Go to your Azure AD Blade. -2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. -3. Select **Microsoft Intune** and configure the blade. -![How to get to the Blade.](images/azure-mdm-intune.png) +1. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app. -Configure the blade +1. Select **Microsoft Intune** and configure the blade. You can specify settings to allow **All** users to enroll a device, or choose to allow **Some** users (and specify a group). 
-![Configure the Blade.](images/azure-intune-configure-scope.png)
+ ![Configure the Blade.](images/azure-intune-configure-scope.png)
-You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
+1. Select **Save** to configure MDM auto-enrollment for Azure AD joined devices and bring-your-own-device scenarios.
diff --git a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
index c85858a2d0..a09f295976 100644
--- a/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,50 +1,52 @@ --- title: Bulk enrollment -description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and Windows 11. -MS-HAID: - - 'p\_phdevicemgmt.bulk\_enrollment' - - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' -ms.reviewer: +description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Bulk enrollment +# Bulk enrollment using Windows Configuration Designer -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to reimage the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. You can use the [Provisioning CSP](mdm/provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join enrollment scenario. ## Typical use cases -- Set up devices in bulk for large organizations to be managed by MDM. -- Set up kiosks, such as ATMs or point-of-sale (POS) terminals. -- Set up school computers. -- Set up industrial machinery. -- Set handheld POS devices. +- Set up devices in bulk for large organizations to be managed by MDM. +- Set up kiosks, such as ATMs or point-of-sale (POS) terminals. +- Set up school computers. +- Set up industrial machinery. +- Set handheld POS devices. 
-On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain. +On the desktop, you can create an Active Directory account, such as `enrollment@contoso.com` and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can sign in to use it. This account is especially useful in getting a large number of desktop ready to use within a domain. On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as `enroll@contoso.com` and `enrollmentpassword`. These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. > [!NOTE] -> - Bulk-join is not supported in Azure Active Directory Join. -> - Bulk enrollment does not work in Intune standalone environment. -> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console. -> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. -> - Bulk Token creation is not supported with federated accounts. +> +> - Bulk-join is not supported in Azure Active Directory Join. +> - Bulk enrollment does not work in Intune standalone environment. +> - Bulk enrollment works in Microsoft Intune where the ppkg is generated from the Configuration Manager console. +> - To change bulk enrollment settings, login to **Azure AD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. 
+> - Bulk Token creation is not supported with federated accounts. ## What you need -- Windows 10 devices. -- Windows Configuration Designer (WCD) tool. +- Windows devices. +- Windows Configuration Designer (WCD) tool. To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd). -- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.). -- Wi-Fi credentials, computer name scheme, and anything else required by your organization. + +- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.). +- Wi-Fi credentials, computer name scheme, and anything else required by your organization. Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain. 
@@ -53,112 +55,105 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. 1. Open the WCD tool. -2. Select **Advanced Provisioning**. +1. Select **Advanced Provisioning**. ![icd start page.](images/bulk-enrollment7.png) -3. Enter a project name and select **Next**. -4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**. -5. Skip **Import a provisioning package (optional)** and select **Finish**. -6. Expand **Runtime settings** > **Workplace**. -7. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". -8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here's the list of available settings: - - **AuthPolicy** - Select **OnPremise**. - - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - - **Secret** - Password - For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). - Here's the screenshot of the WCD at this point. + +1. Enter a project name and select **Next**. +1. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then select **Next**. +1. Skip **Import a provisioning package (optional)** and select **Finish**. +1. Expand **Runtime settings** > **Workplace**. +1. Select **Enrollments**, enter a value in **UPN**, and then select **Add**. 
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`. +1. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings: + + - **AuthPolicy** - Select **OnPremise**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - Password + + For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). Here's the screenshot of the WCD at this point. ![bulk enrollment screenshot.](images/bulk-enrollment.png) -9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -10. When you're done adding all the settings, on the **File** menu, select **Save**. -11. On the main menu, select **Export** > **Provisioning package**. + +1. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +1. When you're done adding all the settings, on the **File** menu, select **Save**. +1. On the main menu, select **Export** > **Provisioning package**. ![icd menu for export.](images/bulk-enrollment2.png) -12. Enter the values for your package and specify the package output location. + +1. Enter the values for your package and specify the package output location. 
![enter package information.](images/bulk-enrollment3.png) ![enter additional information for package information.](images/bulk-enrollment4.png) ![specify file location.](images/bulk-enrollment6.png) -13. Select **Build**. + +1. Select **Build**. ![icb build window.](images/bulk-enrollment5.png) -14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). -15. Apply the package to your devices. + +1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). +1. Apply the package to your devices. ## Create and apply a provisioning package for certificate authentication Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. 1. Open the WCD tool. -2. Select **Advanced Provisioning**. -3. Enter a project name and select **Next**. -4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. -5. Skip **Import a provisioning package (optional)** and select **Finish**. -6. Specify the certificate. - 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. - 2. Enter a **CertificateName** and then select **Add**. - 3. Enter the **CertificatePasword**. - 4. For **CertificatePath**, browse and select the certificate to be used. - 5. Set **ExportCertificate** to False. - 6. For **KeyLocation**, select **Software only**. +1. Select **Advanced Provisioning**. +1. Enter a project name and select **Next**. +1. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. +1. Skip **Import a provisioning package (optional)** and select **Finish**. +1. Specify the certificate: + + 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. + 1. 
Enter a **CertificateName** and then select **Add**. + 1. Enter the **CertificatePassword**. + 1. For **CertificatePath**, browse and select the certificate to be used. + 1. Set **ExportCertificate** to False. + 1. For **KeyLocation**, select **Software only**. ![icd certificates section.](images/bulk-enrollment8.png) -7. Specify the workplace settings. - 1. Got to **Workplace** > **Enrollments**. - 2. Enter the **UPN** for the enrollment and then select **Add**. - The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". - 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. - Here's the list of available settings: - - **AuthPolicy** - Select **Certificate**. - - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. - - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. - - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - - **Secret** - the certificate thumbprint. - For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). -8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). -9. When you're done adding all the settings, on the **File** menu, select **Save**. -10. Export and build the package (steps 10-13 in the procedure above). -11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). -12. Apply the package to your devices. + +1. Specify the workplace settings. + + 1. Got to **Workplace** > **Enrollments**. + 1. Enter the **UPN** for the enrollment and then select **Add**. 
The UPN is a unique identifier for the enrollment. For bulk enrollment, this UPN must be a service account that is allowed to enroll multiple users, such as `enrollment@contoso.com`. + 1. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. Here's the list of available settings: + - **AuthPolicy** - Select **Certificate**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - the certificate thumbprint. + + For detailed descriptions of these settings, see [Provisioning CSP](mdm/provisioning-csp.md). + +1. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (for example, **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +1. When you're done adding all the settings, on the **File** menu, select **Save**. +1. Export and build the package (steps 10-13 in the procedure above). +1. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). +1. Apply the package to your devices. ## Apply a provisioning package -Here's the list of articles about applying a provisioning package: +- [Apply a package during initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#during-initial-setup) +- [Apply a package after initial setup](/windows/configuration/provisioning-packages/provisioning-apply-package#after-initial-setup) +- [Apply a package directly](/windows/configuration/provisioning-packages/provisioning-apply-package#apply-directly) +- [Apply a package from the Settings app](/windows/configuration/provisioning-packages/provisioning-apply-package#windows-settings). 
-- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) -- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) -- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - article below +## Validate that the provisioning package was applied -## Apply a package from the Settings menu - -1. Go to **Settings** > **Accounts** > **Access work or school**. -2. Select **Add or remove a provisioning package**. -3. Select **Add a package**. - -## Validate that the provisioning package was applied - -1. Go to **Settings** > **Accounts** > **Access work or school**. -2. Select **Add or remove a provisioning package**. - You should see your package listed. +1. Go to **Settings** > **Accounts** > **Access work or school**. +1. Select **Add or remove a provisioning package**. You should see your package listed. ## Retry logic if there's a failure -If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. +- If the provisioning engine receives a failure from a CSP, it will retry to provision three times in a row. +- If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from the SYSTEM context. +- It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well. +- In addition, provisioning will be restarted in the SYSTEM context after a sign in and the [system has been idle](/windows/win32/taskschd/task-idle-conditions). -If all immediate attempts fail, a delayed task is launched to try provisioning again later. 
It will retry four times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context.
-
-It will also retry to apply the provisioning each time it's launched, if started from somewhere else as well.
-
-In addition, provisioning will be restarted in a SYSTEM context after a sign in and the system has been idle ([details on idle conditions](/windows/win32/taskschd/task-idle-conditions)).
-
-## Other provisioning articles
-
-Here are links to step-by-step provisioning articles:
-
-- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
-- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
+## Related articles
+- [Provision PCs with apps and certificates for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-with-apps)
+- [Provision PCs with common settings for initial deployment](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment)
diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md
index 2f5129ba9b..6db2ca38a4 100644
--- a/windows/client-management/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/certificate-authentication-device-enrollment.md
@@ -1,30 +1,28 @@ --- title: Certificate authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Certificate authentication device enrollment -This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows devices, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). -> [!Note] +> [!NOTE] > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). -## In this topic - -- [Discovery service](#discovery-service) -- [Enrollment policy web service](#enrollment-policy-web-service) -- [Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery Service 
@@ -37,34 +35,33 @@ User-Agent: Windows Enrollment Client Host: EnterpriseEnrollment.Contoso.com Content-Length: xxx Cache-Control: no-cache - - - + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - http://www.w3.org/2005/08/addressing/anonymous - + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc - - - - - + + + + + user@contoso.com 101 10.0.0.0 - 3.0 + 3.0 10.0.0.0 Certificate - - - + + + ``` @@ -76,7 +73,7 @@ Content-Length: 865 Content-Type: application/soap+xml; charset=utf-8 Server: EnterpriseEnrollment.Contoso.com Date: Tue, 02 Aug 2012 00:32:56 GMT - @@ -87,9 +84,9 @@ http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoverySer urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - Certificate @@ -117,11 +114,11 @@ User-Agent: Windows Enrollment Client Host: enrolltest.contoso.com Content-Length: xxxx Cache-Control: no-cache - @@ -135,16 +132,16 @@ Cache-Control: no-cache https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - B64EncodedSampleBinarySecurityToken - + - - @@ -190,29 +187,29 @@ Content-Type: application/soap+xml Content-Length: xxxx - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse - d4335d7c-e192-402d-b0e7-f5d550467e3c urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598 - - - - + - - @@ -268,11 +265,11 @@ Host: enrolltest.contoso.com Content-Length: 3242 Cache-Control: no-cache - @@ -289,36 +286,35 @@ Cache-Control: no-cache 2014-10-16T17:55:13Z 2014-10-16T17:57:13Z - + + wsu:Id="29801C2F-F26B-46AD-984B-AFAEFB545FF8"> B64EncodedSampleBinarySecurityToken - + - - + MessageDigestValue - SignedMessageBlob/ds:SignatureValue> - + SignedMessageBlob/ds:SignatureValue> + - - + - + 
@@ -331,8 +327,8 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue - DER format PKCS#10 certificate request in Base64 encoding Insterted Here @@ -354,7 +350,7 @@ http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrol - 7BA748C8-703E-4DF2-A74A-92984117346A + 7BA748C8-703E-4DF2-A74A-92984117346A 3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342 @@ -376,8 +372,8 @@ Content-Type: application/soap+xml; charset=utf-8 Server: Microsoft-IIS/7.0 Date: Fri, 03 Aug 2012 00:32:59 GMT - @@ -393,14 +389,14 @@ Date: Fri, 03 Aug 2012 00:32:59 GMT - http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken - - + - - + + - + @@ -480,14 +476,14 @@ The following example shows the encoded provisioning XML. - + - + @@ -495,7 +491,7 @@ The following example shows the encoded provisioning XML. - -``` \ No newline at end of file +``` diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index 8b44256d9e..d7c3443131 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md @@ -1,10 +1,7 @@ --- title: Certificate Renewal description: Learn how to find all the resources that you need to provide continuous access to client certificates. -MS-HAID: - - 'p\_phdevicemgmt.certificate\_renewal' - - 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -12,29 +9,32 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Certificate Renewal The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account. The enrollment client gets a new client certificate from the enrollment server, and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. -> [!Note] +> [!NOTE] > Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. ## Automatic certificate renewal request Windows supports automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that doesn't require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to do client Transport Layer Security (TLS). The user security token isn't needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renewal. -> [!Note] +> [!NOTE] > Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate. 
-For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. +For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP's](mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. -With automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content. +With automatic renewal, the PKCS\#7 message content isn't b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content. -During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). +During the automatic certificate renewal process, if the root certificate isn't trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](mdm/certificatestore-csp.md). During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used. 
@@ -94,28 +94,25 @@ The following example shows the details of an automatic renewal request.
 ## Certificate renewal schedule configuration
-In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP’s RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
+In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry. They're configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, the Windows device reminds the user with a dialog at every renewal retry time until the certificate is expired.
 For more information about the parameters, see the CertificateStore configuration service provider.
 Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week.
-> [!Note]
-> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
-
 ## Certificate renewal response
 When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
-- The signature of the PKCS\#7 BinarySecurityToken is correct
-- The client’s certificate is in the renewal period
-- The certificate was issued by the enrollment service
-- The requester is the same as the requester for initial enrollment
-- For standard client’s request, the client hasn’t been blocked
+- The signature of the PKCS\#7 BinarySecurityToken is correct
+- The client's certificate is in the renewal period
+- The certificate was issued by the enrollment service
+- The requester is the same as the requester for initial enrollment
+- For standard client's request, the client hasn't been blocked
 After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
-> [!Note]
+> [!NOTE]
 > The HTTP server response must not be chunked; it must be sent as one message.
 The following example shows the details of a certificate renewal response.
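Review bot: The `+In Windows, the renewal period can only be set during the MDM enrollment phase.` line at the top of this hunk contradicts its own third sentence, which says RenewPeriod and RenewInterval are configurable "by both MDM enrollment server and later by the MDM management server"; the commit only swaps the apostrophe, so the contradiction carries over unchanged. An administrator who trusts the first sentence may skip adjusting the renewal window after enrollment and leave devices unable to renew before the MDM client certificate expires, which the next paragraph warns cannot be recovered automatically. Either drop the first sentence or qualify it to say which setting is enrollment-only, consistent with the CertificateStore CSP reference the paragraph points to.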
@@ -145,14 +142,14 @@ The following example shows the details of a certificate renewal response.
 ```
-> [!Note]
+> [!NOTE]
 > The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
 ## Configuration service providers supported during MDM enrollment and certificate renewal
 The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
-- CertificateStore
-- w7 APPLICATION
-- DMClient
-- EnterpriseAppManagement
+- CertificateStore
+- w7 APPLICATION
+- DMClient
+- EnterpriseAppManagement
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/client-tools/administrative-tools-in-windows.md
similarity index 91%
rename from windows/client-management/administrative-tools-in-windows-10.md
rename to windows/client-management/client-tools/administrative-tools-in-windows.md
index 095188a9ba..a511db702c 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/client-tools/administrative-tools-in-windows.md
@@ -6,24 +6,22 @@ author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
 ms.localizationpriority: medium
-ms.date: 03/28/2022
+ms.date: 04/11/2023
 ms.topic: article
 ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
 ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Windows Tools/Administrative Tools
-**Applies to**
-
-- Windows 11
-- Windows 10
-
 **Windows Tools** is a folder in the Windows 11 Control Panel. **Administrative Tools** is a folder in the Windows 10 Control Panel. These folders contain tools for system administrators and advanced users.
-## Windows Tools folder (Windows 11)
+## Windows Tools folder
 The following graphic shows the **Windows Tools** folder in Windows 11:
@@ -33,7 +31,7 @@ The tools in the folder might vary depending on which edition of Windows you use
 :::image type="content" source="images/win11-windows-tools.png" alt-text="Screenshot of the contents of the Windows Tools folder in Windows 11." lightbox="images/win11-windows-tools.png":::
-## Administrative Tools folder (Windows 10)
+## Administrative Tools folder
 The following graphic shows the **Administrative Tools** folder in Windows 10:
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
similarity index 58%
rename from windows/client-management/change-default-removal-policy-external-storage-media.md
rename to windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
index d3410f5068..2959430065 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/client-tools/change-default-removal-policy-external-storage-media.md
@@ -1,26 +1,22 @@
 ---
-title: Windows 10 default media removal policy
-description: In Windows 10, version 1809, the default removal policy for external storage media changed from Better performance to Quick removal.
+title: Windows default media removal policy
+description: In Windows 10 and later, the default removal policy for external storage media changed from Better performance to Quick removal.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.date: 11/25/2020
+ms.date: 04/11/2023
 ms.topic: article
-ms.custom:
- - CI 111493
- - CI 125140
- - CSSTroubleshooting
-audience: ITPro
 ms.localizationpriority: medium
-manager: kaushika
+manager: aaroncz
 ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-# Change in default removal policy for external storage media in Windows 10, version 1809
+# Change in default removal policy for external storage media in Windows
-Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**.
-
-In earlier versions of Windows, the default policy was **Better performance**.
+Windows defines two main policies, **Quick removal** and **Better performance**, that control how the system interacts with external storage devices such as USB thumb drives or Thunderbolt-enabled external drives. Beginning in Windows 10 version 1809, the default policy is **Quick removal**. In earlier versions of Windows, the default policy was **Better performance**.
 You can change the policy setting for each external device, and the policy that you set remains in effect if you disconnect the device and then connect it again to the same computer port.
@@ -28,31 +24,32 @@ You can change the policy setting for each external device, and the policy that
 You can use the storage device policy setting to change the manner in which Windows manages storage devices to better meet your needs. The policy settings have the following effects:
-* **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
-* **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
- > [!IMPORTANT]
- > If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data.
+- **Quick removal**: This policy manages storage operations in a manner that keeps the device ready to remove at any time. You can remove the device without using the Safely Remove Hardware process. However, to do this, Windows cannot cache disk write operations. This may degrade system performance.
+- **Better performance**: This policy manages storage operations in a manner that improves system performance. When this policy is in effect, Windows can cache write operations to the external device. However, you must use the Safely Remove Hardware process to remove the external drive. The Safely Remove Hardware process protects the integrity of data on the device by making sure that all cached operations finish.
- > [!NOTE] - > If you select **Better performance**, we recommend that you also select **Enable write caching on the device**. +> [!IMPORTANT] +> If you use the **Better performance** policy, you must use the Safely Remove Hardware process to remove the device. If you remove or disconnect the device without following the safe removal instructions, you risk losing data. + +> [!NOTE] +> If you select **Better performance**, we recommend that you also select **Enable write caching on the device**. To change the policy for an external storage device: 1. Connect the device to the computer. -2. Right-click **Start**, then select **File Explorer**. -3. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**). -4. Right-click **Start**, then select **Disk Management**. -5. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**. - +1. Right-click **Start**, then select **File Explorer**. +1. In File Explorer, identify the letter or label that is associated with the device (for example, **USB Drive (D:)**). +1. Right-click **Start**, then select **Disk Management**. +1. In the lower section of the Disk Management window, right-click the label of the device, and then select **Properties**. + ![In Disk Management, right-click the device and click Properties.](./images/change-def-rem-policy-1.png) - -6. Select **Policies**. - - > [!NOTE] - > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. - > + +1. Select **Policies**. + + > [!NOTE] + > Some recent versions of Windows may use a different arrangement of tabs in the disk properties dialog box. + > > If you do not see the **Policies** tab, select **Hardware**, select the removable drive from the **All disk drives** list, and then select **Properties**. The **Policies** tab should now be available. - -7. Select the policy that you want to use. - + +1. 
Select the policy that you want to use. + ![Policy options for disk management.](./images/change-def-rem-policy-2.png)
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
similarity index 93%
rename from windows/client-management/connect-to-remote-aadj-pc.md
rename to windows/client-management/client-tools/connect-to-remote-aadj-pc.md
index 42c1d58c19..85c581ddd4 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/client-tools/connect-to-remote-aadj-pc.md
@@ -1,29 +1,29 @@
 ---
-title: Connect to remote Azure Active Directory joined device (Windows)
+title: Connect to remote Azure Active Directory joined device
 description: Learn how to use Remote Desktop Connection to connect to an Azure AD joined device.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.localizationpriority: medium
 ms.author: vinpa
-ms.date: 01/18/2022
+ms.date: 04/11/2023
 manager: aaroncz
 ms.topic: article
 appliesto:
- - ✅ Windows 10 and later
- - ✅ Windows 11 and later
+- ✅ Windows 11
+- ✅ Windows 10
 ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
 ms.technology: itpro-manage
 ---
 # Connect to remote Azure Active Directory joined device
-From its release, Windows has supported remote connections to devices joined to Active Directory using Remote Desktop Protocol (RDP). Windows 10, version 1607 added the ability to connect to a device that is joined to Azure Active Directory (Azure AD) using RDP.
+Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP).
 - Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
 - Starting in Windows 10/11, with 2022-10 update installed, you can [use Azure AD authentication to connect to the remote Azure AD device](#connect-with-azure-ad-authentication).
-
+
 ## Prerequisites
 - Both devices (local and remote) must be running a supported version of Windows.
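Review bot: The rewritten opening paragraph drops a letter: `Windows supports remote connections to devices joined to Active Directory s well as devices joined to Azure Active Directory (Azure AD) using Remote Desktop Protocol (RDP).` should read `... joined to Active Directory as well as devices joined to Azure Active Directory (Azure AD) ...`. The rest of the sentence and the two bullets that follow it are fine as written.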
@@ -39,20 +39,20 @@ Azure AD Authentication can be used on the following operating systems for both
 - Windows 11 with [2022-10 Cumulative Updates for Windows 11 (KB5018418)](https://support.microsoft.com/kb/KB5018418) or later installed.
 - Windows 10, version 20H2 or later with [2022-10 Cumulative Updates for Windows 10 (KB5018410)](https://support.microsoft.com/kb/KB5018410) or later installed.
 - Windows Server 2022 with [2022-10 Cumulative Update for Microsoft server operating system (KB5018421)](https://support.microsoft.com/kb/KB5018421) or later installed.
-
+
 There's no requirement for the local device to be joined to a domain or Azure AD. As a result, this method allows you to connect to the remote Azure AD joined device from:
 - [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join) or [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) device.
 - Active Directory joined device.
 - Workgroup device.
-
+
 Azure AD authentication can also be used to connect to Hybrid Azure AD joined devices.
 To connect to the remote computer:
 - Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
 - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files).
-- Specify the name of the remote computer and select **Connect**. 
+- Specify the name of the remote computer and select **Connect**.
 > [!NOTE]
 > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.
@@ -129,5 +129,3 @@ Remote Desktop Users group is used to grant users and groups permissions to remo
 ## Related articles
 [How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c)
-
-
diff --git a/windows/client-management/images/admin-tools-folder.png b/windows/client-management/client-tools/images/admin-tools-folder.png
similarity index 100%
rename from windows/client-management/images/admin-tools-folder.png
rename to windows/client-management/client-tools/images/admin-tools-folder.png
diff --git a/windows/client-management/images/admin-tools.png b/windows/client-management/client-tools/images/admin-tools.png
similarity index 100%
rename from windows/client-management/images/admin-tools.png
rename to windows/client-management/client-tools/images/admin-tools.png
diff --git a/windows/client-management/images/allow-rdp.png b/windows/client-management/client-tools/images/allow-rdp.png
similarity index 100%
rename from windows/client-management/images/allow-rdp.png
rename to windows/client-management/client-tools/images/allow-rdp.png
diff --git a/windows/client-management/images/change-def-rem-policy-1.png b/windows/client-management/client-tools/images/change-def-rem-policy-1.png
similarity index 100%
rename from windows/client-management/images/change-def-rem-policy-1.png
rename to windows/client-management/client-tools/images/change-def-rem-policy-1.png
diff --git a/windows/client-management/images/change-def-rem-policy-2.png b/windows/client-management/client-tools/images/change-def-rem-policy-2.png
similarity index 100%
rename from windows/client-management/images/change-def-rem-policy-2.png
rename to windows/client-management/client-tools/images/change-def-rem-policy-2.png
diff --git a/windows/client-management/images/checkmark.png b/windows/client-management/client-tools/images/checkmark.png
similarity index 100%
rename from windows/client-management/images/checkmark.png
rename to windows/client-management/client-tools/images/checkmark.png
diff --git a/windows/client-management/images/copy-to-change.png b/windows/client-management/client-tools/images/copy-to-change.png
similarity index 100%
rename from windows/client-management/images/copy-to-change.png
rename to windows/client-management/client-tools/images/copy-to-change.png
diff --git a/windows/client-management/images/copy-to-path.png b/windows/client-management/client-tools/images/copy-to-path.png
similarity index 100%
rename from windows/client-management/images/copy-to-path.png
rename to windows/client-management/client-tools/images/copy-to-path.png
diff --git a/windows/client-management/images/copy-to.PNG b/windows/client-management/client-tools/images/copy-to.png
similarity index 100%
rename from windows/client-management/images/copy-to.PNG
rename to windows/client-management/client-tools/images/copy-to.png
diff --git a/windows/client-management/images/crossmark.png b/windows/client-management/client-tools/images/crossmark.png
similarity index 100%
rename from windows/client-management/images/crossmark.png
rename to windows/client-management/client-tools/images/crossmark.png
diff --git a/windows/client-management/images/device-installation-apply-layered-policy-2.png b/windows/client-management/client-tools/images/device-installation-apply-layered-policy-2.png
similarity index 100%
rename from windows/client-management/images/device-installation-apply-layered-policy-2.png
rename to windows/client-management/client-tools/images/device-installation-apply-layered-policy-2.png
diff --git a/windows/client-management/images/device-installation-apply-layered_policy-1.png b/windows/client-management/client-tools/images/device-installation-apply-layered_policy-1.png
similarity index 100%
rename from windows/client-management/images/device-installation-apply-layered_policy-1.png
rename to windows/client-management/client-tools/images/device-installation-apply-layered_policy-1.png
diff --git a/windows/client-management/images/device-installation-dm-printer-by-device.png b/windows/client-management/client-tools/images/device-installation-dm-printer-by-device.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-printer-by-device.png
rename to windows/client-management/client-tools/images/device-installation-dm-printer-by-device.png
diff --git a/windows/client-management/images/device-installation-dm-printer-compatible-ids.png b/windows/client-management/client-tools/images/device-installation-dm-printer-compatible-ids.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-printer-compatible-ids.png
rename to windows/client-management/client-tools/images/device-installation-dm-printer-compatible-ids.png
diff --git a/windows/client-management/images/device-installation-dm-printer-details-screen.png b/windows/client-management/client-tools/images/device-installation-dm-printer-details-screen.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-printer-details-screen.png
rename to windows/client-management/client-tools/images/device-installation-dm-printer-details-screen.png
diff --git a/windows/client-management/images/device-installation-dm-printer-hardware-ids.png b/windows/client-management/client-tools/images/device-installation-dm-printer-hardware-ids.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-printer-hardware-ids.png
rename to windows/client-management/client-tools/images/device-installation-dm-printer-hardware-ids.png
diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection-blocked.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-blocked.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-by-connection-blocked.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-blocked.png
diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection-layering.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-layering.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-by-connection-layering.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection-layering.png
diff --git a/windows/client-management/images/device-installation-dm-usb-by-connection.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-connection.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-by-connection.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-connection.png
diff --git a/windows/client-management/images/device-installation-dm-usb-by-device.png b/windows/client-management/client-tools/images/device-installation-dm-usb-by-device.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-by-device.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-by-device.png
diff --git a/windows/client-management/images/device-installation-dm-usb-hwid.png b/windows/client-management/client-tools/images/device-installation-dm-usb-hwid.png
similarity index 100%
rename from windows/client-management/images/device-installation-dm-usb-hwid.png
rename to windows/client-management/client-tools/images/device-installation-dm-usb-hwid.png
diff --git a/windows/client-management/images/device-installation-flowchart.png b/windows/client-management/client-tools/images/device-installation-flowchart.png
similarity index 100%
rename from windows/client-management/images/device-installation-flowchart.png
rename to windows/client-management/client-tools/images/device-installation-flowchart.png
diff --git a/windows/client-management/images/device-installation-gpo-allow-device-id-list-printer.png b/windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-printer.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-allow-device-id-list-printer.png
rename to windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-printer.png
diff --git a/windows/client-management/images/device-installation-gpo-allow-device-id-list-usb.png b/windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-usb.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-allow-device-id-list-usb.png
rename to windows/client-management/client-tools/images/device-installation-gpo-allow-device-id-list-usb.png
diff --git a/windows/client-management/images/device-installation-gpo-prevent-class-list.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-class-list.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-prevent-class-list.png
rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-class-list.png
diff --git a/windows/client-management/images/device-installation-gpo-prevent-device-id-list-printer.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-printer.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-prevent-device-id-list-printer.png
rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-printer.png
diff --git a/windows/client-management/images/device-installation-gpo-prevent-device-id-list-usb.png b/windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-usb.png
similarity index 100%
rename from windows/client-management/images/device-installation-gpo-prevent-device-id-list-usb.png
rename to windows/client-management/client-tools/images/device-installation-gpo-prevent-device-id-list-usb.png
diff --git a/windows/client-management/images/msinfo32.png b/windows/client-management/client-tools/images/msinfo32.png
similarity index 100%
rename from windows/client-management/images/msinfo32.png
rename to windows/client-management/client-tools/images/msinfo32.png
diff --git a/windows/client-management/images/quick-assist-flow.png b/windows/client-management/client-tools/images/quick-assist-flow.png
similarity index 100%
rename from windows/client-management/images/quick-assist-flow.png
rename to windows/client-management/client-tools/images/quick-assist-flow.png
diff --git a/windows/client-management/images/quick-assist-get.png b/windows/client-management/client-tools/images/quick-assist-get.png
similarity index 100%
rename from windows/client-management/images/quick-assist-get.png
rename to windows/client-management/client-tools/images/quick-assist-get.png
diff --git a/windows/client-management/images/rdp.png b/windows/client-management/client-tools/images/rdp.png
similarity index 100%
rename from windows/client-management/images/rdp.png
rename to windows/client-management/client-tools/images/rdp.png
diff --git a/windows/client-management/images/refcmd.png b/windows/client-management/client-tools/images/refcmd.png
similarity index 100%
rename from windows/client-management/images/refcmd.png
rename to windows/client-management/client-tools/images/refcmd.png
diff --git a/windows/client-management/images/settings-page-visibility-gp.png b/windows/client-management/client-tools/images/settings-page-visibility-gp.png
similarity index 100%
rename from windows/client-management/images/settings-page-visibility-gp.png
rename to windows/client-management/client-tools/images/settings-page-visibility-gp.png
diff --git a/windows/client-management/images/slmgr_dlv.png b/windows/client-management/client-tools/images/slmgr-dlv.png
similarity index 100%
rename from windows/client-management/images/slmgr_dlv.png
rename to windows/client-management/client-tools/images/slmgr-dlv.png
diff --git a/windows/client-management/images/sysprep-error.png b/windows/client-management/client-tools/images/sysprep-error.png
similarity index 100%
rename from windows/client-management/images/sysprep-error.png
rename to windows/client-management/client-tools/images/sysprep-error.png
diff --git a/windows/client-management/images/systemcollage.png b/windows/client-management/client-tools/images/systemcollage.png
similarity index 100%
rename from windows/client-management/images/systemcollage.png
rename to windows/client-management/client-tools/images/systemcollage.png
diff --git a/windows/client-management/images/win11-control-panel-windows-tools.png b/windows/client-management/client-tools/images/win11-control-panel-windows-tools.png
similarity index 100%
rename from windows/client-management/images/win11-control-panel-windows-tools.png
rename to windows/client-management/client-tools/images/win11-control-panel-windows-tools.png
diff --git a/windows/client-management/images/win11-windows-tools.png b/windows/client-management/client-tools/images/win11-windows-tools.png
similarity index 100%
rename from windows/client-management/images/win11-windows-tools.png
rename to windows/client-management/client-tools/images/win11-windows-tools.png
diff --git a/windows/client-management/images/WinVer.PNG b/windows/client-management/client-tools/images/winver.png
similarity index 100%
rename from windows/client-management/images/WinVer.PNG
rename to windows/client-management/client-tools/images/winver.png
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
similarity index 69%
rename from windows/client-management/manage-device-installation-with-group-policy.md
rename to windows/client-management/client-tools/manage-device-installation-with-group-policy.md
index 6f1cf2860e..da685db207 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/client-tools/manage-device-installation-with-group-policy.md
@@ -4,21 +4,19 @@ description: Find out how to manage Device Installation Restrictions with Group
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.date: 09/14/2021
-ms.reviewer: 
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2022
 ---
 # Manage Device Installation with Group Policy
-**Applies to**
-
-- Windows 10
-- Windows 11
-- Windows Server 2022
-
 ## Summary
 By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy.
@@ -26,6 +24,7 @@ By using Windows operating systems, administrators can determine what devices ca
 ## Introduction
 ### General
+
 This step-by-step guide describes how you can control device installation on the computers that you manage, including designating which devices users can and can't install. This guide applies to all Windows versions starting with RS5 (1809). The guide includes the following scenarios:
 - Prevent users from installing devices that are on a "prohibited" list. If a device isn't on the list, then the user can install it.
@@ -63,7 +62,7 @@ You can ensure that users install only those devices that your technical support
 ## Scenario Overview
-The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
+The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site.
 Group Policy guides:
@@ -72,7 +71,7 @@ Group Policy guides: ### Scenario #1: Prevent installation of all printers -In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the ‘prevent/allow’ functionality of Device Installation policies in Group Policy. +In this scenario, the administrator wants to prevent users from installing any printers. Thus is a basic scenario to introduce you to the 'prevent/allow' functionality of Device Installation policies in Group Policy. ### Scenario #2: Prevent installation of a specific printer 
@@ -84,11 +83,11 @@ In this scenario, you'll combine what you learned from both scenario #1 and scen ### Scenario #4: Prevent installation of a specific USB device -This scenario, although similar to scenario #2, brings another layer of complexity – how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. +This scenario, although similar to scenario #2, brings another layer of complexity—how does device connectivity work in the PnP tree. The administrator wants to prevent standard users from installing a specific USB device. By the end of the scenario, you should understand the way devices are nested in layers under the PnP device connectivity tree. ### Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb drive -In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. +In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. 
The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the 'prevent' functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. ## Technology Review 
@@ -96,7 +95,7 @@ The following sections provide a brief overview of the core technologies discuss ### Device Installation in Windows -A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition - it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. +A device is a piece of hardware with which Windows interacts to perform some function, or in a more technical definition—it's a single instance of a hardware component with a unique representation in the Windows Plug and Play subsystem. Windows can communicate with a device only through a piece of software called a device-driver (also known as a _driver_). To install a driver, Windows detects the device, recognizes its type, and then finds the driver that matches that type. When Windows detects a device that has never been installed on the computer, the operating system queries the device to retrieve its list of device identification strings. A device usually has multiple device identification strings, which the device manufacturer assigns. The same device identification strings are included in the .inf file (also known as an _INF_) that is part of the driver package. Windows chooses which driver package to install by matching the device identification strings retrieved from the device to those strings included with the driver packages. @@ -107,7 +106,7 @@ The four types of identifiers are: - Device Instance ID - Device ID - Device setup classes -- ‘Removable Devices’ device type +- 'Removable Devices' device type #### Device Instance ID 
@@ -146,12 +145,12 @@ For more information, see [Device Setup Classes](/windows-hardware/drivers/insta This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. -The following two links provide the complete list of Device Setup Classes. ‘System Use’ classes are mostly referred to devices that come with a computer/machine from the factory, while ‘Vendor’ classes are mostly referred to devices that could be connected to an existing computer/machine: +The following two links provide the complete list of Device Setup Classes. 'System Use' classes are mostly referred to devices that come with a computer/machine from the factory, while 'Vendor' classes are mostly referred to devices that could be connected to an existing computer/machine: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -#### ‘Removable Device’ Device type +#### 'Removable Device' Device type Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. 
@@ -164,7 +163,7 @@ Device Installation section in Group Policy is a set of policies that control wh The following passages are brief descriptions of the Device Installation policies that are used in this guide. > [!NOTE] -> Device Installation control is applied only to machines (‘computer configuration’) and not users (‘user configuration’) by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. +> Device Installation control is applied only to machines ('computer configuration') and not users ('user configuration') by the nature of the Windows OS design. These policy settings affect all users who log on to the computer where the policy settings are applied. You can't apply these policies to specific users or groups except for the policy Allow administrators to override device installation policy. This policy exempts members of the local Administrators group from any of the device installation restrictions that you apply to the computer by configuring other policy settings as described in this section. #### Allow administrators to override Device Installation Restriction policies 
@@ -219,22 +218,22 @@ To complete each of the scenarios, ensure you have: - A client computer running Windows. -- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a “removable disk drive”, "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. +- A USB thumb drive. The scenarios described in this guide use a USB thumb drive as the example device (also known as a "removable disk drive", "memory drive," a "flash drive," or a "keyring drive"). Most USB thumb drives don't require any manufacturer-provided drivers, and these devices work with the inbox drivers provided with the Windows build. - A USB/network printer pre-installed on the machine. - Access to the administrator account on the testing machine. The procedures in this guide require administrator privileges for most steps. -### Understanding implications of applying ‘Prevent’ policies retroactive +### Understanding implications of applying 'Prevent' policies retroactive -All ‘Prevent’ policies can apply the block functionality to already installed devices—devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. +All 'Prevent' policies can apply the block functionality to already installed devices-devices that have been installed on the machine before the policy took effect. Using this option is recommended when the administrator isn't sure of the installation history of devices on the machine and would like to make sure the policy applies to all devices. 
-For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the “apply this policy to already installed devices” option. Marking this option will prevent access to already installed devices in addition to any future ones. +For example: A printer is already installed on the machine, preventing the installation of all printers will block any future printer from being installed while keeping only the installed printer usable. To apply the block retroactive, the administrator should check mark the "apply this policy to already installed devices" option. Marking this option will prevent access to already installed devices in addition to any future ones. This option is a powerful tool, but as such it has to be used carefully. > [!IMPORTANT] -> Applying the ‘Prevent retroactive’ option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all ‘Disk Drives’ could block the access to the disk on which the OS boots with; Preventing retroactive all ‘Net’ could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. +> Applying the 'Prevent retroactive' option to crucial devices could render the machine useless/unacceptable! For example: Preventing retroactive all 'Disk Drives' could block the access to the disk on which the OS boots with; Preventing retroactive all 'Net' could block this machine from accessing network and to fix the issue the admin will have to have a direct connection. ## Determine device identification strings 
@@ -249,19 +248,19 @@ To find device identification strings using Device Manager 1. Make sure your printer is plugged in and installed. -2. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. +1. To open Device Manager, click the Start button, type mmc devmgmt.msc in the Start Search box, and then press ENTER; or search for Device Manager as application. -3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. +1. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. -4. Find the “Printers” section and find the target printer +1. Find the "Printers" section and find the target printer ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)
_Selecting the printer in Device Manager_ -5. Double-click the printer and move to the ‘Details’ tab. +1. Double-click the printer and move to the 'Details' tab. - ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)
_Open the ‘Details’ tab to look for the device identifiers_ + !['Details' tab.](images/device-installation-dm-printer-details-screen.png)
_Open the 'Details' tab to look for the device identifiers_ -6. From the ‘Value’ window, copy the most detailed Hardware ID – we'll use this value in the policies. +1. From the 'Value' window, copy the most detailed Hardware ID—we'll use this value in the policies. ![HWID.](images/device-installation-dm-printer-hardware-ids.png) 
@@ -311,24 +310,24 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. +1. Disable all previous Device Installation policies, except 'Apply layered order of evaluation'-although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters -4. Have a USB/network printer available to test the policy with +1. Have a USB/network printer available to test the policy with -### Scenario steps – preventing installation of prohibited devices +### Scenario steps - preventing installation of prohibited devices Getting the right device identifier to prevent it from being installed: 1. If you have on your system a device from the class you want to block, you could follow the steps in the previous section to find the Device Class identifier through Device Manager or PnPUtil (Class GUID). -2. If you don’t have such device installed on your system or know the name of the class, you can check the following two links: +1. If you don't have such device installed on your system or know the name of the class, you can check the following two links: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -3. 
Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: +1. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: > Printers\ > Class = Printer\ 
@@ -340,40 +339,40 @@ Getting the right device identifier to prevent it from being installed: Creating the policy to prevent all printers from being installed: -1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor-either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled (recommended to keep ‘applied layered order of evaluation’ policy enabled). +1. Make sure all policies are disabled (recommended to keep 'applied layered order of evaluation' policy enabled). -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this convention is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +1. Enter the printer class GUID you found above with the curly braces: `{4d36e979-e325-11ce-bfc1-08002be10318}`. 
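Review bot: The rewritten step 6 under "Creating the policy to prevent all printers from being installed" drops the caveat that the class GUID must be entered with its curly braces, while the equivalent step in scenario #3 (a later hunk of this patch) still keeps it, so the two procedures now disagree. The removed text stated that the entry otherwise won't work, which is exactly the kind of detail an administrator needs when a Prevent rule silently fails to match; if the caveat is wrong it should be removed in both places, and if it is right it should stay here too. Suggest `1. Enter the printer class GUID you found above, including the curly braces (the entry doesn't match without them): `{4d36e979-e325-11ce-bfc1-08002be10318}`.`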
![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ -7. Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. -9. Optional – if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ +1. Optional—if you would like to apply the policy to existing installs: Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' > [!IMPORTANT] -> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using ‘Disk Drive’ class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. +> Using a Prevent policy (like the one we used in scenario #1 above) and applying it to all previously installed devices (see step #9) could render crucial devices unusable; hence, use with caution. For example: If an IT admin wants to prevent all removable storage devices from being installed on the machine, using 'Disk Drive' class for blocking and applying it retroactive could render the internal hard-drive unusable and to break the machine. ### Testing the scenario -1. 
If you haven't completed step #9 – follow these steps: +1. If you haven't completed step #9, follow these steps: - 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. - 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. + 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". + 1. For USB printer—unplug and plug back the cable; for network device—make a search for the printer in the Windows Settings app. 1. You shouldn't be able to reinstall the printer. -2. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. +1. If you completed step #9 above and restarted the machine, look for your printer under Device Manager or the Windows Settings app and see that it's no-longer available for you to use. ## Scenario #2: Prevent installation of a specific printer 
@@ -385,39 +384,39 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. +1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation' (this prerequisite is optional to be On/Off this scenario). Although the policy is disabled in default, it's recommended to be enabled in most practical applications. For scenario #2, it's optional. -### Scenario steps – preventing installation of a specific device +### Scenario steps - preventing installation of a specific device Getting the right device identifier to prevent it from being installed: -1. Get your printer’s Hardware ID – in this example we'll use the identifier we found previously +1. Get your printer's Hardware ID. In this example we'll use the identifier we found previously. ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)
_Printer Hardware ID_ -2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers +1. Write down the device ID (in this case Hardware ID): `WSDPRINT\CanonMX920_seriesC1A0;`. Take the more specific identifier to make sure you block a specific printer and not a family of printers Creating the policy to prevent a single printer from being installed: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. Open Group Policy Object Editor. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -4. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to block. -5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0 +1. Enter the printer device ID you found above: `WSDPRINT\CanonMX920_seriesC1A0`. ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)
_Prevent Device ID list_ -6. Click ‘OK’. +1. Click 'OK'. -7. Click ‘Apply’ on the bottom right of the policy’s window. This option pushes the policy and blocks the target printer in future installations, but doesn’t apply to an existing install. +1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target printer in future installations, but doesn't apply to an existing install. -8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’. +1. Optionally, if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'Also apply to matching devices that are already installed'. ### Testing the scenario @@ -425,12 +424,11 @@ If you completed step #8 above and restarted the machine, look for your printer If you haven't completed step #8, follow these steps: -1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. +1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click "Uninstall device". -2. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. - -3. You shouldn't be able to reinstall the printer. +1. For USB printer, unplug and plug back the cable; for network device, make a search for the printer in the Windows Settings app. +1. You shouldn't be able to reinstall the printer. ## Scenario #3: Prevent installation of all printers while allowing a specific printer to be installed 
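Review bot: In the "Write down the device ID" step of scenario #2, the rewrite moved the semicolon that separated two sentences inside the new code span, so the formatted value now ends in a stray `;`, whereas step 5 of the same hunk and the Hardware ID listed for scenario #3 give the identifier without it. A reader who copies the code span as shown into the Prevent policy would presumably enter an ID that does not match the printer, and the block would not take effect. Move the semicolon out of the code span: `1. Write down the device ID (in this case Hardware ID): `WSDPRINT\CanonMX920_seriesC1A0`. Take the more specific identifier to make sure you block a specific printer and not a family of printers.`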
@@ -442,67 +440,66 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, and enable ‘Apply layered order of evaluation’. +1. Disable all previous Device Installation policies, and enable 'Apply layered order of evaluation'. -3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters. +1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters. -4. Have a USB/network printer available to test the policy with. +1. Have a USB/network printer available to test the policy with. -### Scenario steps – preventing installation of an entire class while allowing a specific printer +### Scenario steps - preventing installation of an entire class while allowing a specific printer -Getting the device identifier for both the Printer Class and a specific printer – following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: +Getting the device identifier for both the Printer Class and a specific printer—following the steps in scenario #1 to find Class identifier and scenario #2 to find Device identifier you could get the identifiers you need for this scenario: - ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318} - Hardware ID = WSDPRINT\CanonMX920_seriesC1A0 -First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one: +First create a 'Prevent Class' policy and then create 'Allow Device' one: -1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. +1. 
Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI. -2. Navigate to the Device Installation Restriction page: +1. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions -3. Make sure all policies are disabled +1. Make sure all policies are disabled -4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button. +1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button. -5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block. -6. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318} +1. Enter the printer class GUID you found above with the curly braces (this value is important! Otherwise, it won't work): {4d36e979-e325-11ce-bfc1-08002be10318} ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)
_List of prevent Class GUIDs_ -7. Click ‘OK’. +1. Click 'OK'. -8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future printer installations, but doesn’t apply to existing installs. +1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and blocks all future printer installations, but doesn't apply to existing installs. -9. To complete the coverage of all future and existing printers – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’ +1. To complete the coverage of all future and existing printers, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK' -10. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device. +1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it—this policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device. - ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png) + :::image type="content" alt-text="Screenshot of Local Group Policy Editor that shows the policies under Device Installation Restrictions and the policy named in this step." 
source="images/device-installation-apply-layered_policy-1.png" lightbox="images/device-installation-apply-layered_policy-1.png"::: - ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)
_Apply layered order of evaluation policy_ + [![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.](images/device-installation-apply-layered-policy-2.png)](images/device-installation-apply-layered-policy-2.png#lightbox)
_Apply layered order of evaluation policy_ -9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button. +1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button. -10. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow. +1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow. -11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. +1. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0. ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)
_Allow Printer Hardware ID_ -12. Click ‘OK’. +1. Click 'OK'. -13. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and allows the target printer to be installed (or stayed installed). +1. Click 'Apply' on the bottom right of the policy's window—this option pushes the policy and allows the target printer to be installed (or stayed installed). ## Testing the scenario 1. Look for your printer under Device Manager or the Windows Settings app and see that it's still there and accessible. Or just print a test document. -2. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer – you shouldn't be bale to print anything or able to access the printer at all. - +1. Go back to the Group Policy Editor, disable **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and test again your printer—you shouldn't be bale to print anything or able to access the printer at all. ## Scenario #4: Prevent installation of a specific USB device 
@@ -514,67 +511,65 @@ Setting up the environment for the scenario with the following steps:
 1. Open Group Policy Editor and navigate to the Device Installation Restriction section
-2. Ensure all previous Device Installation policies are disabled except ‘Apply layered order of evaluation’ (this prerequisite is optional to be On/Off this scenario) – although the policy is disabled in default, it's recommended to be enabled in most practical applications.
+1. Ensure all previous Device Installation policies are disabled except 'Apply layered order of evaluation'. This prerequisite is optional to be On/Off this scenario. Although the policy is disabled in default, it's recommended to be enabled in most practical applications.
-### Scenario steps – preventing installation of a specific device
+### Scenario steps - preventing installation of a specific device
 Getting the right device identifier to prevent it from being installed and its location in the PnP tree:
 1. Connect a USB thumb drive to the machine
-2. Open Device Manager
+1. Open Device Manager
+
+1. Find the USB thumb-drive and select it.
-3. Find the USB thumb-drive and select it.
-
 ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)
_Selecting the usb thumb-drive in Device Manager_
-4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
+1. Change View (in the top menu) to 'Devices by connections'. This view represents the way devices are installed in the PnP tree.
 ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)
_Changing view in Device Manager to see the PnP connection tree_
 > [!NOTE]
- > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
-
+ > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a "Generic USB Hub" from being installed, all the devices that lay below a "Generic USB Hub" will be blocked.
+
 ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)
_When blocking one device, all the devices that are nested below it will be blocked as well_
-5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
+1. Double-click the USB thumb-drive and move to the 'Details' tab.
+
+1. From the 'Value' window, copy the most detailed Hardware ID-we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
-6. From the ‘Value’ window, copy the most detailed Hardware ID—we'll use this value in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
-
 ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)
_USB device hardware IDs_
 Creating the policy to prevent a single USB thumb-drive from being installed:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor and either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
 > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Open **Prevent installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-4. In the lower left side, in the ‘Options’ window, click the ‘Show’ box. This option will take you to a table where you can enter the device identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show' box. This option will take you to a table where you can enter the device identifier to block.
+
+1. Enter the USB thumb-drive device ID you found above—`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
-5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
-
 ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)
_Prevent Device IDs list_
-6. Click ‘OK’.
+1. Click 'OK'.
-7. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn’t apply to an existing install.
-
-8. Optional – if you would like to apply the policy to an existing install: Open the **Prevent installation of devices that match any of these device IDs** policy again; in the ‘Options’ window, mark the checkbox that says ‘also apply to matching devices that are already installed’
+1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks the target USB thumb-drive in future installations, but doesn't apply to an existing install.
+1. Optional - if you would like to apply the policy to an existing install, open the **Prevent installation of devices that match any of these device IDs** policy again. In the 'Options' window, mark the checkbox that says 'also apply to matching devices that are already installed'.
 ### Testing the scenario
-1. If you haven't completed step #8 – follow these steps:
+1. If you haven't completed step #8, follow these steps:
- - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click “Uninstall device”.
+ - Uninstall your USB thumb-drive: Device Manager > Disk drives > right click the target USB thumb-drive > click "Uninstall device".
 - You shouldn't be able to reinstall the device.
-2. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
-
+1. If you completed step #8 above and restarted the machine, look for your Disk drives under Device Manager and see that it's no-longer available for you to use.
 ## Scenario #5: Prevent installation of all USB devices while allowing an installation of only an authorized USB thumb-drive
@@ -586,15 +581,15 @@ Setting up the environment for the scenario with the following steps:
 1. Open Group Policy Editor and navigate to the Device Installation Restriction section.
-2. Disable all previous Device Installation policies, and **enable** ‘Apply layered order of evaluation’.
+1. Disable all previous Device Installation policies, and **enable** 'Apply layered order of evaluation'.
-3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters.
+1. If there are any enabled policies, changing their status to 'disabled', would clear them from all parameters.
-4. Have a USB thumb-drive available to test the policy with.
+1. Have a USB thumb-drive available to test the policy with.
-### Scenario steps – preventing installation of all USB devices while allowing only an authorized USB thumb-drive
+### Scenario steps - preventing installation of all USB devices while allowing only an authorized USB thumb-drive
-Getting the device identifier for both the USB Classes and a specific USB thumb-drive – following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
+Getting the device identifier for both the USB Classes and a specific USB thumb-drive and following the steps in scenario #1 to find Class identifier and scenario #4 to find Device identifier you could get the identifiers you need for this scenario:
 - USB Bus Devices (hubs and host controllers) - Class = USB
@@ -610,16 +605,16 @@ Getting the device identifier for both the USB Classes and a specific USB thumb-
 As mentioned in scenario #4, it's not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. The IT admin has to ensure all the USB devices that preceding the target one aren't blocked (allowed) as well. In Our case the following devices has to be allowed so the target USB thumb-drive could be allowed as well:
-- “Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -> PCI\CC_0C03
-- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
-- “Generic USB Hub” -> USB\USB20_HUB
-
+- "Intel(R) USB 3.0 eXtensible Host Controller - 1.0 (Microsoft)" -> PCI\CC_0C03
+- "USB Root Hub (USB 3.0)" -> USB\ROOT_HUB30
+- "Generic USB Hub" -> USB\USB20_HUB
+
 ![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)
_USB devices nested under each other in the PnP tree_
 These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them shouldn't enable any external/peripheral device from being installed on the machine.
 > [!IMPORTANT]
-> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list:
+> Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an 'Allow list' in such cases. See below for the list:
 >
 > PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/
 > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/
@@ -629,49 +624,49 @@ These devices are internal devices on the machine that define the USB port conne
 >
 > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done.
-First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one:
+First create a 'Prevent Class' policy and then create 'Allow Device' one:
-1. Open Group Policy Object Editor – either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI.
+1. Open Group Policy Object Editor: either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search "Group Policy Editor" and open the UI.
-2. Navigate to the Device Installation Restriction page:
+1. Navigate to the Device Installation Restriction page:
 > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions
-3. Make sure all policies are disabled
+1. Make sure all policies are disabled
-4. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the ‘Enable’ radio button.
+1. Open **Prevent installation of devices using drivers that match these device setup classes** policy and select the 'Enable' radio button.
-5. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the class identifier to block.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the class identifier to block.
-6. Enter both USB classes GUID you found above with the curly braces:
+1. Enter both USB classes GUID you found above with the curly braces:
 > {36fc9e60-c465-11cf-8056-444553540000}/
- > {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
+ > {88BAE032-5A81-49f0-BC3D-A4FF138216D6}
-7. Click ‘OK’.
+1. Click 'OK'.
-8. Click ‘Apply’ on the bottom right of the policy’s window – this option pushes the policy and blocks all future USB device installations, but doesn’t apply to existing installs.
+1. Click 'Apply' on the bottom right of the policy's window. This option pushes the policy and blocks all future USB device installations, but doesn't apply to existing installs.
 > [!IMPORTANT]
 > The previous step prevents all future USB devices from being installed. Before you move to the next step make sure you have as complete list as possible of all the USB Host Controllers, USB Root Hubs and Generic USB Hubs Device IDs available to prevent blocking you from interacting with your system through keyboards and mice.
-9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
+1. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it. This policy will enable you to override the wide coverage of the 'Prevent' policy with a specific device.
 ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)
_Apply layered order of evaluation policy_
-10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
+1. Now Open **Allow installation of devices that match any of these device IDs** policy and select the 'Enable' radio button.
-11. In the lower left side, in the ‘Options’ window, click the ‘Show…’ box. This option will take you to a table where you can enter the device identifier to allow.
+1. In the lower left side, in the 'Options' window, click the 'Show...' box. This option will take you to a table where you can enter the device identifier to allow.
-12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
+1. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation—`USBSTOR\DiskGeneric_Flash_Disk______8.07`.
 ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)
_Allowed USB Device IDs list_
-13. Click ‘OK’.
+1. Click 'OK'.
-14. Click ‘Apply’ on the bottom right of the policy’s window.
+1. Click 'Apply' on the bottom right of the policy's window.
-15. To apply the ‘Prevent’ coverage of all currently installed USB devices – Open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the ‘Options’ window mark the checkbox that says ‘also apply to matching devices that are already installed’ and click ‘OK’.
+1. To apply the 'Prevent' coverage of all currently installed USB devices, open the **Prevent installation of devices using drivers that match these device setup classes** policy again; in the 'Options' window mark the checkbox that says 'also apply to matching devices that are already installed' and click 'OK'.
 ### Testing the scenario
diff --git a/windows/client-management/client-tools/manage-settings-app-with-group-policy.md b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
new file mode 100644
index 0000000000..a0af81bb73
--- /dev/null
+++ b/windows/client-management/client-tools/manage-settings-app-with-group-policy.md
@@ -0,0 +1,44 @@
+---
+title: Manage the Settings app with Group Policy
+description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users.
+ms.prod: windows-client
+author: vinaypamnani-msft
+ms.date: 04/13/2023
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+- ✅ Windows Server 2016
+---
+
+# Manage the Settings app with Group Policy
+
+You can manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users.
+
+> [!NOTE]
+> To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. Each server that you want to manage access to the Settings App must be patched.
+
+If your organization uses the [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for Group Policy management, to manage the policies, copy the ControlPanel.admx and ControlPanel.adml file to PolicyDefinitions folder.
+
+This policy is available for both User and Computer configurations.
+
+- **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+- **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
+
+![Settings page visibility policy.](images/settings-page-visibility-gp.png)
+
+## Configuring the Group Policy
+
+The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
+
+> [!IMPORTANT]
+> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string.
+
+For example:
+
+- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**.
+- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**.
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/client-tools/mandatory-user-profile.md
similarity index 60%
rename from windows/client-management/mandatory-user-profile.md
rename to windows/client-management/client-tools/mandatory-user-profile.md
index 0771fcc433..181e7485db 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/client-tools/mandatory-user-profile.md
@@ -1,46 +1,44 @@
 ---
-title: Create mandatory user profiles (Windows 10 and Windows 11)
+title: Create mandatory user profiles
 description: A mandatory user profile is a special type of pre-configured roaming user profile that administrators can use to specify settings for users.
 ms.prod: windows-client
 author: vinaypamnani-msft
 ms.author: vinpa
-ms.date: 09/14/2021
+ms.date: 04/11/2023
 ms.reviewer:
 manager: aaroncz
 ms.topic: article
 ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
 ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Create mandatory user profiles
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
+A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to) icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
 Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles.
When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile.
-User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
+User profiles become mandatory profiles when the administrator renames the `NTuser.dat` file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile.
 ## Profile extension for each Windows version
 The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version.
-| Client operating system version | Server operating system version | Profile extension |
-| --- | --- | --- |
-| Windows XP | Windows Server 2003
Windows Server 2003 R2 | none |
-| Windows Vista
Windows 7 | Windows Server 2008
Windows Server 2008 R2 | v2 |
-| Windows 8 | Windows Server 2012 | v3 |
-| Windows 8.1 | Windows Server 2012 R2 | v4 |
-| Windows 10, versions 1507 and 1511 | N/A | v5 |
-| Windows 10, versions 1607, 1703, 1709, 1803, 1809, 1903 and 1909 | Windows Server 2016 and Windows Server 2019 | v6 |
+| Client operating system version | Server operating system version | Profile extension |
+|-------------------------------------|-------------------------------------------------|-------------------|
+| Windows XP | Windows Server 2003
Windows Server 2003 R2 | none |
+| Windows Vista
Windows 7 | Windows Server 2008
Windows Server 2008 R2 | v2 |
+| Windows 8 | Windows Server 2012 | v3 |
+| Windows 8.1 | Windows Server 2012 R2 | v4 |
+| Windows 10, versions 1507 and 1511 | N/A | v5 |
+| Windows 10, versions 1607 and later | Windows Server 2016 and Windows Server 2019 | v6 |
 For more information, see [Deploy Roaming User Profiles, Appendix B](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](/troubleshoot/windows-server/user-profiles-and-logon/roaming-user-profiles-versioning).
@@ -50,33 +48,33 @@ First, you create a default user profile with the customizations that you want,
 ### How to create a default user profile
-1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account.
+1. Sign in to a computer running Windows as a member of the local Administrator group. Do not use a domain account.
 > [!NOTE]
- > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
+ > Use a lab or extra computer running a clean installation of Windows to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders.
 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on.
 > [!NOTE]
 > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics).
-1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile.
You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
+1. [Create an answer file (Unattend.xml)](/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user's profile folder to the default user profile. You can use [Windows System Image Manager](/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file.
-1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](/windows/application-management/apps-in-windows-10).
+1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows Application see [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true). For a list of uninstallable applications, see [Understand the different apps included in Windows](/windows/application-management/apps-in-windows-10).
 > [!NOTE]
 > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times.
 1. At a command prompt, type the following command and press **ENTER**.
- ```console
+ ```cmd
 sysprep /oobe /reboot /generalize /unattend:unattend.xml
 ```
- (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep.
By default, Sysprep looks for unattend.xml in this same folder.)
+ (Sysprep.exe is located at: `C:\Windows\System32\sysprep`. By default, Sysprep looks for `unattend.xml` in the same folder.)
 > [!TIP]
- > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
+ > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open `%WINDIR%\System32\Sysprep\Panther\setupact.log` and look for an entry like the following:
 >
 > ![Microsoft Bing Translator package error.](images/sysprep-error.png)
 >
@@ -88,7 +86,6 @@ First, you create a default user profile with the customizations that you want,
 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
- ![Example of User Profiles UI.](images/copy-to.png)
 1. In **Copy To**, under **Permitted to use**, click **Change**.
@@ -97,7 +94,7 @@ First, you create a default user profile with the customizations that you want,
 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
-1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
+1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with `.v6` to identify it as a user profile folder for Windows 10, version 1607 or later.
 - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
@@ -105,8 +102,6 @@ First, you create a default user profile with the customizations that you want,
 - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- ![Example of Copy To UI with UNC path.](images/copy-to-path.png)
-
 1. Click **OK** to copy the default user profile.
 ### How to make the user profile mandatory
@@ -118,6 +113,13 @@ First, you create a default user profile with the customizations that you want,
 1. Rename `Ntuser.dat` to `Ntuser.man`.
+### Verify the correct owner for the mandatory profile folders
+
+1. Open the properties of the "profile.v6" folder.
+1. Select the **Security** tab and then select **Advanced**.
+1. Verify the **Owner** of the folder. It must be the builtin **Administrators** group. To change the owner, you must be a member of the Administrators group on the file server, or have "Set owner" privilege on the server.
+1. When you set the owner, select **Replace owner on subcontainers and objects** before you click OK.
+
 ## Apply a mandatory user profile to users
 In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server.
@@ -130,7 +132,7 @@ In a domain, you modify properties for the user account to point to the mandator
 1. Right-click the user name and open **Properties**.
-1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile.
+1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is `\\server\share\profile.v6`, you would enter `\\server\share\profile`.
 1. Click **OK**.
@@ -138,16 +140,16 @@ It may take some time for this change to replicate to all domain controllers. ## Apply policies to improve sign-in time -When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.) +When a user is configured with a mandatory profile, Windows starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. -| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | -| --- | --- | --- | --- | --- | -| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | -| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | +| Group Policy setting | Windows 10 | Windows Server 2016 | +|-----------------------------------------------------------------------------------------------------------------------------------------------|:----------:|:-------------------:| +| Computer 
Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ✅ | ✅ | +| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ✅ | ✅ | +| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ✅ | ❌ | > [!NOTE] -> The Group Policy settings above can be applied in Windows 10 Professional edition. +> The Group Policy settings above can be applied in Windows Professional edition. ## Related topics diff --git a/windows/client-management/quick-assist.md b/windows/client-management/client-tools/quick-assist.md similarity index 96% rename from windows/client-management/quick-assist.md rename to windows/client-management/client-tools/quick-assist.md index 4e59e30993..9997673adf 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/client-tools/quick-assist.md @@ -1,6 +1,7 @@ --- title: Use Quick Assist to help users description: Learn how IT Pros can use Quick Assist to help users. +ms.date: 04/11/2023 ms.prod: windows-client ms.topic: article ms.technology: itpro-manage @@ -10,12 +11,11 @@ ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal appliesto: - - ✅ Windows 10 and later - - ✅ Windows 11 and later +- ✅ Windows 11 +- ✅ Windows 10 ms.collection: - - highpri - - tier1 -ms.date: 03/06/2023 +- highpri +- tier1 --- # Use Quick Assist to help users 
@@ -26,9 +26,6 @@ Quick Assist is a Microsoft Store application that enables a person to share the All that's required to use Quick Assist is suitable network and internet connectivity. No roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn't have to authenticate. -> [!IMPORTANT] -> Quick Assist is not available in the Azure Government cloud. - ### Authentication The helper can authenticate when they sign in by using a Microsoft account (MSA) or Azure Active Directory (Azure AD). Local Active Directory authentication isn't currently supported. diff --git a/windows/client-management/client-tools/toc.yml b/windows/client-management/client-tools/toc.yml new file mode 100644 index 0000000000..311cb0c84f --- /dev/null +++ b/windows/client-management/client-tools/toc.yml @@ -0,0 +1,19 @@ +items: + - name: Windows Tools/Administrative Tools + href: administrative-tools-in-windows.md + - name: Use Quick Assist to help users + href: quick-assist.md + - name: Connect to remote Azure Active Directory-joined PC + href: connect-to-remote-aadj-pc.md + - name: Create mandatory user profiles + href: mandatory-user-profile.md + - name: Manage Device Installation with Group Policy + href: manage-device-installation-with-group-policy.md + - name: Manage the Settings app with Group Policy + href: manage-settings-app-with-group-policy.md + - name: Manage default media removal policy + href: change-default-removal-policy-external-storage-media.md + - name: What version of Windows am I running + href: windows-version-search.md + - name: Windows libraries + href: windows-libraries.md diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/client-tools/windows-libraries.md similarity index 72% rename from windows/client-management/windows-libraries.md rename to windows/client-management/client-tools/windows-libraries.md index 89b5f46cfd..12e7efd5db 100644 
--- a/windows/client-management/windows-libraries.md
+++ b/windows/client-management/client-tools/windows-libraries.md
@@ -1,26 +1,30 @@ --- -ms.reviewer: -manager: aaroncz title: Windows Libraries +description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. ms.prod: windows-client +author: vinaypamnani-msft ms.author: vinpa -ms.manager: dongill +manager: aaroncz +ms.reviewer: ms.technology: itpro-manage ms.topic: article -author: vinaypamnani-msft -description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures. -ms.date: 09/15/2021 +ms.date: 04/11/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +- ✅ Windows Server 2022 +- ✅ Windows Server 2019 +- ✅ Windows Server 2016 --- # Windows libraries -> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 - -Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. +Libraries are virtual containers for users' content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location. ## Features for Users Windows libraries are backed by full content search and rich metadata. 
Libraries offer the following advantages to users: + - Aggregate content from multiple storage locations into a single, unified presentation. - Enable users to stack and group library contents based on metadata. - Enable fast, full-text searches across multiple storage locations, from Windows Explorer or from the Start menu. @@ -30,6 +34,7 @@ Windows libraries are backed by full content search and rich metadata. Libraries ## Features for Administrators Administrators can configure and control Windows libraries in the following methods: + - Create custom libraries by creating and deploying Library Description (*.library-ms) files. - Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.) - Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. @@ -48,6 +53,7 @@ Including a folder in a library doesn't physically move or change the storage lo ### Default Libraries and Known Folders The default libraries include: + - Documents - Music - Pictures 
@@ -64,16 +70,17 @@ Users or administrators can hide or delete the default libraries, though the lib Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails. -### Indexing Requirements and “Basic” Libraries +### Indexing Requirements and "Basic" Libraries Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality: + - No support for metadata browsing via **Arrange By** views. - Grep-only searches. - Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. - No support for searching from the Start menu. Start menu searches don't return files from basic libraries. - No previews of file snippets for search results returned in Content mode. -To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. 
Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder "Always available offline" creates a local copy of the folder's files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations). 
@@ -81,20 +88,20 @@ If your environment doesn't support caching files locally, you should enable the ### Folder Redirection -While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. +While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the "My Documents" folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. ### Supported storage locations The following table shows which locations are supported in Windows libraries. -|Supported Locations|Unsupported Locations| -|---|---| -|Fixed local volumes (NTFS/FAT)|Removable drives| -|Shares that are indexed (departmental servers*, Windows home PCs)|Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster| -|Shares that are available offline (redirected folders that use Offline Files)|Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices| -||Other data sources: SharePoint, Exchange, etc.| +| Supported Locations | Unsupported Locations | +|--|--| +| Fixed local volumes (NTFS/FAT) | Removable drives | +| Shares that are indexed (departmental servers*, Windows home PCs) | Removable media (such as DVDs)

Network shares that are accessible through DFS Namespaces or are part of a failover cluster | +| Shares that are available offline (redirected folders that use Offline Files) | Network shares that aren't available offline or remotely indexed

Network Attached Storage (NAS) devices | +| | Other data sources: SharePoint, Exchange, etc. | -\* For shares that are indexed on a departmental server, Windows Search works well in workgroups or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: +\* For shares that are indexed on a departmental server, Windows Search works well in a workgroup or on a domain server that has similar characteristics to a workgroup server. For example, Windows Search works well on a single share departmental server with the following characteristics: - Expected maximum load is four concurrent query requests. - Expected indexing corpus is a maximum of one million documents. @@ -104,6 +111,7 @@ The following table shows which locations are supported in Windows libraries. ### Library Attributes The following library attributes can be modified within Windows Explorer, the Library Management dialog, or the Library Description file (*.library-ms): + - Name - Library locations - Order of library locations @@ -111,7 +119,7 @@ The following library attributes can be modified within Windows Explorer, the Li The library icon can be modified by the administrator or user by directly editing the Library Description schema file. -See the [Library Description Schema](/windows/win32/shell/library-schema-entry) topic on MSDN for information on creating Library Description files. +See [Library Description Schema](/windows/win32/shell/library-schema-entry) for information on creating Library Description files. ## See also 
@@ -127,4 +135,4 @@ See the [Library Description Schema](/windows/win32/shell/library-schema-entry) ### Other resources - [Folder Redirection, Offline Files, and Roaming User Profiles](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)) -- [Library Description Schema](/windows/win32/shell/library-schema-entry) \ No newline at end of file +- [Library Description Schema](/windows/win32/shell/library-schema-entry) diff --git a/windows/client-management/client-tools/windows-version-search.md b/windows/client-management/client-tools/windows-version-search.md new file mode 100644 index 0000000000..42f0454fa7 --- /dev/null +++ b/windows/client-management/client-tools/windows-version-search.md 
@@ -0,0 +1,54 @@
+---
+title: What version of Windows am I running?
+description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
+ms.prod: windows-client
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.date: 04/13/2023
+ms.reviewer:
+manager: aaroncz
+ms.topic: troubleshooting
+ms.technology: itpro-manage
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# What version of Windows am I running?
+
+The [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) build of Windows doesn't contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It's important to remember that the LTSC model is primarily for specialized devices.
+
+In the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels), you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
+
+To determine if your device is enrolled in the Long-Term Servicing Channel or the General Availability Channel, you'll need to know what version of Windows you're running. There are a few ways to figure this out. Each method provides a different set of details, so it's useful to learn about all of them.
+
+## System Properties
+
+Select **Start** > **Settings** > **System**, then select **About**. You'll then see **Edition**, **Version**, and **OS Build** information.
+
+:::image type="content" source="images/systemcollage.png" alt-text="screenshot of the system properties window for a device running Windows 10.":::
+
+## Using Keyword Search
+
+You can type the following in the search bar and press **ENTER** to see version details for your device.
+
+- **"winver"**:
+
+ :::image type="content" source="images/winver.png" alt-text="screenshot of the About Windows display text.":::
+
+- **"msinfo"** or **"msinfo32"** to open **System Information**:
+
+ :::image type="content" source="images/msinfo32.png" alt-text="screenshot of the System Information display text.":::
+
+> [!TIP]
+> You can also use `winver` or `msinfo32` commands at the command prompt.
+
+## Using Command Prompt or PowerShell
+
+- At the PowerShell or Command Prompt, type `systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"` and then press **ENTER**
+
+ :::image type="content" source="images/refcmd.png" alt-text="screenshot of system information display text.":::
+
+- At the PowerShell or Command Prompt, type `slmgr /dlv`, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
+
+ :::image type="content" source="images/slmgr-dlv.png" alt-text="screenshot of software licensing manager.":::
diff --git a/windows/client-management/config-lock.md b/windows/client-management/config-lock.md
index 56b72cdf0a..2e86f60f6a 100644
--- a/windows/client-management/config-lock.md
+++ b/windows/client-management/config-lock.md
@@ -8,14 +8,12 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 05/24/2022 +appliesto: +- ✅ Windows 11 --- # Secured-core PC configuration lock -**Applies to** - -- Windows 11 - In an enterprise organization, IT administrators enforce policies on their corporate devices to keep the devices in a compliant state and protect the OS by preventing users from changing configurations and creating config drift. Config drift occurs when users with local admin rights change settings and put the device out of sync with security policies. Devices in a non-compliant state can be vulnerable until the next sync and configuration reset with the MDM. Windows 11 with config lock enables IT administrators to prevent config drift and keep the OS configuration in the desired state. With config lock, the OS monitors the registry keys that configure each feature and when it detects a drift, reverts to the IT-desired state in seconds. Secured-core configuration lock (config lock) is a new [secured-core PC (SCPC)](/windows-hardware/design/device-experiences/oem-highly-secure) feature that prevents configuration drift from secured-core PC features caused by unintentional misconfiguration. In short, it ensures a device intended to be a secured-core PC remains a secured-core PC. @@ -77,7 +75,7 @@ Config lock is designed to ensure that a secured-core PC isn't unintentionally m - Can I disable config lock? Yes. You can use MDM to turn off config lock completely or put it in temporary unlock mode for helpdesk activities. -### List of locked policies +## List of locked policies |**CSPs** | |-----| diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 4c730c626d..9680e7249e 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md 
@@ -1,6 +1,6 @@ --- title: Mobile device management MDM for device updates -description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. +description: Windows provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. ms.reviewer: manager: aaroncz ms.author: vinpa @@ -8,10 +8,13 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 11/15/2017 +ms.date: 04/05/2023 ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Mobile device management (MDM) for device updates 
@@ -19,38 +22,34 @@ ms.collection: >[!TIP] >If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). -With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. +With PCs, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows, we're investing heavily in extending the management capabilities available to MDMs. One key feature we're adding is the ability for MDMs to keep devices up to date with the latest Microsoft updates. -In particular, Windows 10 provides APIs to enable MDMs to: +In particular, Windows provides APIs to enable MDMs to: -- Ensure machines stay up to date by configuring Automatic Update policies. -- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout. -- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine. +- Ensure machines stay up to date by configuring Automatic Update policies. +- Test updates on a smaller set of machines by configuring which updates are approved for a given device. Then, do an enterprise-wide rollout. +- Get compliance status of managed devices. IT can understand which machines still need a security patch, or how current is a particular machine. +- Configure automatic update policies to ensure devices stay up to date. 
+- Get device compliance information (the list of updates that are needed but not yet installed). +- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested. +- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs. -This article provides independent software vendors (ISV) with the information they need to implement update management in Windows 10. +This article provides independent software vendors (ISV) with the information they need to implement update management in Windows. For more information, see [Policy CSP - Update](mdm/policy-csp-update.md). -In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to: - -- Configure automatic update policies to ensure devices stay up to date. -- Get device compliance information (the list of updates that are needed but not yet installed). -- Enter a per-device update approval list. The list makes sure devices only install updates that are approved and tested. -- Approve end-user license agreements (EULAs) for the end user so update deployment can be automated even for updates with EULAs. - -The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). 
- -For more information about the CSPs, see [Update CSP](mdm/update-csp.md) and the update policy area of the [Policy CSP](mdm/policy-configuration-service-provider.md). +> [!NOTE] +> The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update's title, description, KB, update type, like a security update or service pack. For more information, see [[MS-WSUSSS]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c). The following diagram provides a conceptual overview of how this works: -![mobile device update management.](images/mdm-update-sync.png) +:::image type="content" source="images/mdm-update-sync.png" alt-text="mobile device update management."::: The diagram can be roughly divided into three areas: -- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram). -- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram). -- The device gets updates from Microsoft Update using client/server protocol. It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram). +- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram). +- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram). +- The device gets updates from Microsoft Update using client/server protocol. 
It only downloads and installs updates that apply to the device and are approved by IT (right portion of the diagram). -## Getting update metadata using the Server-Server sync protocol +## Getting update metadata using the Server-Server sync protocol The Microsoft Update Catalog contains many updates that aren't needed by MDM-managed devices. It includes updates for legacy software, like updates to servers, down-level desktop operating systems, & legacy apps, and a large number of drivers. We recommend MDMs use the Server-Server sync protocol to get update metadata for updates reported from the client. 
@@ -60,40 +59,39 @@ This section describes this setup. The following diagram shows the server-server MSDN provides much information about the Server-Server sync protocol. In particular: -- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`. +- It's a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](/openspecs/windows_protocols/ms-wsusss/8a3b2470-928a-4bd1-bdcc-8c2bf6b8e863). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. +- You can find code samples in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). The sample code shows raw SOAP commands, which can be used. Although it's even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to `https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx`. Some important highlights: -- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). 
In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. -- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. -- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). +- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a), the **Sample 1: Authorization** code shows how authorization is done. Even though it's called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. 
As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired. +- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](/openspecs/windows_protocols/ms-wsusss/c28ad30c-fa3f-4bc6-a747-788391d2d964) in MSDN. The LocURI to get the applicable updates with their revision numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors. +- For mobile devices, you can sync metadata for a particular update by calling GetUpdateData. Or, for a local on-premises solution, you can use Windows Server Update Services (WSUS) and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process). > [!NOTE] -> On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, and so on). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number). +> Over time, Microsoft Update modifies metadata for a given update, for example, by updating descriptive information, fixing bugs in applicability rules, making localization changes, and so on. Each time a change occurs that doesn't affect the update itself, a new update revision is created. 
An UpdateID (GUID) and a RevisionNumber (int) compounds to comprise an identity key for an update revision. The MDM doesn't present an update revision to IT. Instead, for each UpdateID (GUID) the MDM keeps the metadata for the later revision of that update, which is the one with the highest revision number. - -## Examples of update metadata XML structure and element descriptions +### Examples of update metadata XML structure and element descriptions The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). Some of the key elements are described below: -- **UpdateID** – The unique identifier for an update -- **RevisionNumber** – Revision number for the update in case the update was modified. -- **CreationDate** – the date on which this update was created. -- **UpdateType** – The type of update, which could include the following: - - **Detectoid** – if this update identity represents a compatibility logic - - **Category** – This element could represent either of the following: - - A Product category the update belongs to. For example, Windows, MS office, and so on. - - The classification the update belongs to. For example, drivers, security, and so on. - - **Software** – If the update is a software update. - - **Driver** – if the update is a driver update. -- **LocalizedProperties** – represents the language the update is available in, title and description of the update. It has the following fields: - - **Language** – The language code identifier (LCID). For example, en or es. - - **Title** – Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)” - - **Description** – Description of the update. 
For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed.” -- **KBArticleID** – The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`. +- **UpdateID** - The unique identifier for an update +- **RevisionNumber** - Revision number for the update in case the update was modified. +- **CreationDate** - The date on which this update was created. +- **UpdateType** - The type of update, which could include the following: + - **Detectoid** - If this update identity represents a compatibility logic + - **Category** - This element could represent either of the following: + - A Product category the update belongs to. For example, Windows, MS office, and so on. + - The classification the update belongs to. For example, drivers, security, and so on. + - **Software** - If the update is a software update. + - **Driver** - If the update is a driver update. +- **LocalizedProperties** - Represents the language the update is available in, title and description of the update. It has the following fields: + - **Language** - The language code identifier (LCID). For example, en or es. + - **Title** - Title of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)" + - **Description** - Description of the update. For example, "Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you've installed this item, it can't be removed." +- **KBArticleID** - The KB article number for this update that has details about the particular update. For example, `https://support.microsoft.com/kb/2902892`. 
-## Recommended Flow for Using the Server-Server Sync Protocol +### Recommended Flow for Using the Server-Server Sync Protocol This section describes a possible algorithm for using the server-server sync protocol to pull in update metadata to the MDM. 
@@ -103,782 +101,43 @@ First some background: - A metadata sync service can then be implemented. The service periodically calls server-server sync to pull in metadata for the updates IT cares about. - The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client, if those updates aren't already known to the device. - The following procedure describes a basic algorithm for a metadata sync service: -- Initialization uses the following steps: - a. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. -- Sync periodically (we recommend once every 2 hours - no more than once/hour). - 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). - 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and: - - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. - - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. - - Remove updates from the "needed update IDs to fault in" list once they've been brought in. +1. Create an empty list of "needed update IDs to fault in". This list will get updated by the MDM service component that uses OMA DM. 
We recommend not adding definition updates to this list, since they're temporary. For example, Defender can release new definition updates many times per day, each of which is cumulative. +1. Sync periodically (we recommend once every 2 hours - no more than once/hour). + 1. Implement the authorization phase of the protocol to get a cookie if you don't already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a). + 1. Implement the metadata portion of the protocol. See **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](/openspecs/windows_protocols/ms-wsusss/2dedbd00-fbb7-46ee-8ee0-aec9bd1ecd2a)), and call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata hasn't already been pulled into the DB. + - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one. + - Remove updates from the "needed update IDs to fault in" list once they've been brought in. These steps get information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time, you can get information so IT can see what updates they're approving. Or, for compliance reports to see what updates are needed but not yet installed. -## Managing updates using OMA DM +## Managing updates using OMA DM An MDM can manage updates via OMA DM. The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented in [Mobile device management](mobile-device-enrollment.md). This section focuses on how to extend that integration to support update management. 
The key aspects of update management include the following information: -- Configure automatic update policies to ensure devices stay up to date. -- Get device compliance information (the list of updates that are needed but not yet installed) -- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested. -- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs +- Configure automatic update policies to ensure devices stay up to date. +- Get device compliance information (the list of updates that are needed but not yet installed). +- Specify a per-device update approval list. The list makes sure devices only install updates that are approved and tested. +- Approve EULAs for the end user so update deployment can be automated, even for updates with EULAs. The following list describes a suggested model for applying updates. -1. Have a "Test Group" and an "All Group". -2. In the Test group, just let all updates flow. -3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues. +1. Have a "Test Group" and an "All Group". +1. In the Test group, let all updates flow. +1. In the All Group, set the Quality Update deferral for seven days, and then, Quality Updates are auto approved after seven days. Quality Update deferrals exclude Definition Updates, so Definition Updates automatically are approved when they're available. Match the schedule for Definition Updates with the Quality Update deferral schedule by setting Update/DeferQualityUpdatesPeriodInDays to seven. 
Let updates flow after seven days or by pausing if any issues occur. -Updates are configured using a combination of the [Update CSP](mdm/update-csp.md), and the update portion of the [Policy CSP](mdm/policy-configuration-service-provider.md). +Updates are configured using the [Update Policy CSP](mdm/policy-csp-update.md). -### Update policies - -The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP. - -The following information shows the Update policies in a tree format. - -```console -./Vendor/MSFT -Policy -----Config ---------Update ------------ActiveHoursEnd ------------ActiveHoursMaxRange ------------ActiveHoursStart ------------AllowAutoUpdate ------------AllowMUUpdateService ------------AllowNonMicrosoftSignedUpdate ------------AllowUpdateService ------------AutoRestartNotificationSchedule ------------AutoRestartRequiredNotificationDismissal ------------BranchReadinessLevel ------------DeferFeatureUpdatesPeriodInDays ------------DeferQualityUpdatesPeriodInDays ------------DeferUpdatePeriod ------------DeferUpgradePeriod ------------EngagedRestartDeadline ------------EngagedRestartSnoozeSchedule ------------EngagedRestartTransitionSchedule ------------ExcludeWUDriversInQualityUpdate ------------IgnoreMOAppDownloadLimit ------------IgnoreMOUpdateDownloadLimit ------------PauseDeferrals ------------PauseFeatureUpdates ------------PauseQualityUpdates ------------RequireDeferUpgrade ------------RequireUpdateApproval ------------ScheduleImminentRestartWarning ------------ScheduledInstallDay ------------ScheduledInstallTime ------------ScheduleRestartWarning ------------SetAutoRestartNotificationDisable ------------UpdateServiceUrl ------------UpdateServiceUrlAlternate -``` - -**Update/ActiveHoursEnd** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 
Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time. - -> [!NOTE] -> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. - -The default is 17 (5 PM). - -**Update/ActiveHoursMaxRange** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. - -Supported values are 8-18. - -The default value is 18 (hours). - -**Update/ActiveHoursStart** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - - -Added in Windows 10, version 1607. When used with **Update/ActiveHoursEnd**, it allows the IT admin to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time. - -> [!NOTE] -> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. For more information, see **Update/ActiveHoursMaxRange** in this article. - -Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, and so on. - -The default value is 8 (8 AM). - -**Update/AllowAutoUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. 
- - -Enables the IT admin to manage automatic update behavior to scan, download, and install updates. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default behavior for unmanaged devices. Devices are updated quickly. But, it increases the risk of accidental data loss caused by an application that doesn't shutdown properly on restart. -- 3 – Auto install and restart at a specified time. 
The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks. They're installed during "Automatic Maintenance" when the device isn't in use, and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only. -- 5 – Turn off automatic updates. - -> [!IMPORTANT] -> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. - - -If the policy isn't configured, end users get the default behavior (Auto install and restart). - -**Update/AllowMUUpdateService** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. - -The following list shows the supported values: - -- 0 – Not allowed or not configured. -- 1 – Allowed. Accepts updates received through Microsoft Update. - -**Update/AllowNonMicrosoftSignedUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education. - - -Allows the IT admin to manage if Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third-party software and patch distribution. 
- -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. -- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate in the "Trusted Publishers" certificate store of the local computer. - -This policy is specific to desktop and local publishing using WSUS for third-party updates (binaries and updates not hosted on Microsoft Update). It allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. - -**Update/AllowUpdateService** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft. - -Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update. - -Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working. - -The following list shows the supported values: - -- 0 – Update service isn't allowed. -- 1 (default) – Update service is allowed. - -> [!NOTE] -> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. - - -**Update/AutoRestartNotificationSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. 
Allows the IT Admin to specify the period for auto-restart reminder notifications. - -Supported values are 15, 30, 60, 120, and 240 (minutes). - -The default value is 15 (minutes). - -**Update/AutoRestartRequiredNotificationDismissal** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed. - -The following list shows the supported values: - -- 1 (default) – Auto Dismissal. -- 2 – User Dismissal. - -**Update/BranchReadinessLevel** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. - -The following list shows the supported values: - -- 16 (default) – User gets all applicable upgrades from Current Branch (CB). -- 32 – User gets upgrades from Current Branch for Business (CBB). - -**Update/DeferFeatureUpdatesPeriodInDays** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. - -Supported values are 0-180. - -**Update/DeferQualityUpdatesPeriodInDays** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. - -Supported values are 0-30. - -**Update/DeferUpdatePeriod** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). 
You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to specify update delays for up to four weeks. - -Supported values are 0-4, which refers to the number of weeks to defer updates. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by**; and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -- **Update category**: OS upgrade - - **Maximum deferral**: 8 months - - **Deferral increment**: 1 month - - **Update type/notes**: Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 - -- **Update category**: Update - - **Maximum deferral**: 1 month - - **Deferral increment**: 1 week - - **Update type/notes**: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. - - - Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441 - - Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4 - - Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F - - Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828 - - Tools - B4832BD8-E735-4761-8DAF-37F882276DAB - - Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F - - Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83 - - Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0 - -- **Update category**: Other/cannot defer - - **Maximum deferral**: No deferral - - **Deferral increment**: No deferral - - **Update type/notes**: Any update category not enumerated above falls into this category. - - Definition Update - E0789628-CE08-4437-BE74-2495B842F43B - -**Update/DeferUpgradePeriod** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. 
-> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. - - -Allows IT Admins to enter more upgrade delays for up to eight months. - -Supported values are 0-8, which refers to the number of months to defer upgrades. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -**Update/EngagedRestartDeadline** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, then the restart won't be automatically executed. It will remain Engaged restart (pending user scheduling). - -Supported values are 2-30 days. - -The default value is 0 days (not specified). - -**Update/EngagedRestartSnoozeSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. 
- -Supported values are 1-3 days. - -The default value is three days. - -**Update/EngagedRestartTransitionSchedule** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. - -Supported values are 2-30 days. - -The default value is seven days. - -**Update/ExcludeWUDriversInQualityUpdate** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. - -The following list shows the supported values: - -- 0 (default) – Allow Windows Update drivers. -- 1 – Exclude Windows Update drivers. - -**Update/IgnoreMOAppDownloadLimit** -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -The following list shows the supported values: - -- 0 (default) – Don't ignore MO download limit for apps and their updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. - -To validate this policy: - -1. Enable the policy ensure the device is on a cellular network. -2. Run the scheduled task on your device to check for app updates in the background. 
For example, on a mobile device, run the following commands in TShell: - - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` - - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - -**Update/IgnoreMOUpdateDownloadLimit** -Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. - -> [!WARNING] -> Setting this policy might cause devices to incur costs from MO operators. - -The following list shows the supported values: - -- 0 (default) – Don't ignore MO download limit for OS updates. -- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. - -To validate this policy: - -1. Enable the policy and ensure the device is on a cellular network. -2. Run the scheduled task on the devices to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: - - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` - -3. Verify that any downloads that are above the download size limit will complete without being paused. - - -**Update/PauseDeferrals** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. 
- - -Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks. - -The following list shows the supported values: - -- 0 (default) – Deferrals aren't paused. -- 1 – Deferrals are paused. - -If the **Specify intranet Microsoft update service location** policy is enabled, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the **Defer upgrades by**, **Defer updates by** and **Pause Updates and Upgrades** settings have no effect. - -**Update/PauseFeatureUpdates** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. - -Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. - -The following list shows the supported values: - -- 0 (default) – Feature Updates aren't paused. -- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. - -**Update/PauseQualityUpdates** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. - -The following list shows the supported values: - -- 0 (default) – Quality Updates aren't paused. -- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. - -**Update/RequireDeferUpgrade** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education -> -> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. 
- - -Allows the IT admin to set a device to CBB train. - -The following list shows the supported values: - -- 0 (default) – User gets upgrades from Current Branch. -- 1 – User gets upgrades from Current Branch for Business. - -**Update/RequireUpdateApproval** - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -
- -> [!NOTE] -> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. - - -Allows the IT admin to restrict the updates that are installed on a device to only the updates on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update for the end user. EULAs are approved once an update is approved. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- 0 – Not configured. The device installs all applicable updates. -- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required before deployment. - -**Update/ScheduleImminentRestartWarning** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. - -Supported values are 15, 30, or 60 (minutes). - -The default value is 15 (minutes). - -**Update/ScheduledInstallDay** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Enables the IT admin to schedule the day of the update installation. - -The data type is a string. - -Supported operations are Add, Delete, Get, and Replace. - -The following list shows the supported values: - -- 0 (default) – Every day -- 1 – Sunday -- 2 – Monday -- 3 – Tuesday -- 4 – Wednesday -- 5 – Thursday -- 6 – Friday -- 7 – Saturday - -**Update/ScheduledInstallTime** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Enables the IT admin to schedule the time of the update installation. - -The data type is a string. 
- -Supported operations are Add, Delete, Get, and Replace. - -Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. - -The default value is 3. - -**Update/ScheduleRestartWarning** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications. - -Supported values are 2, 4, 8, 12, or 24 (hours). - -The default value is 4 (hours). - -**Update/SetAutoRestartNotificationDisable** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - - -Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations. - -The following list shows the supported values: - -- 0 (default) – Enabled -- 1 – Disabled - -**Update/UpdateServiceUrl** -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education - -> [!Important] -> Starting in Windows 10, version 1703 this policy isn't supported in IoT Enterprise. - -Allows the device to check for updates from a WSUS server instead of Microsoft Update. Using WSUS is useful for on-premises MDMs that need to update devices that can't connect to the Internet. - -Supported operations are Get and Replace. - -The following list shows the supported values: - -- Not configured. The device checks for updates from Microsoft Update. -- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. - -Example - -```xml - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - -``` - -**Update/UpdateServiceUrlAlternate** - -> [!NOTE] -> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. - -Added in the January service release of Windows 10, version 1607. 
Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. - -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. - -To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. - -Value type is string and the default value is an empty string. If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, then the Automatic Updates client connects directly to the Windows Update site on the Internet. - -> [!Note] -> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. -> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates. -> This policy isn't supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. - -### Update management - -The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](mdm/update-csp.md). The following information shows the Update CSP in tree format. 
- -```console -./Vendor/MSFT -Update -----ApprovedUpdates ---------Approved Update Guid -------------ApprovedTime -----FailedUpdates ---------Failed Update Guid -------------HResult -------------Status -------------RevisionNumber -----InstalledUpdates ---------Installed Update Guid -------------RevisionNumber -----InstallableUpdates ---------Installable Update Guid -------------Type -------------RevisionNumber -----PendingRebootUpdates ---------Pending Reboot Update Guid -------------InstalledTime -------------RevisionNumber -----LastSuccessfulScanTime -----DeferUpgrade -----Rollback ---------QualityUpdate ---------FeatureUpdate ---------QualityUpdateStatus ---------FeatureUpdateStatus -``` - -**Update** -The root node. - -Supported operation is Get. - -**ApprovedUpdates** -Node for update approvals and EULA acceptance for the end user. - -> [!NOTE] -> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. - -The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to present the EULA is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It's only necessary to approve the EULA once per EULA ID, not one per update. - -The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (updates to the virus and spyware definitions on devices) and Security Updates (product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstall of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. 
An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs because of changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. - -> [!NOTE] -> For the Windows 10 build, the client may need to reboot after additional updates are added. - - - -Supported operations are Get and Add. - -**ApprovedUpdates/***Approved Update Guid* -Specifies the update GUID. - -To auto-approve a class of updates, you can specify the [Update Classifications](/previous-versions/windows/desktop/ff357803(v=vs.85)) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. - -Supported operations are Get and Add. - -Sample syncml: - -``` -./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d -``` - -**ApprovedUpdates/*Approved Update Guid*/ApprovedTime** -Specifies the time the update gets approved. - -Supported operations are Get and Add. - -**FailedUpdates** -Specifies the approved updates that failed to install on a device. - -Supported operation is Get. - -**FailedUpdates/***Failed Update Guid* -Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. - -Supported operation is Get. - -**FailedUpdates/*Failed Update Guid*/HResult** -The update failure error code. - -Supported operation is Get. - -**FailedUpdates/*Failed Update Guid*/Status** -Specifies the failed update status (for example, download, install). - -Supported operation is Get. - -**InstalledUpdates** -The updates that are installed on the device. 
- -Supported operation is Get. - -**InstalledUpdates/***Installed Update Guid* -UpdateIDs that represent the updates installed on a device. - -Supported operation is Get. - -**InstallableUpdates** -The updates that are applicable and not yet installed on the device. This information includes updates that aren't yet approved. - -Supported operation is Get. - -**InstallableUpdates/***Installable Update Guid* -Update identifiers that represent the updates applicable and not installed on a device. - -Supported operation is Get. - -**InstallableUpdates/*Installable Update Guid*/Type** -The UpdateClassification value of the update. Valid values are: - -- 0 - None -- 1 - Security -- 2 = Critical - -Supported operation is Get. - -**InstallableUpdates/*Installable Update Guid*/RevisionNumber** -The revision number for the update that must be passed in server to server sync to get the metadata for the update. - -Supported operation is Get. - -**PendingRebootUpdates** -The updates that require a reboot to complete the update session. - -Supported operation is Get. - -**PendingRebootUpdates/***Pending Reboot Update Guid* -Update identifiers for the pending reboot state. - -Supported operation is Get. - -**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -The time the update is installed. - -Supported operation is Get. - -**LastSuccessfulScanTime** -The last successful scan time. - -Supported operation is Get. - -**DeferUpgrade** -Upgrades deferred until the next period. - -Supported operation is Get. - - -## Windows 10, version 1607 for update management - -Here are the new policies added in Windows 10, version 1607 in [Policy CSP](mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices. 
- -- Update/ActiveHoursEnd -- Update/ActiveHoursStart -- Update/AllowMUUpdateService -- Update/BranchReadinessLevel -- Update/DeferFeatureUpdatePeriodInDays -- Update/DeferQualityUpdatePeriodInDays -- Update/ExcludeWUDriversInQualityUpdate -- Update/PauseFeatureUpdates -- Update/PauseQualityUpdates - -Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate. - -|GPO key|Type|Value| -|--- |--- |--- | -|BranchReadinessLevel|REG_DWORD|16: systems take Feature Updates on the Current Branch (CB) train

32: systems take Feature Updates on the Current Branch for Business

Other value or absent: receive all applicable updates (CB)| -|DeferQualityUpdates|REG_DWORD|1: defer quality updates

Other value or absent: don’t defer quality updates| -|DeferQualityUpdatesPeriodInDays|REG_DWORD|0-30: days to defer quality updates| -|PauseQualityUpdates|REG_DWORD|1: pause quality updates

Other value or absent: don’t pause quality updates| -|DeferFeatureUpdates|REG_DWORD|1: defer feature updates

Other value or absent: don’t defer feature updates| -|DeferFeatureUpdatesPeriodInDays|REG_DWORD|0-180: days to defer feature updates| -|PauseFeatureUpdates|REG_DWORD|1: pause feature updates

Other value or absent: don’t pause feature updates| -|ExcludeWUDriversInQualityUpdate|REG_DWORD|1: exclude Windows Update drivers

Other value or absent: offer Windows Update drivers| - -Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices. - -- Update/RequireDeferUpgrade -- Update/DeferUpgradePeriod -- Update/DeferUpdatePeriod -- Update/PauseDeferrals - -## Update management user experience screenshot +### Update management user experience screenshot The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields. -![mdm update management screenshot.](images/deviceupdatescreenshot1.png) +:::image type="content" source="images/deviceupdatescreenshot1.png" alt-text="mdm update management screenshot."::: -![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png) +:::image type="content" source="images/deviceupdatescreenshot2.png" alt-text="mdm update management metadata screenshot."::: - -## SyncML example +### SyncML example Set auto update to notify and defer. 
@@ -929,16 +188,21 @@ Set auto update to notify and defer.
 The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
-![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)
+:::image type="content" source="images/deviceupdatescreenshot3.png" alt-text="mdm device update management screenshot3.":::
-![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)
+:::image type="content" source="images/deviceupdatescreenshot4.png" alt-text="mdm device update management screenshot4":::
-![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)
+:::image type="content" source="images/deviceupdatescreenshot5.png" alt-text="mdm device update management screenshot5":::
-![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)
+:::image type="content" source="images/deviceupdatescreenshot6.png" alt-text="mdm device update management screenshot6":::
-![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)
+:::image type="content" source="images/deviceupdatescreenshot7.png" alt-text="mdm device update management screenshot7":::
-![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)
+:::image type="content" source="images/deviceupdatescreenshot8.png" alt-text="mdm device update management screenshot8":::
-![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
+:::image type="content" source="images/deviceupdatescreenshot9.png" alt-text="mdm device update management screenshot9":::
+
+## Related articles
+
+- [Policy CSP - Update](mdm/policy-csp-update.md)
+- [Policy configuration service provider](mdm/policy-configuration-service-provider.md)
diff --git a/windows/client-management/disconnecting-from-mdm-unenrollment.md b/windows/client-management/disconnecting-from-mdm-unenrollment.md
index 371357b658..6e4d3f8d8c 100644
--- a/windows/client-management/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/disconnecting-from-mdm-unenrollment.md
@@ -1,41 +1,31 @@
 ---
 title: Disconnecting from the management infrastructure (unenrollment)
 description: Disconnecting is initiated either locally by the user using a phone or remotely by the IT admin using management server.
-MS-HAID:
- - 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_'
- - 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment'
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 06/26/2017
+ms.date: 04/13/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Disconnecting from the management infrastructure (unenrollment)
-The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
-The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy.
+The Disconnecting process is done either locally by the user who uses a phone or remotely by the IT administrator using management server. The user-initiated disconnection process is similar to the initial connection, wherein its initiation is from the same location in the Setting Control Panel as creating the workplace account.
+The users choose to disconnect for any number of reasons, such as the ones described below: leaving the company or getting a new device or not needing access to their LOB apps on the old device, anymore. When an IT administrator initiates a disconnection, the enrollment client performs the disconnection during the next regular maintenance session. Administrators choose to disconnect users' device after they've left the company or because the device is regularly failing to comply with the organization's security settings policy.
 During disconnection, the client executes the following tasks:
-- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
-- Removes certificates that are configured by MDM server.
-- Ceases enforcement of the settings policies applied by the management infrastructure.
-- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
-- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
-
-
-## In this topic
-
-- [User-initiated disconnection](#user-initiated-disconnection)
-- [Server-initiated disconnection](#server-initiated-disconnection)
-- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page)
-- [IT admin–requested disconnection](#it-admin-requested-disconnection)
-- [Unenrollment from Azure Active Directory Join](#dataloss)
-
+- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
+- Removes certificates that are configured by MDM server.
+- Ceases enforcement of the settings policies applied by the management infrastructure.
+- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
+- Reports successfully initiated disassociation to the management infrastructure if the admin initiated the process. In Windows, a user-initiated disassociation is reported to the server as a best effort.
 ## User-initiated disconnection
@@ -44,16 +34,15 @@ In Windows, after the user confirms the account deletion command and before the
 This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
 > [!NOTE]
-> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
+> The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, see the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/).
- 
 The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server. The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic.
-```
+```xml
 1.2
@@ -100,10 +89,9 @@ The following sample shows an OMA DM first package that contains a generic alert
 After the previous package is sent, the unenrollment process begins.
-
 ## Server-initiated disconnection
-When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1.
+When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with `messageid=1`.
 ```xml
@@ -119,41 +107,29 @@ When the server initiates disconnection, all undergoing sessions for the enrollm
 ```
-
-
 ## Unenrollment from Work Access settings page
 If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the Azure AD association to the device. You can only use the Work Access page to unenroll under the following conditions:
-- Enrollment was done using bulk enrollment.
-- Enrollment was created using the Work Access page.
+- Enrollment was done using bulk enrollment.
+- Enrollment was created using the Work Access page.
-
-
 ## Unenrollment from Azure Active Directory Join
 When a user is enrolled into MDM through Azure Active Directory Join and later, the enrollment disconnects, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. ![aadj unenerollment.](images/azure-ad-unenrollment.png)
-During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be reimaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state.
+During the process in which a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the Azure Active Directory association is also removed. This safeguard is in place to avoid leaving the corporate devices in un-managed state.
-Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation.
+Before remotely un-enrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation.
 In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device.
-
-## IT admin–requested disconnection
+## IT admin-requested disconnection
-The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
+The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the device, using the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DMClient configuration topic.
 When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management.
- 
-
-
-
-
-
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index 1fcb22e3c9..1aecb97d90 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -43,7 +43,7 @@
 "ms.technology": "itpro-manage",
 "audience": "ITPro",
 "ms.topic": "article",
- "manager": "dansimp",
+ "manager": "aaroncz",
 "feedback_system": "GitHub",
 "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
 "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
@@ -55,19 +55,26 @@
 },
 "titleSuffix": "Windows Client Management",
 "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
+ "rjagiewich",
+ "traya1",
+ "rmca14",
+ "claydetels19",
 "jborsecnik",
 "tiburd",
- "garycentric"
+ "garycentric",
+ "beccarobins",
+ "american-dipper",
+ "angelamotherofdragons",
+ "v-stsavell",
+ "stacyrch140"
 ],
- "searchScope": ["Windows 10"]
+ "searchScope": [
+ "Windows 10"
+ ]
 },
 "fileMetadata": {},
 "template": [],
 "dest": "win-client-management",
 "markdownEngineName": "markdig"
 }
-}
+}
\ No newline at end of file
diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md
index 67353c881b..c60b1439b5 100644
--- a/windows/client-management/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md
@@ -10,16 +10,17 @@ ms.localizationpriority: medium ms.date: 11/01/2017 ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Enable ADMX policies in MDM - -Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). - -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. +Starting in Windows 10, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: + - Find the policy from the list ADMX policies. - Find the Group Policy related information from the MDM policy description. - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. 
@@ -27,21 +28,18 @@ Summary of steps to enable a policy: See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. - - - ## Enable a policy > [!NOTE] > See [Understanding ADMX policies in Policy CSP](understanding-admx-backed-policies.md). -1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. +1. Find the policy from the list [ADMX policies](mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. - GP Friendly name - GP name - GP ADMX file name - GP path -2. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc +1. Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc 1. Click **Start**, then in the text box type **gpedit**. @@ -61,7 +59,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ![Enable App-V client.](images/admx-appv-enableapp-vclient.png) -3. Create the SyncML to enable the policy that doesn't require any parameter. +1. Create the SyncML to enable the policy that doesn't require any parameter. In this example, you configure **Enable App-V Client** to **Enabled**. @@ -89,10 +87,8 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - ## Enable a policy that requires parameters - 1. Create the SyncML to enable the policy that requires parameters. In this example, the policy is in **Administrative Templates > System > App-V > Publishing**. 
@@ -103,23 +99,22 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png) - 2. Find the variable names of the parameters in the ADMX file. + 1. Find the variable names of the parameters in the ADMX file. You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](mdm/policy-csp-appvirtualization.md#publishingallowserver2). ![Publishing server 2 policy description.](images/admx-appv-policy-description.png) - 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx. + 1. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx. - 4. Search for GP name **Publishing_Server2_policy**. + 1. Search for GP name **Publishing_Server2_policy**. - - 5. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. + 1. Under **policy name="Publishing_Server2_Policy"** you can see the \ listed. The *text id* and *enum id* represent the *data id* you need to include in the SyncML data payload. They correspond to the fields you see in the Group Policy Editor. Here's the snippet from appv.admx: ```xml - + 
@@ -206,7 +201,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - 6. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. + 1. From the **\** tag, copy all of the *text id* and *enum id* and create an XML with *data id* and *value* fields. The *value* field contains the configuration settings that you would enter in the Group Policy Editor. Here's the example XML for Publishing_Server2_Policy: @@ -223,7 +218,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - 7. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. + 1. Create the SyncML to enable the policy. Payload contains \ and name/value pairs. Here's the example for **AppVirtualization/PublishingAllowServer2**: @@ -263,7 +258,6 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/ ``` - ## Disable a policy The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2. diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 8bffb182d7..fc976f6277 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -1,322 +1,146 @@ --- -title: Enroll a Windows 10 device automatically using Group Policy +title: Enroll a Windows device automatically using Group Policy description: Learn how to use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 04/30/2022 +ms.date: 04/13/2023 ms.reviewer: manager: aaroncz ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Enroll a Windows 10 device automatically using Group Policy +# Enroll a Windows device automatically using Group Policy -**Applies to:** - -- Windows 11 -- Windows 10 - -Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. +You can use a Group Policy to trigger auto-enrollment to Mobile Device Management (MDM) for Active Directory (AD) domain-joined devices. The enrollment into Intune is triggered by a group policy created on your local AD and happens without any user interaction. This cause-and-effect mechanism means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account. 
-Requirements: -- Active Directory-joined PC running Windows 10, version 1709 or later -- The enterprise has configured a mobile device management (MDM) service -- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad) -- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) +**Requirements**: + +- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). +- The enterprise has configured a Mobile Device Management (MDM) service. +- The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad). +- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`). - The minimum Windows Server version requirement is based on the Hybrid Azure AD join requirement. For more information, see [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan). > [!TIP] > For more information, see the following topics: +> > - [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) > - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. 
Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD–registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered. > [!NOTE] > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. -In Windows 10, version 1709 or later, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. Since Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). +- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. +- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. 
Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices. -## Verify auto-enrollment requirements and settings - -To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. -The following steps demonstrate required settings using the Intune service: - -1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses). - - :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: - -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). - - ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) - - > [!IMPORTANT] - > For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled. - > - > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. - -3. Verify that the device OS version is Windows 10, version 1709 or later. - -4. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. 
This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. - - You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**. - - ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png) - - Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**. - - ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png) - - This information can also be found on the Azure AD device list. - - ![Azure AD device list.](images/azure-ad-device-list.png) - -5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc - - ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png) - -6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**. - - :::image type="content" alt-text="Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png"::: - -7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. - -You may contact your domain administrators to verify if the group policy has been deployed successfully. - -8. Verify that the device isn't enrolled with the old Intune client used on the Intune Silverlight Portal (the Intune portal used before the Azure portal). - -9. 
Verify that Microsoft Intune should allow enrollment of Windows devices. - - :::image type="content" alt-text="Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png"::: - -## Configure the auto-enrollment Group Policy for a single PC - -This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). - -Requirements: -- AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured -- Enterprise AD must be registered with Azure AD - -1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`. - - ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png) - -2. Under **Best match**, select **Edit group policy** to launch it. - -3. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. - - :::image type="content" alt-text="MDM policies." source="images/autoenrollment-mdm-policies.png" lightbox="images/autoenrollment-mdm-policies.png"::: - -4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the **Selected Credential Type to use**. - - :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: - -5. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. 
- - > [!NOTE] - > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**. - > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). - - When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory." - - To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). - - If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. - - ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png) - - > [!Tip] - > You can avoid this behavior by using Conditional Access Policies in Azure AD. - Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). - -6. To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account. - -7. Select **Info** to see the MDM enrollment information. - - ![Work School Settings.](images/autoenrollment-settings-work-school.png) - - If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app). 
- - -### Task Scheduler app - -1. Select **Start**, then in the text box type `task scheduler`. - - ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png) - -2. Under **Best match**, select **Task Scheduler** to launch it. - -3. In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. - - :::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png"::: - - To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). You can see the logs in the **History** tab. - - If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy. - - > [!NOTE] - > The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies. - ## Configure the auto-enrollment for a group of devices -Requirements: -- AD-joined PC running Windows 10, version 1709 or later -- Enterprise has MDM service already configured (with Intune or a third-party service provider) -- Enterprise AD must be integrated with Azure AD. -- Ensure that PCs belong to same computer group. +To configure auto-enrollment using a group policy, use the following steps: -> [!IMPORTANT] -> If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. +1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. +1. Create a Security Group for the PCs. +1. Link the GPO. +1. 
Filter using Security Groups. -1. Download: +If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. Note that the latest MDM.admx is backwards compatible. - - 1803 --> [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) +1. Download the administrative templates for the desired version: - - 1809 --> [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + - [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) + - [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) + - [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) + - [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) + - [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) + - [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) + - [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) + - [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) + - [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) + - [Administrative Templates (.admx) for Windows 11 2022 September Update 
(22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) +1. Install the package on the Domain Controller. - - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) +1. Navigate to `C:\Program Files (x86)\Microsoft Group Policy`, and locate the appropriate sub-directory depending on the installed version. - - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - - - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - - - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - - - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - - - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) - - - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - -2. Install the package on the Domain Controller. - -3. 
Navigate, depending on the version to the folder: - - - 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2** - - - 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** - - - 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** - - - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - - - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - - - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** - - - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - - - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** - - - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** - - - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** - -4. Rename the extracted Policy Definitions folder to `PolicyDefinitions`. - -5. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. +1. Copy the PolicyDefinitions folder to `\\contoso.com\SYSVOL\contoso.com\policies\PolicyDefinitions`. If this folder doesn't exist, then you'll be switching to a [central policy store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) for your entire domain. -6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. +1. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. -This procedure will work for any future version as well. +## Configure the auto-enrollment Group Policy for a single PC -1. 
Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. +This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It's not recommended for the production environment in the enterprise. -2. Create a Security Group for the PCs. +1. Run `GPEdit.msc`. Choose **Start**, then in the text box type `gpedit`. -3. Link the GPO. +1. Under **Best match**, select **Edit group policy** to launch it. -4. Filter using Security Groups. +1. In **Local Computer Policy**, select **Administrative Templates** > **Windows Components** > **MDM**. -## Troubleshoot auto-enrollment of devices +1. Double-click **Enable automatic MDM enrollment using default Azure AD credentials**. Select **Enable**, select **User Credential** from the dropdown **Select Credential Type to Use**, then select **OK**. -Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. + :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: -To collect Event Viewer logs: + > [!NOTE] + > In Windows 10, version 1903 and later, the MDM.admx file was updated to include the **Device Credential** option to select which credential is used to enroll the device. The default behavior for older releases is to revert to **User Credential**. + > + > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. 
User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). -1. Open Event Viewer. +When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). -2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**. +If two-factor authentication is required, you'll be prompted to complete the process. Here's an example screenshot. - > [!Tip] - > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc). +:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification."::: -3. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully: +> [!TIP] +> You can avoid this behavior by using Conditional Access Policies in Azure AD. Learn more by reading [What is Conditional Access?](/azure/active-directory/conditional-access/overview). - :::image type="content" alt-text="Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png"::: +## Verify enrollment - If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons: +To verify successful enrollment to MDM, go to **Start** > **Settings** > **Accounts** > **Access work or school**, then select your domain account.Select **Info** to see the MDM enrollment information. 
- - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here's an example screenshot that shows that the auto-enrollment failed: +:::image type="content" source="images/autoenrollment-settings-work-school.png" alt-text="Screenshot of Work School Settings."::: - :::image type="content" alt-text="Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png"::: +> [!NOTE] +> If you don't see the **Info** button or the enrollment information, enrollment might have failed. Check the status in [Task Scheduler app](#task-scheduler-app) and see [Diagnose MDM enrollment](./mdm-diagnose-enrollment.md). - To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors). +## Task Scheduler app - - The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described in the following section. +Select **Start**, then in the text box type `task scheduler`. Under **Best match**, select **Task Scheduler** to launch it. - The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot: +In **Task Scheduler Library**, open **Microsoft > Windows** , then select **EnterpriseMgmt**. - :::image type="content" alt-text="Task scheduler." 
source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
+:::image type="content" alt-text="Auto-enrollment scheduled task." source="images/autoenrollment-scheduled-task.png" lightbox="images/autoenrollment-scheduled-task.png":::
- > [!Note]
- > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
+To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. You can see the logs in the **History** tab.
- This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: - **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
+The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
- :::image type="content" alt-text="Event ID 107." source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
+> [!NOTE]
+> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
- When the task is completed, a new event ID 102 is logged.
- - :::image type="content" alt-text="Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
- - The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment.
- - If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
- One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
- - :::image type="content" alt-text="Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
- - By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016.
- - A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
- - :::image type="content" alt-text="Manually deleted entries."
source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
-
-### Related topics
+## Related topics
 - [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
 - [Create and Edit a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754740(v=ws.11))
 - [Link a Group Policy Object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732979(v=ws.11))
 - [Filter Using Security Groups](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc752992(v=ws.11))
 - [Enforce a Group Policy Object Link](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753909(v=ws.11))
-- [Group Policy Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store)
 - [Getting started with Cloud Native Windows Endpoints](/mem/cloud-native-windows-endpoints)
-- [A Framework for Windows endpoint management transformation](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/a-framework-for-windows-endpoint-management-transformation/ba-p/2460684)
-- [Success with remote Windows Autopilot and Hybrid Azure Active Director join](https://techcommunity.microsoft.com/t5/intune-customer-success/success-with-remote-windows-autopilot-and-hybrid-azure-active/ba-p/2749353)
-
-
-### Useful Links
-- [Windows 10 Administrative Templates for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
-- [Windows 10 Administrative Templates for Windows 10 May 2021 Update 21H1](https://www.microsoft.com/download/details.aspx?id=103124)
-- [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
-- [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
--
[Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md
index 6646d4df78..197087b7dc 100644
--- a/windows/client-management/enterprise-app-management.md
+++ b/windows/client-management/enterprise-app-management.md
@@ -1,170 +1,51 @@
 ---
 title: Enterprise app management
-description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
-ms.reviewer:
+description: This article covers one of the key mobile device management (MDM) features for managing the lifecycle of apps across Windows devices.
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 10/04/2021
+ms.date: 04/13/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Enterprise app management
-This article covers one of the key mobile device management (MDM) features in Windows 10. It manages the lifecycle of apps across all of Windows. It's the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps.
+This article will discuss one of the key features of Windows' Mobile Device Management (MDM) capabilities: the ability to manage apps' lifecycle on all Windows devices. This includes both Store and non-Store apps, which can be managed natively through MDM.
+
+By using Windows MDM to manage app lifecycles, administrators can deploy and manage updates, remove outdated or unused apps, and ensure that all devices have the necessary apps installed to meet the organization's needs. This feature streamlines the app management process and saves time and effort for IT professionals.
## Application management goals
-Windows 10 offers the ability for management servers to:
+Windows offers the ability for management servers to:
-- Install apps directly from the Microsoft Store for Business
-- Deploy offline Store apps and licenses
-- Deploy line-of-business (LOB) apps (non-Store apps)
-- Inventory all apps for a user (Store and non-Store apps)
-- Inventory all apps for a device (Store and non-Store apps)
-- Uninstall all apps for a user (Store and non-Store apps)
-- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
-- Remove the provisioned app on the device running Windows 10 for desktop editions
+- Install apps directly from the Microsoft Store for Business
+- Deploy offline Store apps and licenses
+- Deploy line-of-business (LOB) apps (non-Store apps)
+- Inventory all apps for a user (Store and non-Store apps)
+- Inventory all apps for a device (Store and non-Store apps)
+- Uninstall all apps for a user (Store and non-Store apps)
+- Provision apps so they're installed for all users of a device running Windows desktop editions (Home, Pro, Enterprise, and Education)
+- Remove the provisioned app on the device running Windows desktop editions
-## Inventory your apps
+## Inventory apps
-Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
+Windows lets you inventory all apps deployed to a user, and inventory all apps for all users of a Windows device.
The [EnterpriseModernAppManagement](mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
-- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
-- nonStore - Apps that weren't acquired from the Microsoft Store.
-- System - Apps that are part of the OS. You can't uninstall these apps. This classification is read-only and can only be inventoried.
+- **Store**: Apps that have been acquired from the Microsoft Store, either directly or delivered with the enterprise from the Store for Business.
+- **nonStore**: Apps that were not acquired from the Microsoft Store.
+- **System**: Apps that are part of the operating system and cannot be uninstalled. This classification is read-only and can only be inventoried.
-These classifications are represented as nodes in the EnterpriseModernAppManagement CSP.
+Each app is identified by one package family name and one or more package full names, and the apps are grouped based on their origin. The EnterpriseModernAppManagement CSP displays these classifications as nodes.
-The following information shows the EnterpriseModernAppManagement CSP in a tree format:
+Inventory can be run recursively at any level from the AppManagement node through the package full name. You can also choose to inventory specific attributes only. The inventory is specific to the package full name and lists bundled and resource packs as applicable under the package family name.
-```console -./Device/Vendor/MSFT -or -./User/Vendor/MSFT -EnterpriseAppManagement -----AppManagement ---------UpdateScan ---------LastScanError ---------AppInventoryResults ---------AppInventoryQuery ---------RemovePackage ---------AppStore -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus ---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemovable -----------ReleaseManagement -------------ReleaseManagementKey ---------------ChannelId ---------------ReleaseId ---------------EffectiveRelease ------------------ChannelId ------------------ReleaseId ---------nonStore -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus ---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemoveable ---------System -----------PackageFamilyName -------------PackageFullName ---------------Name ---------------Version ---------------Publisher ---------------Architecture ---------------InstallLocation ---------------IsFramework ---------------IsBundle ---------------InstallDate ---------------ResourceID ---------------RequiresReinstall ---------------PackageStatus 
---------------Users ---------------IsProvisioned ---------------IsStub -------------DoNotUpdate -------------AppSettingPolicy ---------------SettingValue -------------MaintainProcessorArchitectureOnUpdate -------------NonRemoveable -----AppInstallation ---------PackageFamilyName -----------StoreInstall -----------HostedInstall -----------LastError -----------LastErrorDesc -----------Status -----------ProgressStatus -----AppLicenses ---------StoreLicenses -----------LicenseID -------------LicenseCategory -------------LicenseUsage -------------RequesterID -------------AddLicense -------------GetLicenseFromStore -``` - -Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System). - -Inventory can run recursively at any level from the AppManagement node through the package full name. Inventory can also run only for a specific inventory attribute. - -Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name. - -Here are the nodes for each package full name: - -- Name -- Version -- Publisher -- Architecture -- InstallLocation -- IsFramework -- IsBundle -- InstallDate -- ResourceID -- RequiresReinstall -- PackageStatus -- Users -- IsProvisioned - -For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). +For more information on each node, refer to the detailed descriptions provided in the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md). ### App inventory 
@@ -172,126 +53,121 @@ You can use the EnterpriseModernAppManagement CSP to query for all apps installe
 Doing a full inventory of a device can be resource-intensive based on the hardware and number of apps that are installed. The data returned can also be large. You may want to chunk these requests to reduce the impact to clients and network traffic.
-Here's an example of a query for all apps on the device.
+- Example query for all apps on the device.
-```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData - - - -```
+ ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData + + + + ```
-Here's an example of a query for a specific app for a user.
+- Example query for a specific app for a user.
-```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData - - - -```
+ ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData + + + + ```
 ### Store license inventory
 You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses, event if they were installed via MDM or other methods. Inventory can run at the user or device level. Inventory at the device level will return information for all users on the device.
-Here are the nodes for each license ID:
-
-- LicenseCategory
-- LicenseUsage
-- RequestedID
-
 For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md).
 > [!NOTE]
 > The LicenseID in the CSP is the content ID for the license.
-Here's an example of a query for all app licenses on a device.
+- Here's an example of a query for all app licenses on a device.
-```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData - - - -```
+ ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData + + + + ```
-Here's an example of a query for all app licenses for a user.
+- Here's an example of a query for all app licenses for a user.
-```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData - - - -```
+ ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData + + + + ```
 ## Enable the device to install non-Store apps
-There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
+There are two basic types of apps you can deploy:
+
+- Store apps.
+- Enterprise signed apps.
+
+To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root, or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment.
 ### Unlock the device for non-Store apps
-To deploy apps that aren't from the Microsoft Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
+To deploy apps that aren't from the Microsoft Store, you must configure the [ApplicationManagement/AllowAllTrustedApps](mdm/policy-csp-applicationmanagement.md) policy. This policy allows the installation of non-Store apps on the device if there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user).
-The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
+The AllowAllTrustedApps policy enables the installation of apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
-For more information about the AllowAllTrustedApps policy, see [Policy CSP](mdm/policy-configuration-service-provider.md).
-
-Here are some examples.
+Here's an example: ```xml - 1 - - +1 + + ./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowAllTrustedApps?list=StructData - - + + - 2 - - +2 + + ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps - - + + int text/plain - - 1 - + + 1 + ``` ### Unlock the device for developer mode -Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP. +Development of apps on Windows devices no longer requires a special license. You can enable debugging and deployment of non-packaged apps using [ApplicationManagement/AllowDeveloperUnlock](mdm/policy-csp-applicationmanagement.md) policy in Policy CSP. AllowDeveloperUnlock policy enables the development mode on the device. The AllowDeveloperUnlock isn't configured by default, which means only Microsoft Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device. -Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. - -For more information about the AllowDeveloperUnlock policy, see [Policy CSP](mdm/policy-configuration-service-provider.md). +Deployment of apps to Windows devices requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Here's an example. 
@@ -321,7 +197,7 @@ Here's an example.
 ```
-## Install your apps
+## Install apps
 You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) to install apps.
@@ -333,47 +209,46 @@ If you purchased an app from the Store for Business and the app is specified for Here are the requirements for this scenario: -- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server. -- The device requires connectivity to the Microsoft Store. -- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin. -- The user must be signed in with their Azure AD identity. +- The app is assigned to a user Azure Active Directory (Azure AD) identity in the Store for Business. You can assign directly in the Store for Business or through a management server. +- The device requires connectivity to the Microsoft Store. +- Microsoft Store services must be enabled on the device. The UI for the Microsoft Store can be disabled by the enterprise admin. +- The user must be signed in with their Azure AD identity. -Here are some examples. +Here's an example: ```xml - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall - - - xml - - - + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall + + + xml + + + + + ``` Here are the changes from the previous release: -1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool. -2. The value for flags can be "0" or "1" - - When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. - -3. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. 
+1. The `{CatID}` reference should be updated to `{ProductID}`. This value is acquired as a part of the Store for Business management tool. +1. The value for flags can be 0 or 1. + - When using "0", the management tool calls back to the Store for Business sync to assign a user a seat of an application. + - When using "1", the management tool doesn't call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. +1. The `skuid` is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. ### Deploy an offline license to a user -If you purchased an app from the Store for Business, the app license must be deployed to the device. +If you purchased an app from the Store for Business, the app license must be deployed to the device. The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user. -The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user. +In the SyncML, you need to specify the following information in the `Exec` command: -In the SyncML, you need to specify the following information in the Exec command: - -- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. -- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. +- License ID - This ID is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. 
+- License Content - This content is specified in the data section. The License Content is the Base64 encoded blob of the license. Here's an example of an offline license installation. @@ -392,7 +267,6 @@ Here's an example of an offline license installation. ``` - ### Deploy apps to a user from a hosted location If you purchased an app from the Store for Business and the app is specified for an offline license or the app is a non-Store app, the app must be deployed from a hosted location. 
@@ -409,106 +283,106 @@ Here are the requirements for this scenario: The Add command for the package family name is required to ensure proper removal of the app at unenrollment. -Here's an example of a line-of-business app installation. +- Here's an example of a line-of-business app installation. -```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + ``` -Here's an example of an app installation with dependencies. +- Here's an example of an app installation with dependencies. -```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + ``` -Here's an example of an app installation with dependencies and optional packages. +- Here's an example of an app installation with dependencies and optional packages. 
-```xml - - - 0 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + + + + + ``` ### Provision apps for all users of a device 
@@ -528,124 +402,116 @@ To provision app for all users of a device from a hosted location, the managemen > [!NOTE] > When you remove the provisioned app, it will not remove it from the users that already installed the app. -Here's an example of app installation. +- Here's an example of app installation: -> [!NOTE] -> This is only supported in Windows 10 for desktop editions. + ```xml + + + 0 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + ``` -```xml - - - 0 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - -``` + The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: -The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: + - Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location. + - Dependencies can be specified if required to be installed with the package. This is optional. -- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPS location. -- Dependencies can be specified if required to be installed with the package. This is optional. + The DeploymentOptions parameter is only available in the user context. -The DeploymentOptions parameter is only available in the user context. +- Here's an example of app installation with dependencies. -Here's an example of app installation with dependencies. - -> [!NOTE] -> This is only supported in Windows 10 for desktop editions. 
- -```xml - - - 0 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName - - - - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall - - - xml - - - - - - - - - - - -``` + ```xml + + + 0 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + ``` ### Get status of app installations When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here's the list of information you can get back in the query: -- Status - indicates the status of app installation. - - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. - - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. - - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. - - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. -- LastError - The last error reported by the app deployment server. -- LastErrorDescription - Describes the last error reported by the app deployment server. -- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. +- Status - indicates the status of app installation. + - NOT\_INSTALLED (0) - The node was added, but the execution wasn't completed. + - INSTALLING (1) - Execution has started, but the deployment hasn't completed. If the deployment completes regardless of success, then this value is updated. + - FAILED (2) - Installation failed. 
The details of the error can be found under LastError and LastErrorDescription. + - INSTALLED (3) - Once an install is successful this node is cleaned up. If the clean up action hasn't completed, then this state may briefly appear. +- LastError - The last error reported by the app deployment server. +- LastErrorDescription - Describes the last error reported by the app deployment server. +- Status - An integer that indicates the progress of the app installation. In cases of an HTTPS location, this status shows the estimated download progress. Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. - Status isn't available for provisioning and only used for user-based installations. For provisioning, the value is always 0. +When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the [AppManagement node](mdm/enterprisemodernappmanagement-csp.md#deviceappmanagement). -When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node. +- Here's an example of a query for a specific app installation. -Here's an example of a query for a specific app installation. + ```xml + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData + + + + ``` -```xml - - - 2 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData - - - -``` +- Here's an example of a query for all app installations. -Here's an example of a query for all app installations. - -```xml - - - 2 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData - - - -``` + ```xml + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData + + + + ``` ### Alert for installation completion 
@@ -670,51 +536,50 @@ Here's an example of an alert. ``` -For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path. +For user-based installation, use the `./User` path and for provisioning of apps, use the `./Device` path. The Data field value of 0 (zero) indicates success. Otherwise it's an error code. If there's a failure, you can get more details from the AppInstallation node. > [!NOTE] -> At this time, the alert for Store app installation isn't yet available. - +> At this time, the alert for Store app installation isn't available. ## Uninstall your apps -You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: +You can uninstall apps from users from Windows devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: -- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. -- nonStore - These apps that weren't acquired from the Microsoft Store. -- System - These apps are part of the OS. You can't uninstall these apps. +- AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. +- nonStore - These apps that weren't acquired from the Microsoft Store. +- System - These apps are part of the OS. You can't uninstall these apps. To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family name and package full name. -Here's an example for uninstalling all versions of an app for a user. 
+ Here's an example for uninstalling all versions of an app for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} + + + + ``` -Here's an example for uninstalling a specific version of the app for a user. +-Here's an example for uninstalling a specific version of the app for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + + + ``` ### Removed provisioned apps from a device 
@@ -723,70 +588,69 @@ You can remove provisioned apps from a device for a specific version, or for all > [!NOTE] > You can only remove an app that has an inventory value IsProvisioned = 1. - Removing provisioned app occurs in the device context. -Here's an example for removing a provisioned app from a device. +- Here's an example for removing a provisioned app from a device. -```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} + + + + ``` -Here's an example for removing a specific version of a provisioned app from a device: +- Here's an example for removing a specific version of a provisioned app from a device: -```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + + + ``` ### Remove a store app license You can remove app licenses from a device per app based on the content ID. -Here's an example for removing an app license for a user. +- Here's an example for removing an app license for a user. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} + + + + ``` -Here's an example for removing an app license for a provisioned package (device context). +- Here's an example for removing an app license for a provisioned package (device context). 
-```xml - - - 1 - - - ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} - - - -``` + ```xml + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} + + + + ``` -### Alert for app uninstallation +### Alert for app uninstall Uninstallation of an app can take some time complete. So, the uninstall is run asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success. @@ -818,33 +682,33 @@ Apps installed on a device can be updated using the management server. Apps can To update an app from Microsoft Store, the device requires contact with the store services. -Here's an example of an update scan. +- Here's an example of an update scan. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan + + + + ``` -Here's an example of a status check. +- Here's an example of a status check. -```xml - - - 1 - - - ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError - - - -``` + ```xml + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError + + + + ``` ### Update apps from a hosted location @@ -863,7 +727,7 @@ Turning off updates only applies to updates from the Microsoft Store at the devi Here's an example. ```xml - + 1 
@@ -889,9 +753,9 @@ The Universal Windows app can share application data between the users of the de > [!NOTE] > This is only applicable to multi-user devices. -The AllowSharedUserAppData policy in [Policy CSP](mdm/policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. +The [ApplicationManagement/AllowSharedUserAppData](mdm/policy-csp-applicationmanagement.md) policy enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. -If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it). +If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((`/Get-ProvisionedAppxPackage` to detect if there's any shared data, and `/Remove-SharedAppxData` to remove it). The valid values are 0 (off, default value) and 1 (on). diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index 5acabf7ab8..48902df441 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md 
@@ -8,20 +8,36 @@ ms.author: vinpa ms.topic: conceptual ms.technology: itpro-manage ms.date: 12/31/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # How Mobile Device Management Providers support eSIM Management on Windows -The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. - If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: + +The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. + +The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/un-assignment, etc.) the same way as they currently do device management. 
+ +If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps: + - Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. 
Potential orchestrator providers you could contact include: - - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for MDM providers to manager eSIM profiles for enterprise use cases. However, Windows doesn't limit how ecosystem partners offer this service to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. + + As an MDM provider, if you're looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. + + Potential orchestrator providers you could contact include: + + - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) + - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) + - Assess solution type that you would like to provide your customers - Batch/offline solution - IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. 
- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to - Real-time solution -- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. +- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. - Operator is notified of the status of each eSIM profile and has visibility on which devices are being used -**Note:** End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. + +> [!NOTE] +> End users don't notice the solution type. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/federated-authentication-device-enrollment.md b/windows/client-management/federated-authentication-device-enrollment.md index a50c18383c..7ae977249a 100644 --- a/windows/client-management/federated-authentication-device-enrollment.md +++ b/windows/client-management/federated-authentication-device-enrollment.md @@ -1,14 +1,17 @@ --- title: Federated authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using federated authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 07/28/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Federated authentication device enrollment 
@@ -17,28 +20,23 @@ This section provides an example of the mobile device enrollment protocol using The `` element the discovery response message specifies web authentication broker page start URL. -For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). -## In this topic - -[Discovery service](#discovery-service) -[Enrollment policy web service](#enrollment-policy-web-service) -[Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery service The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only). > [!NOTE] -> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +> The administrator of the discovery service must create a host with the address `enterpriseenrollment..com`. -The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. 
The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. +The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. The first request is a standard HTTP GET request. -The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address. +The following example shows a request via HTTP GET to the discovery server given `user@contoso.com` as the email address. ```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc 
@@ -70,16 +68,16 @@ Content-Type: text/html Content-Length: 0 ``` -After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server. +After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment./EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.` enrollment server. The following logic is applied: -1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. -2. If that fails, the device tries HTTP to see whether it's redirected: - - If the device isn't redirected, it prompts the user for the server address. - - If the device is redirected, it prompts the user to allow the redirect. +1. The device first tries HTTPS. If the server cert isn't trusted by the device, the HTTPS fails. +1. If that fails, the device tries HTTP to see whether it's redirected: + - If the device isn't redirected, it prompts the user for the server address. + - If the device is redirected, it prompts the user to allow the redirect. -The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address +The following example shows a request via an HTTP POST command to the discovery web service given `user@contoso.com` as the email address ```http https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc 
@@ -90,64 +88,68 @@ The following example shows the discovery service request. ```xml - - - http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc - - - - - - user@contoso.com - 3 - 3.0 - WindowsPhone - 10.0.0.0 - - OnPremise - Federated - - - - + xmlns:s="http://www.w3.org/2003/05/soap-envelope"> + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc + + + + + + user@contoso.com + 3 + + 3.0 + + WindowsPhone + + 10.0.0.0 + + OnPremise + Federated + + + + ``` The discovery response is in the XML format and includes the following fields: -- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. -- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. +- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. 
For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- In Windows, Federated is added as another supported value. This addition allows the server to use the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. -> [!Note] +> [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be used by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. -> [!Note] +> [!NOTE] > Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: -> - Parse the OS version from the data sent up during the discovery request. -> - Append the OS version as a parameter in the AuthenticationServiceURL. -> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. +> +> - Parse the OS version from the data sent up during the discovery request. +> - Append the OS version as a parameter in the AuthenticationServiceURL. +> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. 
-A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. +A new XML tag, **AuthenticationServiceUrl**, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. -> [!Note] +> [!NOTE] > The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented. The following are the explicit requirements for the server. -- The ```` element must support HTTPS. -- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. -- WP doesn’t support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. +- The ```` element must support HTTPS. +- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail. +- WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device. The enrollment client issues an HTTPS request as follows: 
@@ -164,7 +166,7 @@ After authentication is complete, the auth server should return an HTML form doc > To make an application compatible with strict Content Security Policy, it's usually necessary to make some changes to HTML templates and client-side code, add the policy header, and test that everything works properly once the policy is deployed. ```html -HTTP/1.1 200 OK +HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding Content-Length: 556 @@ -196,35 +198,34 @@ The following example shows a response received from the discovery web service t ```xml - - - http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse - - - d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 - - urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 - - - - - Federated - 3.0 - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - https://portal.manage.contoso.com/LoginRedirect.aspx - - - - + xmlns:a="http://www.w3.org/2005/08/addressing"> + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse + + + d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + + + + Federated + 3.0 + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://portal.manage.contoso.com/LoginRedirect.aspx + + + + ``` 
@@ -236,12 +237,12 @@ This web service implements the X.509 Certificate Enrollment Policy Protocol (MS For Federated authentication policy, the security token credential is provided in a request message using the `` element \[WSS\]. The security token is retrieved as described in the discovery response section. The authentication information is as follows: -- wsse:Security: The enrollment client implements the `` element defined in \[WSS\] section 5. The `` element must be a child of the `` element. -- wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header. +- wsse:Security: The enrollment client implements the `` element defined in \[WSS\] section 5. The `` element must be a child of the `` element. +- wsse:BinarySecurityToken: The enrollment client implements the `` element defined in \[WSS\] section 6.3. The `` element must be included as a child of the `` element in the SOAP header. As was described in the discovery response section, the inclusion of the `` element is opaque to the enrollment client, and the client doesn't interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the `` element of `` and the enterprise server. -The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element. +The `` element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the `` element. - wsse:BinarySecurityToken/attributes/ValueType: The `` ValueType attribute must be `http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken`. 
@@ -251,42 +252,39 @@ The following example is an enrollment policy request with a received security t ```xml - - - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies - - urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - - B64EncodedSampleBinarySecurityToken - - - - - - - - - - - - + xmlns:a="http://www.w3.org/2005/08/addressing" + xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" + xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" + xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" + xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization"> + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + B64EncodedSampleBinarySecurityToken + + + + + + + + + + + + ``` @@ -386,7 +384,7 @@ The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft. The RST may also specify many AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. -> [!Note] +> [!NOTE] > The policy service and the enrollment service must be on the same server; that is, they must have the same host name. The following example shows the enrollment web service request for federated authentication. 
@@ -474,15 +472,15 @@ The following example shows the enrollment web service request for federated aut After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR). -> [!Note] +> [!NOTE] > The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message. Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (`http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc`), because the token is more than an X.509 v3 certificate. The provisioning XML contains: -- The requested certificates (required) -- The DM client configuration (required) +- The requested certificates (required) +- The DM client configuration (required) The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there's one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. @@ -495,8 +493,8 @@ Here's a sample RSTR message and a sample of OMA client provisioning XML within The following example shows the enrollment web service response. ```xml - @@ -512,7 +510,7 @@ The following example shows the enrollment web service response. - @@ -520,7 +518,7 @@ The following example shows the enrollment web service response. - @@ -548,7 +546,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
- + @@ -558,7 +556,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + @@ -602,7 +600,7 @@ The following code shows sample provisioning XML (presented in the preceding pac - + 
@@ -614,15 +612,15 @@ The following code shows sample provisioning XML (presented in the preceding pac ``` > [!NOTE] -> -> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. -> -> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. -> -> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. -> -> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. -> -> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. -> -> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. +> +> - `` and `` elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. +> +> - In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. +> +> - Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. +> +> - The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. 
Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
+>
+> - Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
+>
+> - CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
diff --git a/windows/client-management/group-policies-for-enterprise-and-education-editions.md b/windows/client-management/group-policies-for-enterprise-and-education-editions.md
deleted file mode 100644
index 3f1e0ef47a..0000000000
--- a/windows/client-management/group-policies-for-enterprise-and-education-editions.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: Group Policy settings that apply only to Windows 10 Enterprise and Education Editions (Windows 10)
-description: Use this topic to learn about Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education.
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/14/2021
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: troubleshooting
-ms.technology: itpro-manage
----
-
-# Group Policy settings that apply only to Windows 10 Enterprise and Education Editions
-
-**Applies to**
-- Windows 10
-- Windows 11
-
-
-In Windows 10, version 1607, the following Group Policy settings apply only to Windows 10 Enterprise and Windows 10 Education.
-
-| Policy name | Policy path | Comments |
-| --- | --- | --- |
-| **Configure Spotlight on lock screen** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight). Note that an additional **Cloud Content** policy, **Do not suggest third-party content in Windows spotlight**, does apply to Windows 10 Pro. |
-| **Turn off all Windows Spotlight features** | User Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Turn off Microsoft consumer features** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Do not display the lock screen** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Do not require CTRL+ALT+DEL**
combined with
**Turn off app notifications on the lock screen** | Computer Configuration > Administrative Templates > System > Logon
and
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Interactive logon | When both of these policy settings are enabled, the combination will also disable lock screen apps ([assigned access](/windows/configuration/set-up-a-device-for-anyone-to-use)) on Windows 10 Enterprise and Windows 10 Education only. These policy settings can be applied to Windows 10 Pro, but lock screen apps will not be disabled on Windows 10 Pro.

**Important:** The description for **Interactive logon: Do not require CTRL+ALT+DEL** in the Group Policy Editor incorrectly states that it only applies to Windows 10 Enterprise and Education. The description will be corrected in a future release.|
-| **Do not show Windows Tips** | Computer Configuration > Administrative Templates > Windows Components > Cloud Content | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Force a specific default lock screen image** | Computer Configuration > Administrative Templates > Control Panel > Personalization | For more info, see [Windows spotlight on the lock screen](/windows/configuration/windows-spotlight) |
-| **Start layout** | User Configuration\Administrative Templates\Start Menu and Taskbar | In Windows 10, version 1703, this policy setting can be applied to Windows 10 Pro. For more info, see [Manage Windows 10 Start layout options and policies](/windows/configuration/windows-10-start-layout-options-and-policies) |
-| **Turn off the Store application** | Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application

User Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application | For more info, see [Knowledge Base article# 3135657](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store). |
-| **Only display the private store within the Microsoft Store app** | Computer Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app

User Configuration > Administrative Templates > Windows Components > Store > Only display the private store within the Microsoft Store app | For more info, see [Manage access to private store](/microsoft-store/manage-access-to-private-store) |
-| **Don't search the web or display web results** | Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results | For more info, see [Cortana integration in your enterprise](/windows/configuration/cortana-at-work/cortana-at-work-overview) |
-
-
-
-
diff --git a/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png b/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png
index 5f7fb2c44b..f35f11cc5d 100644
Binary files a/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png and b/windows/client-management/images/auto-enrollment-enrollment-of-windows-devices.png differ
diff --git a/windows/client-management/images/azure-ad-device-list.png b/windows/client-management/images/azure-ad-device-list.png
deleted file mode 100644
index 607c36c307..0000000000
Binary files a/windows/client-management/images/azure-ad-device-list.png and /dev/null differ
diff --git a/windows/client-management/images/implement-server-side-mobile-application-management.png b/windows/client-management/images/implement-server-side-mobile-application-management.png
index 88555f2d3b..822b7f7ea0 100644
Binary files a/windows/client-management/images/implement-server-side-mobile-application-management.png and b/windows/client-management/images/implement-server-side-mobile-application-management.png differ
diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md
index 91645ea1af..01cff16e92 100644
--- a/windows/client-management/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/implement-server-side-mobile-application-management.md
@@ -6,15 +6,19 @@ ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 08/03/2022
+ms.date: 04/05/2023
 ms.reviewer:
 manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-
 # Support for mobile application management on Windows
-The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
+
+[!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)]
 ## Integration with Azure AD
@@ -22,7 +26,7 @@ MAM on Windows is integrated with Azure Active Directory (Azure AD) identity ser
 MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user's actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM. In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
-On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
+On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft 365 apps. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.
 Regular non-admin users can enroll to MAM.
@@ -34,15 +38,15 @@ To make applications WIP-aware, app developers need to include the following dat ``` syntax // Mark this binary as Allowed for WIP (EDP) purpose - MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID - BEGIN - 0x0001 - END +MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID + BEGIN + 0x0001 + END ``` ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: 
@@ -83,12 +87,12 @@ MAM on Windows supports the following configuration service providers (CSPs). Al
 - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
 - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
-- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
+- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support.
 - [DevInfo CSP](mdm/devinfo-csp.md).
 - [DMAcc CSP](mdm/dmacc-csp.md).
 - [DMClient CSP](mdm/dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
 - [EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md) has Windows Information Protection policies.
-- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
+- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support.
 - [PassportForWork CSP](mdm/passportforwork-csp.md) for Windows Hello for Business PIN management.
 - [Policy CSP](mdm/policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
 - [Reporting CSP](mdm/reporting-csp.md) for retrieving Windows Information Protection logs.
@@ -127,13 +131,3 @@ In the process of changing MAM enrollment to MDM, MAM policies will be removed f
 - EDP CSP RevokeOnMDMHandoff is set to false.
 If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account won't be affected.
-
-## Skype for Business compliance with MAM
-
-We've updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature.
-
-|Update channel|Primary purpose|LOB Tattoo availability|Default update channel for the products|
-|--- |--- |--- |--- |
-|[Current channel](/deployoffice/overview-update-channels#BKMK_CB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|March 9 2017|Visio Pro for Office 365
Project Desktop Client
Microsoft 365 Apps for business (the version of Office that comes with some Microsoft 365 plans, such as Business Premium.)|
-|[Deferred channel](/deployoffice/overview-update-channels#BKMK_CBB)|Provide users with new features of Office only a few times a year.|October 10 2017|Microsoft 365 Apps for enterprise|
-|[First release for deferred channel](/deployoffice/overview-update-channels#BKMK_FRCBB)|Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel.|June 13 2017||
diff --git a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md b/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
deleted file mode 100644
index 57b5523dd9..0000000000
--- a/windows/client-management/includes/allow-a-shared-books-folder-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge doesn't use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.
diff --git a/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md b/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md
deleted file mode 100644
index 031d179b36..0000000000
--- a/windows/client-management/includes/allow-address-bar-drop-down-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.
diff --git a/windows/client-management/includes/allow-adobe-flash-shortdesc.md b/windows/client-management/includes/allow-adobe-flash-shortdesc.md
deleted file mode 100644
index 45365c58bd..0000000000
--- a/windows/client-management/includes/allow-adobe-flash-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.
diff --git a/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md b/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md
deleted file mode 100644
index 82ccb5f2ed..0000000000
--- a/windows/client-management/includes/allow-clearing-browsing-data-on-exit-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.
diff --git a/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md b/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md
deleted file mode 100644
index f8b89a8e2e..0000000000
--- a/windows/client-management/includes/allow-configuration-updates-for-books-library-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.
diff --git a/windows/client-management/includes/allow-developer-tools-shortdesc.md b/windows/client-management/includes/allow-developer-tools-shortdesc.md
deleted file mode 100644
index 41176ffb3b..0000000000
--- a/windows/client-management/includes/allow-developer-tools-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.
diff --git a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md b/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
deleted file mode 100644
index 3c9d3f6b42..0000000000
--- a/windows/client-management/includes/allow-extended-telemetry-for-books-tab-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and more diagnostic data, such as usage data.
diff --git a/windows/client-management/includes/allow-extensions-shortdesc.md b/windows/client-management/includes/allow-extensions-shortdesc.md
deleted file mode 100644
index 8276b06760..0000000000
--- a/windows/client-management/includes/allow-extensions-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.
diff --git a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md b/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
deleted file mode 100644
index 8c616dedff..0000000000
--- a/windows/client-management/includes/allow-fullscreen-mode-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. To use fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge.
diff --git a/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md b/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md
deleted file mode 100644
index 1340e13406..0000000000
--- a/windows/client-management/includes/allow-inprivate-browsing-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.
diff --git a/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md b/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md
deleted file mode 100644
index 35a86bfd85..0000000000
--- a/windows/client-management/includes/allow-microsoft-compatibility-list-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
diff --git a/windows/client-management/includes/allow-prelaunch-shortdesc.md b/windows/client-management/includes/allow-prelaunch-shortdesc.md
deleted file mode 100644
index a8437f2035..0000000000
--- a/windows/client-management/includes/allow-prelaunch-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.
diff --git a/windows/client-management/includes/allow-printing-shortdesc.md b/windows/client-management/includes/allow-printing-shortdesc.md
deleted file mode 100644
index 288599efdd..0000000000
--- a/windows/client-management/includes/allow-printing-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content.
diff --git a/windows/client-management/includes/allow-saving-history-shortdesc.md b/windows/client-management/includes/allow-saving-history-shortdesc.md
deleted file mode 100644
index 8f5084cda1..0000000000
--- a/windows/client-management/includes/allow-saving-history-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy doesn't stop roaming of existing browsing history or browsing history from other devices.
diff --git a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md b/windows/client-management/includes/allow-search-engine-customization-shortdesc.md
deleted file mode 100644
index d7acad8b8d..0000000000
--- a/windows/client-management/includes/allow-search-engine-customization-shortdesc.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can execute the following tasks in Settings:
-- Add new search engines
-- Change the default search engine
-
-With this policy, you can prevent users from customizing the search engine in the Microsoft Edge browser.
diff --git a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md b/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
deleted file mode 100644
index 5774f8089e..0000000000
--- a/windows/client-management/includes/allow-sideloading-of-extensions-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but doesn't prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
diff --git a/windows/client-management/includes/allow-tab-preloading-shortdesc.md b/windows/client-management/includes/allow-tab-preloading-shortdesc.md
deleted file mode 100644
index 5008070f5b..0000000000
--- a/windows/client-management/includes/allow-tab-preloading-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign-in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
diff --git a/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md b/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
deleted file mode 100644
index 5d9a75ed5a..0000000000
--- a/windows/client-management/includes/allow-web-content-on-new-tab-page-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 11/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads the default New Tab page and lets the users make changes. If you disable this policy, a blank page loads instead of the New Tab page and prevents users from changing it.
diff --git a/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md b/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
deleted file mode 100644
index 2c63762356..0000000000
--- a/windows/client-management/includes/allow-windows-app-to-share-data-users-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.
diff --git a/windows/client-management/includes/always-show-books-library-shortdesc.md b/windows/client-management/includes/always-show-books-library-shortdesc.md
deleted file mode 100644
index a9e0bdb003..0000000000
--- a/windows/client-management/includes/always-show-books-library-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
diff --git a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md b/windows/client-management/includes/configure-additional-search-engines-shortdesc.md
deleted file mode 100644
index 2560751600..0000000000
--- a/windows/client-management/includes/configure-additional-search-engines-shortdesc.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-The Set default search engine policy enables the users to:
-
-- Set a default search engine
-- Configure up to five more search engines, and set any one of them as the default
-
-If you previously enabled this policy and now want to disable it, doing so results in deletion of all the configured search engines
-
diff --git a/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md b/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
deleted file mode 100644
index d409c6374c..0000000000
--- a/windows/client-management/includes/configure-adobe-flash-click-to-run-setting-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
diff --git a/windows/client-management/includes/configure-autofill-shortdesc.md b/windows/client-management/includes/configure-autofill-shortdesc.md
deleted file mode 100644
index 74af7970c6..0000000000
--- a/windows/client-management/includes/configure-autofill-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
diff --git a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
deleted file mode 100644
index 935810a840..0000000000
--- a/windows/client-management/includes/configure-browser-telemetry-for-m365-analytics-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge doesn't send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
diff --git a/windows/client-management/includes/configure-cookies-shortdesc.md b/windows/client-management/includes/configure-cookies-shortdesc.md
deleted file mode 100644
index eeb223000b..0000000000
--- a/windows/client-management/includes/configure-cookies-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
diff --git a/windows/client-management/includes/configure-do-not-track-shortdesc.md b/windows/client-management/includes/configure-do-not-track-shortdesc.md
deleted file mode 100644
index d69135a7e9..0000000000
--- a/windows/client-management/includes/configure-do-not-track-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge doesn't send ‘Do Not Track’ requests to websites that ask for tracking information. However, users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
diff --git a/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md b/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
deleted file mode 100644
index f98aa94435..0000000000
--- a/windows/client-management/includes/configure-enterprise-mode-site-list-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
diff --git a/windows/client-management/includes/configure-favorites-bar-shortdesc.md b/windows/client-management/includes/configure-favorites-bar-shortdesc.md
deleted file mode 100644
index 661818a582..0000000000
--- a/windows/client-management/includes/configure-favorites-bar-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages.
diff --git a/windows/client-management/includes/configure-home-button-shortdesc.md b/windows/client-management/includes/configure-home-button-shortdesc.md
deleted file mode 100644
index 17d1b68784..0000000000
--- a/windows/client-management/includes/configure-home-button-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.
diff --git a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md b/windows/client-management/includes/configure-kiosk-mode-shortdesc.md
deleted file mode 100644
index b16c3d18e4..0000000000
--- a/windows/client-management/includes/configure-kiosk-mode-shortdesc.md
+++ /dev/null
@@ -1,21 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-You can define a behavior for the Microsoft Edge browser, which it shall display when part of many applications running on a kiosk device.
-
-> [!NOTE]
-> You can define the browser's behavior only if you have the assigned access privileges.
-
-You can also define a behavior when Microsoft Edge serves as a single application.
-
-You can facilitate the following functionalities in the Microsoft Edge browser:
-- Execution of InPrivate full screen
-- Execution of InPrivate multi-tab with a tailored experience for kiosks
-- Provision for normal browsing
diff --git a/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
deleted file mode 100644
index 767c933e7c..0000000000
--- a/windows/client-management/includes/configure-kiosk-reset-after-idle-timeout-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
diff --git a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md b/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
deleted file mode 100644
index 26dc5e0d88..0000000000
--- a/windows/client-management/includes/configure-open-microsoft-edge-with-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allows users to make changes. With this policy, you can configure Microsoft Edge to load the Start page, New Tab page, or the previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
diff --git a/windows/client-management/includes/configure-password-manager-shortdesc.md b/windows/client-management/includes/configure-password-manager-shortdesc.md
deleted file mode 100644
index f0b41c5b0f..0000000000
--- a/windows/client-management/includes/configure-password-manager-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
diff --git a/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md b/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
deleted file mode 100644
index a34c788e1e..0000000000
--- a/windows/client-management/includes/configure-pop-up-blocker-shortdesc.md
+++ /dev/null
@@ -1,12 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy.
-
diff --git a/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md b/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
deleted file mode 100644
index 71b3e06d0d..0000000000
--- a/windows/client-management/includes/configure-search-suggestions-in-address-bar-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.
diff --git a/windows/client-management/includes/configure-start-pages-shortdesc.md b/windows/client-management/includes/configure-start-pages-shortdesc.md
deleted file mode 100644
index 76e4a07003..0000000000
--- a/windows/client-management/includes/configure-start-pages-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users can't make changes.
diff --git a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md b/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
deleted file mode 100644
index 1682bc2ca2..0000000000
--- a/windows/client-management/includes/configure-windows-defender-smartscreen-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users can't disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
diff --git a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md b/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
deleted file mode 100644
index 12bcdd34b8..0000000000
--- a/windows/client-management/includes/disable-lockdown-of-start-pages-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies can't be changed, and they remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start pages or any Start page configured with the Configure Start pages policy.
diff --git a/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md b/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
deleted file mode 100644
index b269a7f3e3..0000000000
--- a/windows/client-management/includes/do-not-sync-browser-settings-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.
diff --git a/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
deleted file mode 100644
index 0b377e56b6..0000000000
--- a/windows/client-management/includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.
diff --git a/windows/client-management/includes/mdm-enrollment-error-codes.md b/windows/client-management/includes/mdm-enrollment-error-codes.md
new file mode 100644
index 0000000000..017a48153f
--- /dev/null
+++ b/windows/client-management/includes/mdm-enrollment-error-codes.md
@@ -0,0 +1,46 @@
+---
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.prod: windows
+ms.topic: include
+ms.date: 04/06/2023
+---
+
+|Code|ID|Error message|
+|--- |--- |--- |
+|0x80180001|"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180002|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180003|"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180004|"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180005|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180006|"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180007|"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180008|"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR|There was an error communicating with the server. 
You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180009|"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS|Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000A|"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED|This device is already enrolled. You can contact your system administrator with the error code {0}.|
+|0x8018000D|"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000E|"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x8018000F|"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180010|"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x80180012|"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT|There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180013|"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
+|0x80180014|"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED|This feature isn't supported. Contact your system administrator with the error code {0}.|
+|0x80180015|"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED|This feature isn't supported. 
Contact your system administrator with the error code {0}.|
+|0x80180016|"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW|The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180017|"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE|The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.|
+|0x80180018|"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE|There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x80180019|"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID|Looks like the server isn't correctly configured. You can try to do this again or contact your system administrator with the error code {0}.|
+|"rejectedTermsOfUse"|"idErrorRejectedTermsOfUse"|Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.|
+|0x801c0001|"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c0002|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0003|"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR|This user isn't authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0006|"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR|There was an error communicating with the server. 
You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c000B|"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED|The server being contacted isn't trusted. Contact your system administrator with the error code {0}.|
+|0x801c000C|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c000E|"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED|Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.|
+|0x801c000F|"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT|A reboot is required to complete device registration.|
+|0x801c0010|"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR|Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.|
+|0x801c0011|"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0012|"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR|There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}|
+|0x801c0013|"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
+|0x801c0014|"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND|There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.|
diff --git a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md b/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
deleted file mode 100644
index d5f609cfa6..0000000000
--- a/windows/client-management/includes/prevent-access-to-about-flags-page-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can access the about:flags page in Microsoft Edge that is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
diff --git a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
deleted file mode 100644
index f6b222fde2..0000000000
--- a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s).
diff --git a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
deleted file mode 100644
index d04429bef8..0000000000
--- a/windows/client-management/includes/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
diff --git a/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md b/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
deleted file mode 100644
index c73e676517..0000000000
--- a/windows/client-management/includes/prevent-certificate-error-overrides-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
diff --git a/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md b/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
deleted file mode 100644
index b635ee64e8..0000000000
--- a/windows/client-management/includes/prevent-changes-to-favorites-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
diff --git a/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
deleted file mode 100644
index bba9ec1ad5..0000000000
--- a/windows/client-management/includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience.
diff --git a/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md b/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
deleted file mode 100644
index c156c94126..0000000000
--- a/windows/client-management/includes/prevent-first-run-webpage-from-opening-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
diff --git a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md b/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md
deleted file mode 100644
index 4209d79579..0000000000
--- a/windows/client-management/includes/prevent-turning-off-required-extensions-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-The Microsoft Edge browser allows users to uninstall extensions, by default. When the users work with extensions that come under a policy that is enabled, they can configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any extra permissions requested by future updates of the extension get granted automatically. If - at this stage - you disable the policy, the list of extension package family names (PFNs) defined in this policy get ignored.
diff --git a/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md
deleted file mode 100644
index 037c535aa8..0000000000
--- a/windows/client-management/includes/prevent-users-to-turn-on-browser-syncing-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
diff --git a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
deleted file mode 100644
index fe0bc3c307..0000000000
--- a/windows/client-management/includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge shows localhost IP address while making calls through usage of the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
diff --git a/windows/client-management/includes/provision-favorites-shortdesc.md b/windows/client-management/includes/provision-favorites-shortdesc.md
deleted file mode 100644
index 6f47ca66c4..0000000000
--- a/windows/client-management/includes/provision-favorites-shortdesc.md
+++ /dev/null
@@ -1,20 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -You can customize the Favorites list in the Microsoft Edge browser. Customization of the favorites list includes: - -- Creating a standard list - - This standard list includes: - - Folders (which you can add) - - the list of favorites that you manually add, after creating the standard list - -This customized favorite is the final version. - - diff --git a/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md b/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md deleted file mode 100644 index 3b17cd7e5f..0000000000 --- a/windows/client-management/includes/send-all-intranet-sites-to-ie-shortdesc.md +++ /dev/null @@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically. diff --git a/windows/client-management/includes/set-default-search-engine-shortdesc.md b/windows/client-management/includes/set-default-search-engine-shortdesc.md deleted file mode 100644 index 958dd67138..0000000000 --- a/windows/client-management/includes/set-default-search-engine-shortdesc.md +++ /dev/null 
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes.
diff --git a/windows/client-management/includes/set-home-button-url-shortdesc.md b/windows/client-management/includes/set-home-button-url-shortdesc.md
deleted file mode 100644
index 67e62738a6..0000000000
--- a/windows/client-management/includes/set-home-button-url-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
diff --git a/windows/client-management/includes/set-new-tab-url-shortdesc.md b/windows/client-management/includes/set-new-tab-url-shortdesc.md
deleted file mode 100644
index a909cbbdc7..0000000000
--- a/windows/client-management/includes/set-new-tab-url-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
diff --git a/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md b/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
deleted file mode 100644
index 5fda91f3db..0000000000
--- a/windows/client-management/includes/show-message-when-opening-sites-in-ie-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-author: dansimp
-ms.author: dansimp
-ms.date: 10/02/2018
-ms.reviewer:
-manager: dansimp
-ms.prod: edge
-ms.topic: include
----
-
-Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
diff --git a/windows/client-management/includes/unlock-home-button-shortdesc.md b/windows/client-management/includes/unlock-home-button-shortdesc.md
deleted file mode 100644
index 722998c5bf..0000000000
--- a/windows/client-management/includes/unlock-home-button-shortdesc.md
+++ /dev/null
@@ -1,11 +0,0 @@ ---- -author: dansimp -ms.author: dansimp -ms.date: 10/02/2018 -ms.reviewer: -manager: dansimp -ms.prod: edge -ms.topic: include ---- - -By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies. diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index d782edc5b3..8b288e7905 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -15,7 +15,7 @@ metadata: author: aczechowski ms.author: aaroncz manager: dougeby - ms.date: 03/28/2022 #Required; mm/dd/yyyy format. + ms.date: 04/13/2023 localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new @@ -37,9 +37,9 @@ landingContent: - text: Enterprise settings, policies, and app management url: windows-mdm-enterprise-settings.md - text: Windows Tools/Administrative Tools - url: administrative-tools-in-windows-10.md + url: client-tools/administrative-tools-in-windows.md - text: Create mandatory user profiles - url: mandatory-user-profile.md + url: client-tools/mandatory-user-profile.md - title: Device enrollment linkLists: diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md deleted file mode 100644 index 1ed28e0f9b..0000000000 --- a/windows/client-management/manage-corporate-devices.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: Manage corporate devices -description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -keywords: [MDM, device management] -ms.prod: windows-client -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 09/14/2021 -ms.topic: article -ms.technology: itpro-manage ---- - -# Manage corporate devices - - -**Applies to** - -- Windows 10 -- Windows 11 - -You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11. - -## In this section - -| Topic | Description | -| --- | --- | -| [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment | -| [Connect to remote Azure Active Directory-joined PC](connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | -| [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | -| [New policies for Windows 10 (and Windows 11)](new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | -| [Group Policies that apply only to Windows Enterprise and Windows Education](group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 
Education | -| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations | - - - -## Learn more - -[How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) - -[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) - -[Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) - -[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) - -Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/) - diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md deleted file mode 100644 index 0bb88c2d24..0000000000 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: Manage the Settings app with Group Policy (Windows 10 and Windows 11) -description: Find out how to manage the Settings app with Group Policy so you can hide specific pages from users. -ms.prod: windows-client -author: vinaypamnani-msft -ms.date: 09/14/2021 -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.technology: itpro-manage ---- - -# Manage the Settings app with Group Policy - -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2016 - -You can now manage the pages that are shown in the Settings app by using Group Policy. When you use Group Policy to manage pages, you can hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. -To make use of the Settings App group policies on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. - ->[!Note] ->Each server that you want to manage access to the Settings App must be patched. - -If your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management, to centrally manage the new policies, copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](/troubleshoot/windows-client/group-policy/create-and-manage-central-store). - -This policy is available for both User and Computer depending on the version of the OS. Windows Server 2016 with KB 4457127 applied will have both User and Computer policy. Windows 10, version 1703, added Computer policy for the Settings app. Windows 10, version 1809, added User policy for the Settings app. - -Policy paths: - -**Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. - -**User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. 
- -![Settings page visibility policy.](images/settings-page-visibility-gp.png) - -## Configuring the Group Policy - -The Group Policy can be configured in one of two ways: specify a list of pages that are shown or specify a list of pages to hide. To do this, add either **ShowOnly:** or **Hide:** followed by a semicolon-delimited list of URIs in **Settings Page Visibility**. For a full list of URIs, see the URI scheme reference section in [Launch the Windows Settings app](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). - ->[!NOTE] -> When you specify the URI in the Settings Page Visibility textbox, don't include **ms-settings:** in the string. - -Here are some examples: - -- To show only the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **ShowOnly:Network-Proxy;Network-Ethernet**. -- To hide the Ethernet and Proxy pages, set the **Settings App Visibility** textbox to **Hide:Network-Proxy;Network-Ethernet**. \ No newline at end of file diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 37aae00014..3595276771 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md 
@@ -1,24 +1,25 @@ --- -title: Manage Windows 10 in your organization - transitioning to modern management -description: This article offers strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. +title: Manage Windows devices in your organization - transitioning to modern management +description: This article offers strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. ms.prod: windows-client ms.localizationpriority: medium -ms.date: 06/03/2022 +ms.date: 04/05/2023 author: vinaypamnani-msft ms.author: vinpa ms.reviewer: manager: aaroncz ms.topic: overview ms.technology: itpro-manage +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Manage Windows 10 in your organization - transitioning to modern management +# Manage Windows devices in your organization - transitioning to modern management -Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows 10 offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. You can shift the percentage of Windows 10 devices gradually, following the normal upgrade schedules used in your organization. +Use of personal devices for work, and employees working outside the office, may be changing how your organization manages devices. Certain parts of your organization might require deep, granular control over devices, while other parts might seek lighter, scenario-based management that empowers the modern workforce. Windows offers the flexibility to respond to these changing requirements, and can easily be deployed in a mixed environment. 
You can shift the percentage of Windows devices gradually, following the normal upgrade schedules used in your organization. -Your organization might have considered bringing in Windows 10 devices and downgrading them to an earlier version of Windows until everything is in place for a formal upgrade process. This downgrade may appear to save costs due to standardization. But, you typically save more if you don't downgrade, and immediately taking advantage of the cost reductions Windows 10 can provide. Because Windows 10 devices can be managed using the same processes and technology as other previous Windows versions, it's easy for versions to coexist. - -Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows 10 devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows 10 much faster. +Your organization can support various operating systems across a wide range of device types, and manage them through a common set of tools such as Microsoft Configuration Manager, Microsoft Intune, or other third-party products. This "managed diversity" enables you to empower your users to benefit from the productivity enhancements available on their new Windows devices (including rich touch and ink support), while still maintaining your standards for security and manageability. It can help you and your organization benefit from Windows faster. This six-minute video demonstrates how users can bring in a new retail device and be up and working with their personalized settings and a managed experience in a few minutes, without being on the corporate network. 
It also demonstrates how IT can apply policies and configurations to ensure device compliance. 
@@ -27,64 +28,58 @@ This six-minute video demonstrates how users can bring in a new retail device an > [!NOTE] > The video demonstrates the configuration process using the classic Azure portal, which is retired. Customers should use the new Azure portal. [Learn how use the new Azure portal to perform tasks that you used to do in the classic Azure portal.](/information-protection/deploy-use/migrate-portal) -This article offers guidance on strategies for deploying and managing Windows 10, including deploying Windows 10 in a mixed environment. It covers [management options](#reviewing-the-management-options-with-windows-10) plus the four stages of the device lifecycle: +This article offers guidance on strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment. It covers [management options](#reviewing-the-management-options-for-windows) plus the four stages of the device lifecycle: - [Deployment and Provisioning](#deployment-and-provisioning) - [Identity and Authentication](#identity-and-authentication) - [Configuration](#settings-and-configuration) - [Updating and Servicing](#updating-and-servicing) -## Reviewing the management options with Windows 10 +## Reviewing the management options for Windows -Windows 10 offers a range of management options, as shown in the following diagram: +Windows offers a range of management options, as shown in the following diagram: :::image type="content" source="images/windows-10-management-range-of-options.png" alt-text="Diagram of the path to modern IT." lightbox="images/windows-10-management-range-of-options.png"::: -As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. 
It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, Office 365, and the Microsoft Store for Business. +As indicated in the diagram, Microsoft continues to provide support for deep manageability and security through technologies like group Policy, Active Directory, and Configuration Manager. It also delivers a "mobile-first, cloud-first" approach of simplified, modern management using cloud-based device management solutions such as Microsoft Enterprise Mobility + Security (EMS). Future Windows innovations, delivered through Windows as a Service, are complemented by cloud services like Microsoft Intune, Azure Active Directory, Azure Information Protection, and Microsoft 365. ## Deployment and provisioning -With Windows 10, you can continue to use traditional OS deployment, but you can also "manage out of the box." To transform new devices into fully configured, fully managed devices, you can: +With Windows, you can continue to use traditional OS deployment, but you can also "manage out of the box". To transform new devices into fully configured, fully managed devices, you can: -- Avoid reimaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/). +- Avoid re-imaging by using dynamic provisioning, enabled by a cloud-based device management service such as [Windows Autopilot](/mem/autopilot/windows-autopilot) or [Microsoft Intune](/mem/intune/fundamentals/). - Create self-contained provisioning packages built with the Windows Configuration Designer. 
For more information, see [Provisioning packages for Windows](/windows/configuration/provisioning-packages/provisioning-packages). - Use traditional imaging techniques such as deploying custom images using [Configuration Manager](/mem/configmgr/core/understand/introduction). -You have multiple options for [upgrading to Windows 10](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 8.1, you can use the robust in-place upgrade process for a fast, reliable move to Windows 10 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today. +You have multiple options for [upgrading to Windows 10 and Windows 11](/windows/deployment/windows-10-deployment-scenarios). For existing devices running Windows 10, you can use the robust in-place upgrade process for a fast, reliable move to Windows 11 while automatically preserving all the existing apps, data, and settings. This process usage can mean lower deployment costs, and improved productivity as end users can be immediately productive - everything is right where they left it. You can also use a traditional wipe-and-load approach if you prefer, using the same tools that you use today. ## Identity and authentication -You can use Windows 10 and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. 
At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. +You can use Windows and services like [Azure Active Directory](/azure/active-directory/fundamentals/active-directory-whatis) in new ways for cloud-based identity, authentication, and management. You can offer your users the ability to **"bring your own device" (BYOD)** or to **"choose your own device" (CYOD)** from a selection you make available. At the same time, you might be managing PCs and tablets that must be domain-joined because of specific applications or resources that are used on them. You can envision user and device management as falling into these two categories: -- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows 10, your employees can self-provision their devices: +- **Corporate (CYOD) or personal (BYOD) devices used by mobile users for SaaS apps such as Office 365.** With Windows, your employees can self-provision their devices: - - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. + - For corporate devices, they can set up corporate access with [Azure AD join](/azure/active-directory/devices/overview). When you offer them Azure AD Join with automatic Intune MDM enrollment, they can bring devices into a corporate-managed state in [*one step*](https://techcommunity.microsoft.com/t5/azure-active-directory-identity/windows-10-azure-ad-and-microsoft-intune-automatic-mdm/ba-p/244067), all from the cloud. 
Azure AD join is also a great solution for temporary staff, partners, or other part-time employees. These accounts can be kept separate from the on-premises AD domain but still access needed corporate resources. - - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. + - Likewise, for personal devices, employees can use a new, simplified [BYOD experience](/azure/active-directory/devices/overview) to add their work account to Windows, then access work resources on the device. - **Domain joined PCs and tablets used for traditional applications and access to important resources.** These applications and resources may be traditional ones that require authentication or accessing highly sensitive or classified resources on-premises. - With Windows 10, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. This registration provides: + With Windows, if you have an on-premises [Active Directory](/windows-server/identity/whats-new-active-directory-domain-services) domain that's [integrated with Azure AD](/azure/active-directory/devices/hybrid-azuread-join-plan), when employee devices are joined, they automatically register with Azure AD. 
This registration provides: - - Single sign-on to cloud and on-premises resources from everywhere + - Single sign-on to cloud and on-premises resources from everywhere + - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable) + - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device + - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) + - Windows Hello - - [Enterprise roaming of settings](/azure/active-directory/devices/enterprise-state-roaming-enable) - - - [Conditional access](/azure/active-directory/conditional-access/overview) to corporate resources based on the health or configuration of the device - - - [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification) - - - Windows Hello - - Domain joined PCs and tablets can continue to be managed with the [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy. - -For more information about how Windows 10 and Azure AD optimize access to work resources across a mix of devices and scenarios, see [Using Windows 10 devices in your workplace](/azure/active-directory/devices/overview). + Domain joined PCs and tablets can continue to be managed with [Configuration Manager](/mem/configmgr/core/understand/introduction) client or group policy. As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD. 
@@ -92,19 +87,19 @@ As you review the roles in your organization, you can use the following generali ## Settings and configuration -Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. With Windows 10, you can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. +Your configuration requirements are defined by multiple factors, including the level of management needed, the devices and data managed, and your industry requirements. Meanwhile, employees are frequently concerned about IT applying strict policies to their personal devices, but they still want access to corporate email and documents. You can create a consistent set of configurations across PCs, tablets, and phones through the common MDM layer. -**MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. +- **MDM**: MDM gives you a way to configure settings that achieve your administrative intent without exposing every possible setting. (In contrast, group policy exposes fine-grained settings that you control individually.) 
One benefit of MDM is that it enables you to apply broader privacy, security, and application management settings through lighter and more efficient tools. MDM also allows you to target Internet-connected devices to manage policies without using group policy that requires on-premises domain-joined devices. This provision makes MDM the best choice for devices that are constantly on the go. -**Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level such as Internet Explorer's 1,500 configurable group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices: +- **Group policy** and **Configuration Manager**: Your organization might still need to manage domain joined computers at a granular level using group policy settings. If so, group policy and Configuration Manager continue to be excellent management choices: -- Group policy is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows. + - **Group policy** is the best way to granularly configure domain joined Windows PCs and tablets connected to the corporate network using Windows-based tools. Microsoft continues to add group policy settings with each new version of Windows. -- Configuration Manager remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. + - **Configuration Manager** remains the recommended solution for granular configuration with robust software deployment, Windows updates, and OS deployment. ## Updating and servicing -With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. 
Whether on current branch (CB) or current branch for business (CBB), devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows 10 deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). +With Windows as a Service, your IT department no longer needs to perform complex imaging (wipe-and-load) processes with each new Windows release. Whether on General Availability Channel or Long-Term Servicing Channel, devices receive the latest feature and quality updates through simple - often automatic - patching processes. For more information, see [Windows deployment scenarios](/windows/deployment/windows-10-deployment-scenarios). MDM with Intune provide tools for applying Windows updates to client computers in your organization. Configuration Manager allows rich management and tracking capabilities of these updates, including maintenance windows and automatic deployment rules. 
@@ -116,11 +111,11 @@ There are various steps you can take to begin the process of modernizing device **Assess the different use cases and management needs in your environment.** Are there groups of devices that could benefit from lighter, simplified management? BYOD devices, for example, are natural candidates for cloud-based management. Users or devices handling more highly regulated data might require an on-premises Active Directory domain for authentication. Configuration Manager and EMS provide you the flexibility to stage implementation of modern management scenarios while targeting different devices the way that best suits your business needs. -**Review the decision trees in this article.** With the different options in Windows 10, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. +**Review the decision trees in this article.** With the different options in Windows, plus Configuration Manager and Enterprise Mobility + Security, you have the flexibility to handle imaging, authentication, settings, and management tools for any scenario. -**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on new Windows 10 devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. 
For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policy-configuration-service-provider.md). +**Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on modern Windows devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policies-in-policy-csp-supported-by-group-policy.md). -**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles: +**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows devices by using both Configuration Manager and Intune. 
For more information, see the following articles:
 - [Co-management for Windows devices](/mem/configmgr/comanage/overview)
 - [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10)
@@ -130,5 +125,5 @@ There are various steps you can take to begin the process of modernizing device
 ## Related articles
 - [What is Intune?](/mem/intune/fundamentals/what-is-intune)
-- [Windows 10 policy CSP](./mdm/policy-configuration-service-provider.md)
-- [Windows 10 configuration service providers](./mdm/index.yml)
+- [Policy CSP](./mdm/policy-configuration-service-provider.md)
+- [Configuration service providers reference](./mdm/index.yml)
diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm-collect-logs.md
similarity index 81%
rename from windows/client-management/diagnose-mdm-failures-in-windows-10.md
rename to windows/client-management/mdm-collect-logs.md
index 246e8babc9..d544eab6d4 100644
--- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm-collect-logs.md
@@ -1,6 +1,6 @@
 ---
-title: Diagnose MDM failures in Windows 10
-description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
+title: Collect MDM logs
+description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows devices managed by an MDM server.
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
@@ -8,31 +8,36 @@ ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 06/25/2018
+ms.date: 04/13/2023
 ms.collection:
- - highpri
- - tier2
+- highpri
+- tier2
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-# Diagnose MDM failures in Windows 10
+# Collect MDM logs
-To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs.
+To help diagnose enrollment or device management issues in Windows devices managed by an MDM server, you can examine the MDM logs collected from the desktop. The following sections describe the procedures for collecting MDM logs.
-## Download the MDM Diagnostic Information log from Windows 10 PCs
+## Download the MDM Diagnostic Information log from Windows devices
 1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**.
-1. Click your work or school account, then click **Info.**
+1. Click your work or school account, then click **Info**.
+ ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png)
 1. At the bottom of the **Settings** page, click **Create report**.
+ ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png)
 1. A window opens that shows the path to the log files. Click **Export**.
 ![Access work or school log files.](images/diagnose-mdm-failures17.png)
-1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
+1. In File Explorer, navigate to `C:\Users\Public\Documents\MDMDiagnostics` to see the report.
-## Use command to collect logs directly from Windows 10 PCs
+## Use command to collect logs directly from Windows devices
 You can also collect the MDM Diagnostic Information logs using the following command:
@@ -55,9 +60,9 @@ The zip file will have logs according to the areas that were used in the command
 - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command
 - *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events.
-## Collect logs directly from Windows 10 PCs
+## Collect logs directly from Windows devices
-Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location:
+MDM logs are captured in the Event Viewer in the following location:
 - Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider
@@ -70,26 +75,26 @@ In this location, the **Admin** channel logs events by default. However, if you
 ### Collect admin logs
 1. Right click on the **Admin** node.
-2. Select **Save all events as**.
-3. Choose a location and enter a filename.
-4. Click **Save**.
-5. Choose **Display information for these languages** and then select **English**.
-6. Click **Ok**.
+1. Select **Save all events as**.
+1. Choose a location and enter a filename.
+1. Click **Save**.
+1. Choose **Display information for these languages** and then select **English**.
+1. Click **Ok**.
 For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**.
 ### Collect debug logs
 1. Right click on the **Debug** node.
-2. Select **Save all events as**.
-3. Choose a location and enter a filename.
-4. Click **Save**.
-5. Choose **Display information for these languages** and then select **English**.
-6. Click **Ok**.
+1. Select **Save all events as**.
+1. Choose a location and enter a filename.
+1. Click **Save**.
+1. Choose **Display information for these languages** and then select **English**.
+1. Click **Ok**.
-You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update.
+You can open the log files (.evtx files) in the Event Viewer on a Windows device.
-## Collect logs remotely from Windows 10 PCs
+## Collect logs remotely from Windows devices
 When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](mdm/diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
@@ -137,7 +142,7 @@ Example: Export the Debug logs
 ```
-## Collect logs remotely from Windows 10 Holographic
+## Collect logs remotely from Windows Holographic
 For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md).
@@ -240,32 +245,32 @@ After the logs are collected on the device, you can retrieve the files through t
 For best results, ensure that the PC or VM on which you're viewing logs matches the build of the OS from which the logs were collected.
 1. Open eventvwr.msc.
-2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
+1. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
 ![event viewer screenshot.](images/diagnose-mdm-failures9.png)
-3. Navigate to the etl file that you got from the device and then open the file.
-4. Click **Yes** when prompted to save it to the new log format.
+1. Navigate to the etl file that you got from the device and then open the file.
+1. Click **Yes** when prompted to save it to the new log format.
 ![event viewer prompt.](images/diagnose-mdm-failures10.png) ![diagnose mdm failures.](images/diagnose-mdm-failures11.png)
-5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
+1. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
 ![event viewer actions.](images/diagnose-mdm-failures12.png)
-6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
+1. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
 ![event filter for Device Management.](images/diagnose-mdm-failures13.png)
-7. Now you're ready to start reviewing the logs.
+1. Now you're ready to start reviewing the logs.
 ![event viewer review logs.](images/diagnose-mdm-failures14.png)
 ## Collect device state data
-Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
+Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md). You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
 ```xml
diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md
new file mode 100644
index 0000000000..5022ba4bf1
--- /dev/null
+++ b/windows/client-management/mdm-diagnose-enrollment.md
@@ -0,0 +1,121 @@
+---
+title: Diagnose MDM enrollment failures
+description: Learn how to diagnose enrollment failures for Windows devices
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.prod: windows-client
+ms.technology: itpro-manage
+author: vinaypamnani-msft
+ms.date: 04/12/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# Diagnose MDM enrollment
+
+This article provides suggestions for troubleshooting device enrollment issues for MDM.
+
+## Verify auto-enrollment requirements and settings
+
+To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service:
+
+1. Verify that the user who is going to enroll the device has a valid [Intune license](/mem/intune/fundamentals/licenses).
+
+ :::image type="content" alt-text="Screenshot of Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png":::
+
+1. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM) with Intune. For more information, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
+
+ ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
+
+ > [!IMPORTANT]
+ > For bring-your-own devices (BYOD devices), the Mobile Application Management (MAM) user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
+ >
+ > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
+
+1. Verify that the device is running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
+
+1. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line.
+
+ You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
+
+ ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png)
+
+ Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
+
+ ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png)
+
+ This information can also be found on the Azure AD device list.
+
+1. Verify that the MDM discovery URL during auto-enrollment is `https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc`.
+
+ ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png)
+
+1. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
+
+ :::image type="content" alt-text="Screenshot of Mobility setting MDM intune." source="images/auto-enrollment-microsoft-intune-setting.png" lightbox="images/auto-enrollment-microsoft-intune-setting.png":::
+
+1. 
When using group policy for enrollment, verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices that should be enrolled into Intune. You may contact your domain administrators to verify if the group policy has been deployed successfully.
+
+1. Verify that Microsoft Intune allows enrollment of Windows devices.
+
+ :::image type="content" alt-text="Screenshot of Enrollment of Windows devices." source="images/auto-enrollment-enrollment-of-windows-devices.png" lightbox="images/auto-enrollment-enrollment-of-windows-devices.png":::
+
+## Troubleshoot group policy enrollment
+
+Investigate the logs if you have issues even after performing all the verification steps. The first log file to investigate is the event log on the target Windows device. To collect Event Viewer logs:
+
+1. Open Event Viewer.
+
+1. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-Diagnostic-Provider** > **Admin**.
+
+ > [!TIP]
+ > For guidance on how to collect event logs for Intune, see [Collect MDM Event Viewer Log YouTube video](https://www.youtube.com/watch?v=U_oCe2RmQEc).
+
+1. Search for event ID 75, which represents a successful auto-enrollment. Here's an example screenshot that shows the auto-enrollment completed successfully:
+
+ :::image type="content" alt-text="Screenshot of Event ID 75." source="images/auto-enrollment-troubleshooting-event-id-75.png" lightbox="images/auto-enrollment-troubleshooting-event-id-75.png":::
+
+If you can't find event ID 75 in the logs, it indicates that the auto-enrollment failed. This failure can happen because of the following reasons:
+
+- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. 
Here's an example screenshot that shows that the auto-enrollment failed:
+
+ :::image type="content" alt-text="Screenshot of Event ID 76." source="images/auto-enrollment-troubleshooting-event-id-76.png" lightbox="images/auto-enrollment-troubleshooting-event-id-76.png":::
+
+ To troubleshoot, check the error code that appears in the event. For more information, see [Troubleshooting Windows device enrollment problems in Microsoft Intune](/troubleshoot/mem/intune/troubleshoot-windows-enrollment-errors).
+
+- The auto-enrollment didn't trigger at all. In this case, you'll not find either event ID 75 or event ID 76. To know the reason, you must understand the internal mechanisms happening on the device as described below:
+
+ The auto-enrollment process is triggered by a task (**Microsoft** > **Windows** > **EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM**) is successfully deployed to the target machine as shown in the following screenshot:
+
+ :::image type="content" alt-text="Screenshot of Task scheduler." source="images/auto-enrollment-task-scheduler.png" lightbox="images/auto-enrollment-task-scheduler.png":::
+
+ > [!NOTE]
+ > This task isn't visible to standard users, run Scheduled Tasks with administrative credentials to find the task.
+
+ This task runs every 5 minutes for the duration of one day. To confirm if the task succeeded, check the task scheduler event logs: **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from Azure Active Directory is triggered by event ID 107.
+
+ :::image type="content" alt-text="Screenshot of Event ID 107." 
source="images/auto-enrollment-event-id-107.png" lightbox="images/auto-enrollment-event-id-107.png":::
+
+ When the task is completed, a new event ID 102 is logged.
+
+ :::image type="content" alt-text="Screenshot of Event ID 102." source="images/auto-enrollment-event-id-102.png" lightbox="images/auto-enrollment-event-id-102.png":::
+
+ The task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This status-display means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It doesn't indicate the success or failure of auto-enrollment.
+
+ If you can't see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from Azure AD is initiated, there's possibly an issue with the group policy. Immediately run the command `gpupdate /force` in a command prompt to get the group policy object applied. If this step still doesn't help, further troubleshooting on Active Directory is required.
+ One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
+
+ :::image type="content" alt-text="Screenshot of Outdated enrollment entries." source="images/auto-enrollment-outdated-enrollment-entries.png" lightbox="images/auto-enrollment-outdated-enrollment-entries.png":::
+
+ By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs** > **Microsoft** > **Windows** > **Task Scheduler** > **Operational** event log file under event ID 7016.
+
+ A resolution to this issue is to remove the registry key manually. If you don't know which registry key to remove, go for the key that displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
+
+ :::image type="content" alt-text="Screenshot showing manually deleted entries." source="images/auto-enrollment-activation-verification-less-entries.png" lightbox="images/auto-enrollment-activation-verification-less-entries.png":::
+
+## Error codes
+
+[!INCLUDE [Enrollment error codes](includes/mdm-enrollment-error-codes.md)]
diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md
index 7023a7b517..7974866d71 100644
--- a/windows/client-management/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm-enrollment-of-windows-devices.md
@@ -1,9 +1,6 @@
 ---
-title: MDM enrollment of Windows 10-based devices
-description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources.
-MS-HAID:
- - 'p\_phdevicemgmt.enrollment\_ui'
- - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices'
+title: MDM enrollment of Windows devices
+description: Learn about mobile device management (MDM) enrollment of Windows devices to simplify access to your organization's resources.
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
@@ -12,280 +9,208 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.collection: - - highpri - - tier2 -ms.date: 12/31/2017 +- highpri +- tier2 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# MDM enrollment of Windows 10-based devices +# MDM enrollment of Windows devices -In today’s cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization’s resources, such as apps, the corporate network, and email. +In today's cloud-first world, enterprise IT departments increasingly want to let employees use their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization's resources, such as apps, the corporate network, and email. > [!NOTE] > When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device. -## Connect corporate-owned Windows 10-based devices +## Connect corporate-owned Windows devices -You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. +You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows doesn't require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. 
![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png) -### Connect your device to an Active Directory domain (join a domain) - -Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain using the Settings app. - > [!NOTE] -> Mobile devices can't be connected to an Active Directory domain. - -### Out-of-box-experience - -Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: - -1. On the **Who Owns this PC?** page, select **My work or school owns it**. - - ![oobe creation of a local account](images/unifiedenrollment-rs1-2.png) - -2. Next, select **Join a domain**. - - ![select domain or azure-ad](images/unifiedenrollment-rs1-3.png) - -3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue. - - ![create pc account.](images/unifiedenrollment-rs1-4.png) - -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app. - - ![windows settings screen](images/unifiedenrollment-rs1-5.png) - -2. Next, select **Accounts**. - - ![windows settings accounts chosen](images/unifiedenrollment-rs1-6.png) - -3. Navigate to **Access work or school**. - - ![choose access work or school](images/unifiedenrollment-rs1-7.png) - -4. Select **Connect**. - - ![connect to work or to school](images/unifiedenrollment-rs1-8.png) - -5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**. - - ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png) - -6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials. 
- - ![type in domain name.](images/unifiedenrollment-rs1-10.png) - -### Help with connecting to an Active Directory domain - -There are a few instances where your device can't be connected to an Active Directory domain. - -| Connection issue | Description | -|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Your device is already connected to an Active Directory domain. | Your device can only be connected to a single Active Directory domain at a time. | -| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | -| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - - +> For devices joined to on-premises Active Directory, see [Group policy enrollment](enroll-a-windows-10-device-automatically-using-group-policy.md). ### Connect your device to an Azure AD domain (join Azure AD) All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app. -### Out-of-box-experience +#### Out-of-box-experience To join a domain: -1. Select **My work or school owns it**, then select **Next.** +1. 
Select **My work or school owns it**, then select **Next.** ![oobe - local account creation](images/unifiedenrollment-rs1-11.png) -2. Select **Join Azure AD**, and then select **Next.** +1. Select **Join Azure AD**, and then select **Next.** ![choose the domain or azure ad](images/unifiedenrollment-rs1-12.png) -3. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. +1. Type in your Azure AD username. This username is the email address you use to log into Microsoft Office 365 and similar services. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page will change to show the organization's custom branding, and you'll be able to enter your password directly on this page. If the tenant is part of a federated domain, you'll be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). 
If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). After you complete the flow, your device will be connected to your organization's Azure AD domain. ![azure ad signin.](images/unifiedenrollment-rs1-13.png) -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app. - - ![screen displaying windows settings](images/unifiedenrollment-rs1-14.png) - -2. Next, navigate to **Accounts**. - - ![choose windows settings accounts](images/unifiedenrollment-rs1-15.png) - -3. Navigate to **Access work or school**. - - ![choose option of access work or school](images/unifiedenrollment-rs1-16.png) - -4. Select **Connect**. - - ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) - -5. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. - - ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) - -6. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - - ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) - -7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. 
For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - - After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. - - ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) - -### Help with connecting to an Azure AD domain - -There are a few instances where your device can't be connected to an Azure AD domain. - -| Connection issue | Description | -|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | -| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | -| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | -| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | -| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. 
Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | -| Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - - - -## Connect personally owned devices - - -Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. - -### Connect to a work or school account - -All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. - -### Use the Settings app - -To create a local account and connect the device: - -1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. - - ![screen of windows settings](images/unifiedenrollment-rs1-21-b.png) - -2. Navigate to **Access work or school**. - - ![user's option of access work or school](images/unifiedenrollment-rs1-23-b.png) - -3. Select **Connect**. - - ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) - -4. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - - ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) - -5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. - - If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. - - Starting in Windows 10, version 1709, you'll see the status page that shows the progress of your device being set up. - - ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) - -6. After you complete the flow, your Microsoft account will be connected to your work or school account. - - ![account successfully added.](images/unifiedenrollment-rs1-27.png) - -### Connect to MDM on a desktop (enrolling in device management) - -All Windows 10-based devices can be connected to MDM. You can connect to an MDM through the Settings app. - -### Use the Settings app +#### Use the Settings app To create a local account and connect the device: 1. Launch the Settings app. - ![screen that displays windows settings](images/unifiedenrollment-rs1-28.png) + ![screen displaying windows settings](images/unifiedenrollment-rs1-14.png) -2. Next, navigate to **Accounts**. +1. Next, navigate to **Accounts**. - ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) + ![choose windows settings accounts](images/unifiedenrollment-rs1-15.png) -3. Navigate to **Access work or school**. +1. Navigate to **Access work or school**. 
- ![access work or school.](images/unifiedenrollment-rs1-30.png) + ![choose option of access work or school](images/unifiedenrollment-rs1-16.png) -4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link). +1. Select **Connect**. - ![connect to work or school screen](images/unifiedenrollment-rs1-31.png) + ![Option of connect to work or school](images/unifiedenrollment-rs1-17.png) -5. Type in your work email address. +1. Under **Alternate Actions**, select **Join this device to Azure Active Directory**. - ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) + ![option to join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) -6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. +1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen. + ![azure ad sign in.](images/unifiedenrollment-rs1-19.png) - ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) + If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. - After you complete the flow, your device will be connected to your organization’s MDM. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to connect your device to MDM. + + After you reach the end of the flow, your device should be connected to your organization's Azure AD domain. You may now sign out of your current account and sign in using your Azure AD username. + + ![corporate sign in screen](images/unifiedenrollment-rs1-20.png) + +#### Help with connecting to an Azure AD domain + +There are a few instances where your device can't be connected to an Azure AD domain. + +| Connection issue | Description | +|--|--| +| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | +| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You can't connect to both simultaneously. | +| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You can't connect to both simultaneously. | +| You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You'll need to switch to an administrator account to continue. 
| +| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | +| Your device is running Home edition. | This feature isn't available on Windows Home edition, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Pro, Enterprise, or Education edition to continue. | + +## Connect personally owned devices + +Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows devices don't require a personal Microsoft account on devices to connect to work or school. + +All Windows devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps, such as the universal Office apps. + +### Register device in AAD and enroll in MDM + +To create a local account and connect the device: + +1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**. + + ![screen of windows settings](images/unifiedenrollment-rs1-21-b.png) + +1. Navigate to **Access work or school**. + + ![user's option of access work or school](images/unifiedenrollment-rs1-23-b.png) + +1. Select **Connect**. + + ![connect button to access the option of work or school.](images/unifiedenrollment-rs1-24-b.png) + +1. Type in your Azure AD username. This username is the email address you use to log into Office 365 and similar services. + + ![sync work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png) + +1. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. 
If the tenant is part of a federated domain, you're redirected to the organization's on-premises federation server, such as AD FS, for authentication. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). + + You'll see the status page that shows the progress of your device being set up. + + ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) + +1. After you complete the flow, your Microsoft account will be connected to your work or school account. + + ![account successfully added.](images/unifiedenrollment-rs1-27.png) ### Help with connecting personally owned devices There are a few instances where your device may not be able to connect to work. -| Error Message | Description | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| -| Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | -| We couldn't find your identity in your organization’s cloud. | The username you entered wasn't found on your Azure AD tenant. | -| Your device is already being managed by an organization. 
| Your device is either already managed by MDM or Microsoft Configuration Manager. | -| You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | -| We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +| Error Message | Description | +|--|--| +| Your device is already connected to your organization's cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | +| We couldn't find your identity in your organization's cloud. | The username you entered wasn't found on your Azure AD tenant. | +| Your device is already being managed by an organization. | Your device is either already managed by MDM or Microsoft Configuration Manager. | +| You don't have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | +| We couldn't auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | +## Enroll in device management only -## Connect your Windows 10-based device to work using a deep link +All Windows devices can be connected to MDM. You can connect to an MDM through the Settings app. To create a local account and connect the device: +1. Launch the Settings app. -Windows 10-based devices may be connected to work using a deep link. 
Users will be able to select or open a link in a particular format from anywhere in Windows 10, and be directed to the new enrollment experience. + ![screen that displays windows settings](images/unifiedenrollment-rs1-28.png) -In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory. +1. Next, navigate to **Accounts**. + + ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png) + +1. Navigate to **Access work or school**. + + ![access work or school.](images/unifiedenrollment-rs1-30.png) + +1. Select the **Enroll only in device management** link. + + ![connect to work or school screen](images/unifiedenrollment-rs1-31.png) + +1. Type in your work email address. + + ![set up work or school account screen](images/unifiedenrollment-rs1-32.png) + +1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. You'll see the enrollment progress on screen. + + ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) + + After you complete the flow, your device will be connected to your organization's MDM. + +## Connect your Windows device to work using a deep link + +Windows devices may be connected to work using a deep link. Users will be able to select or open a link in a particular format from anywhere in Windows, and be directed to the new enrollment experience. The deep link used for connecting your device to work will always use the following format. 
-**ms-device-enrollment:?mode={mode\_name}**
+**ms-device-enrollment:?mode={mode\_name}**:
-| Parameter | Description | Supported Value for Windows 10|
-|-----------|--------------------------------------------------------------|----------------------------------------------|
-| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. |
-|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
-| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
-| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |
-| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID |
-| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string |
-| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned |
-
-> [!NOTE]
-> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later.
+| Parameter | Description | Supported Value for Windows |
+|--|--|--|
+| mode | Describes which mode will be executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. |
+| username | Specifies the email address or UPN of the user who should be enrolled into MDM. | string |
+| servername | Specifies the MDM server URL that will be used to enroll the device. | string |
+| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. | string |
+| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. | GUID |
+| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. | GUID or string |
+| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned |
### Connect to MDM using a deep link
@@ -297,9 +222,9 @@ The deep link used for connecting your device to work will always use the follow
To connect your devices to MDM using deep links:
-1. Starting with Windows 10, version 1607, create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
+1. Create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm**, and user-friendly display text, such as **Click here to connect Windows to work**:
- (This link will launch the flow equivalent to the Enroll into the device management option in Windows 10, version 1511.)
+ (This link will launch the flow equivalent to the Enroll into the device management option.)
- IT admins can add this link to a welcome email that users can select to enroll into MDM.
@@ -310,13 +235,13 @@ To connect your devices to MDM using deep links:
- IT admins can also add this link to an internal web page that users refer to enrollment instructions.
-2. After you select the link or run it, Windows 10 launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511).
+1. After you select the link or run it, Windows launches the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option).
Type in your work email address.
![set up a work or school account screen](images/deeplinkenrollment3.png)
-3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
+1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
After you complete the flow, your device will be connected to your organization's MDM.
@@ -324,7 +249,6 @@ To connect your devices to MDM using deep links:
## Manage connections
-
To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
![managing work or school account.](images/unifiedenrollment-rs1-34-b.png)
@@ -333,41 +257,30 @@ To manage your work or school connections, select **Settings** > **Accounts** > The **Info** button can be found on work or school connections involving MDM. This button is included in the following scenarios: -- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. -- Connecting your device to a work or school account that has auto-enroll into MDM configured. -- Connecting your device to MDM. +- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. +- Connecting your device to a work or school account that has auto-enroll into MDM configured. +- Connecting your device to MDM. -Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. +Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You'll be able to view your organization's support information (if configured) on this page. You'll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. -Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. +Selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. ![work or school info.](images/unifiedenrollment-rs1-35-b.png) -> [!NOTE] -> Starting in Windows 10, version 1709, the **Manage** button is no longer available. - ### Disconnect The **Disconnect** button can be found on all work connections. 
Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality:
-- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
-- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device.
+- Devices that enforce the AllowManualMDMUnenrollment policy won't allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command.
+- On mobile devices, you can't disconnect from Azure AD. These connections can only be removed by wiping the device.
 > [!WARNING]
 > Disconnecting might result in the loss of data on the device.
 ## Collecting diagnostic logs
-
 You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files.
-Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report, as shown here.
-
-![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png)
-
-
-
-
-
-
+You can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report.
+For more information, see [Collect MDM logs](mdm-collect-logs.md).
diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md
new file mode 100644
index 0000000000..8c3dc27e89
--- /dev/null
+++ b/windows/client-management/mdm-known-issues.md
@@ -0,0 +1,244 @@
+---
+title: Known issues in MDM
+description: Learn about known issues for Windows devices in MDM
+ms.reviewer:
+manager: aaroncz
+ms.author: vinpa
+ms.topic: article
+ms.prod: windows-client
+ms.technology: itpro-manage
+author: vinaypamnani-msft
+ms.date: 04/12/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
+---
+
+# Known issues
+
+## Get command inside an atomic command isn't supported
+
+A Get command inside an atomic command isn't supported.
+
+## Apps installed using WMI classes are not removed
+
+Applications installed using WMI classes aren't removed when the MDM account is removed from device.
+
+## Passing CDATA in SyncML does not work
+
+Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work.
+
+## SSL settings in IIS server for SCEP must be set to "Ignore"
+
+The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore".
+
+:::image type="content" source="images/ssl-settings.png" alt-text="Screenshot of SSL settings in IIS.":::
+
+## MDM enrollment fails on the Windows device when traffic is going through proxy
+
+When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network.
+
+## Server-initiated unenrollment failure
+
+Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
+
+Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.
+
+## Certificates causing issues with Wi-Fi and VPN
+
+When using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue.
+
+## Version information for Windows 11
+
+The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**.
+
+## Multiple certificates might cause Wi-Fi connection instabilities
+
+In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
+
+Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
+
+- The user may be prompted to select the certificate.
+- The wrong certificate may get auto selected and cause an authentication failure.
+
+A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
+
+EAP XML must be updated with relevant information for your environment. This task can be done either manually by editing the XML sample below, or by using the step by step UI guide.
After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
+
+- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM's guidance on how to deploy a new Wi-Fi profile.
+- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
+
+For information about EAP Settings, see .
+
+For information about generating an EAP XML, see [EAP configuration](mdm/eap-configuration.md).
+
+For more information about extended key usage, see .
+
+For information about adding extended key usage (EKU) to a certificate, see .
+
+The following list describes the prerequisites for a certificate to be used with EAP:
+
+- The certificate must have at least one of the following EKU (Extended Key Usage) properties:
+ - Client Authentication.
+ - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2.
+ - Any Purpose.
+ - An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
+ - All Purpose.
+ - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
+- The user or the computer certificate on the client chains to a trusted root CA.
+- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. +- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. +- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. + +The following XML sample explains the properties for the EAP TLS XML including certificate filtering. + +> [!NOTE] +> For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. + +```xml + + + 13 + + + 0 + 0 + 0 + + + + + + + 13 + + + + + true + + + + + + + false + + + false + false + false + + + + + + ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + + + + + + + + + + + ContostoITEKU + + 1.3.6.1.4.1.311.42.1.15 + + + + + + + + + ContostoITEKU + + + + + Example1 + + + true + + + + + + + + + + + +``` + +> [!NOTE] +> The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** + +Alternatively you can use the following procedure to create an EAP Configuration XML. + +1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md). + +1. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.). + + :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: + + > [!NOTE] + > For PEAP or TTLS, select the appropriate method and continue following this procedure. + +1. Click the **Properties** button underneath the drop-down menu. + +1. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. 
+
+ :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png":::
+
+1. In the **Configure Certificate Selection** menu, adjust the filters as needed.
+
+ :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png":::
+
+1. Click **OK** to close the windows to get back to the main `rasphone.exe` dialog box.
+
+1. Close the rasphone dialog box.
+
+1. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
+
+> [!NOTE]
+> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
+
+## MDM client will immediately check in with the MDM server after client renews WNS channel URI
+
+After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary.
+
+## User provisioning failure in Azure Active Directory-joined devices
+
+For Azure AD joined devices, provisioning `.\User` resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design.
+
+## Requirements to note for VPN certificates also used for Kerberos Authentication
+
+If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
+
+## Device management agent for the push-button reset is not working
+
+The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service.
diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md
index fd9f4c2321..ecc058a048 100644
--- a/windows/client-management/mdm-overview.md
+++ b/windows/client-management/mdm-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Mobile Device Management overview
-description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
-ms.date: 08/04/2022
+description: Windows provides an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy.
+ms.date: 04/05/2023
 ms.technology: itpro-manage
 ms.topic: article
 ms.prod: windows-client
@@ -9,29 +9,37 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 ms.collection: - - highpri - - tier2 +- highpri +- tier2 --- # Mobile Device Management overview -Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. +Windows provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. There are two parts to the Windows management component: -- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. +- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. For more information, see [Enrollment overview](mobile-device-enrollment.md). - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers don't need to create or download a client to manage Windows 10. 
For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). +Third-party MDM servers can manage Windows devices using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows users. MDM servers don't need to create or download a client to manage Windows. + +For details about the MDM protocols, see + +- [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692) +- [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) ## MDM security baseline -With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices. +Microsoft provides MDM security baselines that function like the Microsoft group policy security baseline. You can easily integrate this baseline into any MDM solution to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices. 
The MDM security baseline includes policies that cover the following areas: -- Microsoft inbox security technology (not deprecated) such as BitLocker, Windows Defender SmartScreen, and Device Guard (virtual-based security), Exploit Guard, Microsoft Defender Antivirus, and Firewall +- Microsoft inbox security technologies (not deprecated) such as BitLocker, Windows Defender SmartScreen, Exploit Guard, Microsoft Defender Antivirus, and Firewall - Restricting remote access to devices - Setting credential requirements for passwords and PINs - Restricting use of legacy technology 
@@ -48,26 +56,22 @@ For more information about the MDM policies defined in the MDM security baseline For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). -## Learn about device enrollment +## Frequently Asked Questions -- [Mobile device enrollment](mobile-device-enrollment.md) -- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) -- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +### Can there be more than one MDM server to enroll and manage devices in Windows? -## Learn about device management +No. Only one MDM is allowed. -- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) -- [Enterprise app management](enterprise-app-management.md) -- [Mobile device management (MDM) for device updates](device-update-management.md) -- [OMA DM protocol support](oma-dm-protocol-support.md) -- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) -- [Server requirements for OMA DM](server-requirements-windows-mdm.md) -- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md) +### How do I set the maximum number of Azure Active Directory-joined devices per user? -## Learn about configuration service providers +1. Sign in to the portal as tenant admin: . +1. Navigate to **Azure AD**, then **Devices**, and then click **Device Settings**. +1. Change the number under **Maximum number of devices per user**. 
-- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) -- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) -- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) -- [Configuration service provider reference](mdm/index.yml) +### What is dmwappushsvc? + +| Entry | Description | +| --------------- | -------------------- | +| What is dmwappushsvc? | It's a Windows service that ships in Windows operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +| What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. | +| How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail. | 
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index c79bf9d6b9..9863ad1ccf 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -2,12 +2,12 @@
 title: AccountManagement CSP
 description: Learn about the AccountManagement CSP, which is used to configure settings in the Account Manager service.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2018
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index f621db9654..c6ec83beff 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -2,12 +2,12 @@
 title: AccountManagement DDF file
 description: View the OMA DM device description framework (DDF) for the AccountManagement configuration service provider. This file is used to configure settings.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2018
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 0bacf6f8d2..9e3a505d95 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -2,12 +2,12 @@
 title: Accounts CSP
 description: The Accounts configuration service provider (CSP) is used by the enterprise to rename devices, and create local Windows accounts & join them to a group.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/27/2020
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index afd14959c5..330218b819 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -2,12 +2,12 @@
 title: Accounts DDF file
 description: View the XML file containing the device description framework (DDF) for the Accounts configuration service provider.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 04/17/2018
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index d123dc8037..c87f85294d 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -1,10 +1,10 @@
 ---
 title: AllJoynManagement CSP
 description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index f5a886a028..32030275e8 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -1,10 +1,10 @@
 ---
 title: AllJoynManagement DDF
 description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index 03d9b18055..c53a080791 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -1,10 +1,10 @@
 ---
 title: APPLICATION CSP
 description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 5042ee9974..59a54a27da 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -95,49 +95,41 @@ In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. Th
 For more examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples).
-
-
- Get Configuration +- Get Configuration -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Configuration + + + + + + + ``` -
+- Delete Configuration -
-
- Delete Configuration - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/Configuration - - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/Configuration + + + + + + + ``` @@ -201,101 +193,85 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu **Examples**: -
-
- Add KioskModeApp +- Add KioskModeApp -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"} + + + + + + ``` -
+- Delete KioskModeApp -
-
- Delete KioskModeApp + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + + ``` -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - - - - -``` +- Get KioskModeApp -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + + + + + ``` -
-
- Get KioskModeApp +- Replace KioskModeApp -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - - - - -``` - -
- -
-
- Replace KioskModeApp - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp - - - chr - - {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp + + + chr + + {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"} + + + + + + ``` @@ -351,412 +327,387 @@ For more information, see [Shell Launcher](/windows/configuration/kiosk-shelllau > [!NOTE] > Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD. -
-
- Shell Launcher V1 XSD +- Shell Launcher V1 XSD -```xml - - + ```xml + + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - + + + + + - - -``` -
+ + + + + -
-
- Shell Launcher V2 XSD + + + + + + + + -```xml - - + + + + + + + + + + + + + + - - - - - - - - + + + - + + + + + + + + - -``` + + + + + + + -

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Shell Launcher V2 XSD + + ```xml + + + + + + + + + + + + + + + + ``` **Examples**: -
-
- Add +- Add -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -
+- Add AutoLogon -
-
- Add AutoLogon + This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. -This function creates an auto-logon account on your behalf. It's a standard user with no password. The auto-logon account is managed by AssignedAccessCSP, so the account name isn't exposed. + > [!NOTE] + > The auto-logon function is designed to be used after OOBE with provisioning packages. -> [!NOTE] -> The auto-logon function is designed to be used after OOBE with provisioning packages. + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - -``` +- V2 Add -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + chr + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + ``` -
-
- V2 Add +- Get -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - chr - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - -``` - -
- -
-
- Get - -```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher - - - - - - -``` - -
+ ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/ShellLauncher + + + + + + + ``` @@ -814,10 +765,6 @@ Additionally, the Status payload includes the following fields: **AssignedAccessAlert XSD**: -
-
- Expand this section to see the schema XML - ```xml ``` -

- **Example**: ```xml @@ -954,10 +899,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat **StatusConfiguration XSD**: -
-
- Expand this section to see the schema XML - ```xml ``` -

- **Examples**: -
-
- Add StatusConfiguration with StatusEnabled set to OnWithAlerts +- Add StatusConfiguration with StatusEnabled set to OnWithAlerts - ```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - OnWithAlerts - - ]]> - - - - - - - ``` - -
- -
-
- Delete StatusConfiguration - - ```xml - + ```xml + - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + OnWithAlerts + + ]]> + + + + - - ``` + + ``` -
+- Delete StatusConfiguration -
-
- Get StatusConfiguration + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` - ```xml - +- Get StatusConfiguration + + ```xml + + + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + + + + + ``` + +- Replace StatusEnabled value with On + + ```xml + - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - - + + 2 + + + ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration + + + chr + + + + + On + + ]]> + + + + - - ``` - -
- -
-
- Replace StatusEnabled value with On - - ```xml - - - - 2 - - - ./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration - - - chr - - - - - On - - ]]> - - - - - - - ``` - -
+ + ``` @@ -1108,322 +1031,306 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat ## AssignedAccessConfiguration XSD -
-
- Schema for AssignedAccessConfiguration. +- Schema for AssignedAccessConfiguration. -```xml - - + ```xml + + - - - + + + - - - - - - - - - - - - - - - - - - - - - - - + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -); -``` -
+ + + + -
-
- Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. + + + + -```xml - - + + + + + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - -``` - -
- -
-
- Schema for new features introduced in Windows 10 1809 release. - -```xml - - - - - - - - - - + + + + + + + + + + + + - - - + - - - + + + + + + + + + + - - - - - + + + + + - + + + + - + + + - + + + - + + + + + - -``` + + + + + + -
+ + + + + + + + + + + -
-
- Schema for Windows 10 prerelease. + + + + -```xml - - + + + + - - - - - + + + - - - + + + + + + + - - - + + + + + + - -``` + + + + + -
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ); + ``` + +- Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization. + + ```xml + + + + + + + + + + + + + + ``` + +- Schema for new features introduced in Windows 10 1809 release. + + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Schema for Windows 10 prerelease. + + ```xml + + + + + + + + + + + + + + + + + + + ``` ## AssignedAccessConfiguration examples @@ -1444,118 +1351,108 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat > > ``` -
-
- Example XML configuration for a multi-app kiosk for Windows 10. +- Example XML configuration for a multi-app kiosk for Windows 10. -```xml - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ]]> - - - - - - - MultiAppKioskUser - - - - -``` + ```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ]]> + + + + + + + MultiAppKioskUser + + + + + ``` -
+- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. -
-
- Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode. + ```xml + + + + + + + + + + EdgeKioskUser + + + + + ``` -```xml - - - - - - - - - - EdgeKioskUser - - - - -``` +- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. -
+ > [!NOTE] + > **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. -
-
- Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk. - -> [!NOTE] -> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk. - -```xml - - - - - - - - - - - EdgeKioskUser - - - - -``` + ```xml + + + + + + + + + + + EdgeKioskUser + + + + + ```
@@ -1563,10 +1460,6 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
 This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](/hololens/hololens-provisioning).
-
-
- Expand this section to see the example.
-
 ```xml
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index b34bc4709f..16889b4db0 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -21,6 +21,9 @@ ms.topic: reference
 >
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> [!IMPORTANT]
+> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
+
 The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
@@ -40,6 +43,7 @@ The following list shows the BitLocker configuration service provider nodes:
 - ./Device/Vendor/MSFT/BitLocker
 - [AllowStandardUserEncryption](#allowstandarduserencryption)
+ - [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection)
 - [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption)
 - [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation)
 - [EncryptionMethodByDriveType](#encryptionmethodbydrivetype)
@@ -149,6 +153,63 @@ To disable this policy, use the following SyncML:
+
+## AllowSuspensionOfBitLockerProtection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
 :x: User | :x: Home
 :heavy_check_mark: Pro
 :heavy_check_mark: Enterprise
 :heavy_check_mark: Education
 :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+ ```Device
+./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection
+```
+
+
+
+
+This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
+
+> [!WARNING]
+> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
+
+The expected values for this policy are:
+
+0 = Prevent BitLocker Drive Encryption protection from being suspended.
+1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | Prevent BitLocker Drive Encryption protection from being suspended. |
+| 1 (Default) | This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection. |
+
+
+
+
+
+
+
+
 ## AllowWarningForOtherDiskEncryption
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index 206cf3acd1..a5b1dd75f5 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -772,6 +772,52 @@ Supported Values: String form of request ID. Example format of request ID is GUI
+
+ AllowSuspensionOfBitLockerProtection
+
+
+
+
+
+
+
+ 1
+ This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
+ Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
+ The format is integer.
+ The expected values for this policy are:
+
+ 0 = Prevent BitLocker Drive Encryption protection from being suspended.
+ 1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 9.9
+
+
+
+ 0
+ Prevent BitLocker Drive Encryption protection from being suspended.
+
+
+ 1
+ This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
+
+
+
+
 Status
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index f64cf2be86..629021dd17 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -1,10 +1,10 @@
 ---
 title: CellularSettings CSP
 description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md
index 4252fc2469..a1b634ff45 100644
--- a/windows/client-management/mdm/cleanpc-csp.md
+++ b/windows/client-management/mdm/cleanpc-csp.md
@@ -2,12 +2,12 @@
 title: CleanPC CSP
 description: The CleanPC configuration service provider (CSP) allows you to remove user-installed and pre-installed applications, with the option to persist user data.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md
index b9905656b8..1bc37c5325 100644
--- a/windows/client-management/mdm/cleanpc-ddf.md
+++ b/windows/client-management/mdm/cleanpc-ddf.md
@@ -1,10 +1,10 @@
 ---
 title: CleanPC DDF
 description: Learn about the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index bc1967ab1b..1997c7878c 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -1,10 +1,10 @@
 ---
 title: CM\_CellularEntries CSP
 description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md
index e8cd768732..caf0856091 100644
--- a/windows/client-management/mdm/cmpolicy-csp.md
+++ b/windows/client-management/mdm/cmpolicy-csp.md
@@ -1,10 +1,10 @@
 ---
 title: CMPolicy CSP
 description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index 55ae5b8083..72db3fe0f1 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -1,10 +1,10 @@
 ---
 title: CMPolicyEnterprise CSP
 description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
index 35f1e9f495..15d65b1bc8 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: CMPolicyEnterprise DDF file
 description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index c8fad72461..121ac1c046 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -4,7 +4,7 @@ description: Learn more about the OMA DM device description framework (DDF) for
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/configuration-service-provider-support.md b/windows/client-management/mdm/configuration-service-provider-support.md
index 80f903585c..578d4aa804 100644
--- a/windows/client-management/mdm/configuration-service-provider-support.md
+++ b/windows/client-management/mdm/configuration-service-provider-support.md
@@ -4,7 +4,7 @@ description: Learn more about configuration service provider (CSP) supported sce
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 1731f78223..7e206209d2 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -1,10 +1,10 @@
 ---
 title: CustomDeviceUI CSP
 description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md
index 1c2b2eb1e0..78d4037e82 100644
--- a/windows/client-management/mdm/customdeviceui-ddf.md
+++ b/windows/client-management/mdm/customdeviceui-ddf.md
@@ -1,10 +1,10 @@
 ---
 title: CustomDeviceUI DDF
 description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index fe160a4fe0..9ec146c353 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
+> [!NOTE]
+> [ControlPolicyConflict (MDMWinsOverGP)](policy-csp-controlpolicyconflict.md) is not applicable to the Defender CSP. If using MDM, remove your current Defender group policy settings to avoid conflicts with your MDM settings.
@@ -61,6 +63,7 @@ The following list shows the Defender configuration service provider nodes:
 - [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
 - [IntelTDTEnabled](#configurationinteltdtenabled)
 - [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
+ - [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
 - [PassiveRemediation](#configurationpassiveremediation)
 - [PlatformUpdatesChannel](#configurationplatformupdateschannel)
 - [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
@@ -1806,6 +1809,55 @@ Allow managed devices to update through metered connections. Default is 0 - not
+
+### Configuration/OobeEnableRtpAndSigUpdate
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
 :x: User | :x: Home
 :heavy_check_mark: Pro
 :heavy_check_mark: Enterprise
 :heavy_check_mark: Education
 :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
+
+
+ ```Device
+./Device/Vendor/MSFT/Defender/Configuration/OobeEnableRtpAndSigUpdate
+```
+
+
+
+
+This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience).
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 1 | If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE. |
+| 0 (Default) | If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled. |
+
+
+
+
+
+
+
+
 ### Configuration/PassiveRemediation
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 4a653a572d..09e0cb692e 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1920,6 +1920,45 @@ The following XML file contains the device description framework (DDF) for the D
+
+ OobeEnableRtpAndSigUpdate
+
+
+
+
+
+
+
+ 0
+ This setting allows you to configure whether real-time protection and Security Intelligence Updates are enabled during OOBE (Out of Box experience).
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.3
+
+
+
+ 1
+ If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
+
+
+ 0
+ If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.
+
+
+
+
 ThrottleForScheduledScanOnly
diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md
index 56d85eb234..55b326e83b 100644
--- a/windows/client-management/mdm/developersetup-csp.md
+++ b/windows/client-management/mdm/developersetup-csp.md
@@ -1,10 +1,10 @@
 ---
 title: DeveloperSetup CSP
 description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md
index 5194793e17..daa6a0b7f9 100644
--- a/windows/client-management/mdm/developersetup-ddf.md
+++ b/windows/client-management/mdm/developersetup-ddf.md
@@ -1,10 +1,10 @@
 ---
 title: DeveloperSetup DDF file
 description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index b10bd93a62..ab39986c26 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -1,10 +1,10 @@
 ---
 title: DeviceLock CSP
 description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md
index a7baeea8fe..03f27aef68 100644
--- a/windows/client-management/mdm/devicelock-ddf-file.md
+++ b/windows/client-management/mdm/devicelock-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: DeviceLock DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md
index e32d2c6c9a..a6be4ec54b 100644
--- a/windows/client-management/mdm/devicepreparation-csp.md
+++ b/windows/client-management/mdm/devicepreparation-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -31,6 +31,7 @@ The following list shows the DevicePreparation configuration service provider no
 - [ClassID](#bootstrapperagentclassid)
 - [ExecutionContext](#bootstrapperagentexecutioncontext)
 - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri)
+ - [MdmAgentInstalled](#mdmagentinstalled)
 - [MDMProvider](#mdmprovider)
 - [Progress](#mdmproviderprogress)
 - [PageEnabled](#pageenabled)
@@ -194,6 +195,46 @@ This node holds a URI that can be queried for the status of the Bootstrapper Age
+
+## MdmAgentInstalled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
 :x: User | :x: Home
 :heavy_check_mark: Pro
 :heavy_check_mark: Enterprise
 :heavy_check_mark: Education
 :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+ ```Device
+./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled
+```
+
+
+
+
+This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | bool |
+| Access Type | Get, Replace |
+| Default Value | false |
+
+
+
+
+
+
+
+
 ## MDMProvider
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index c2a8a4aa4e..9d1713e298 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -286,6 +286,29 @@ The following XML file contains the device description framework (DDF) for the D
+
+ MdmAgentInstalled
+
+
+
+
+
+ false
+ This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 ```
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 34dbe6281b..19f240cd0e 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -498,7 +498,7 @@ For each channel node, the user can:
 - Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
 - Specify an XPath query to filter events while exporting the channel event data.
-For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](../diagnose-mdm-failures-in-windows-10.md).
+For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Collect MDM logs](../mdm-collect-logs.md).
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index bdae4f4a67..ff2a647808 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/28/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -16,6 +16,9 @@ ms.topic: reference # DMClient CSP +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment. @@ -37,6 +40,10 @@ The following list shows the DMClient configuration service provider nodes: - [Lock](#deviceproviderprovideridconfiglocklock) - [SecureCore](#deviceproviderprovideridconfiglocksecurecore) - [UnlockDuration](#deviceproviderprovideridconfiglockunlockduration) + - [ConfigRefresh](#deviceproviderprovideridconfigrefresh) + - [Cadence](#deviceproviderprovideridconfigrefreshcadence) + - [Enabled](#deviceproviderprovideridconfigrefreshenabled) + - [PausePeriod](#deviceproviderprovideridconfigrefreshpauseperiod) - [CustomEnrollmentCompletePage](#deviceproviderprovideridcustomenrollmentcompletepage) - [BodyText](#deviceproviderprovideridcustomenrollmentcompletepagebodytext) - [HyperlinkHref](#deviceproviderprovideridcustomenrollmentcompletepagehyperlinkhref) @@ -624,6 +631,176 @@ This node, when it is set, tells the client to set how many minutes the device s + +#### Device/Provider/{ProviderID}/ConfigRefresh + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh +``` + + + + +Parent node for ConfigRefresh nodes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | node | +| Access Type | Add, Delete, Get | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Cadence + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Cadence +``` + + + + +This node determines the number of minutes between refreshes. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Allowed Values | Range: `[30-1440]` | +| Default Value | 90 | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/Enabled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/Enabled +``` + + + + +This node determines whether or not a periodic settings refresh for MDM policies will occur. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | bool | +| Access Type | Add, Delete, Get, Replace | +| Default Value | false | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| true | ConfigRefresh is enabled. | +| false (Default) | ConfigRefresh is disabled. | + + + + + + + + + +##### Device/Provider/{ProviderID}/ConfigRefresh/PausePeriod + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DMClient/Provider/{ProviderID}/ConfigRefresh/PausePeriod
+```
+
+
+
+
+This node determines the number of minutes ConfigRefresh should be paused for.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1440]` |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
 #### Device/Provider/{ProviderID}/CustomEnrollmentCompletePage
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index b5ef6feff0..4de7f3bf11 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/24/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2947,6 +2947,125 @@ The following XML file contains the device description framework (DDF) for the D
+
+ ConfigRefresh
+
+
+
+
+
+
+ Parent node for ConfigRefresh nodes
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 1.6
+
+
+
+ Enabled
+
+
+
+
+
+
+
+ false
+ This node determines whether or not a periodic settings refresh for MDM policies will occur.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ true
+ ConfigRefresh is enabled.
+
+
+ false
+ ConfigRefresh is disabled.
+
+
+ LastWrite
+
+
+
+ Cadence
+
+
+
+
+
+
+
+ 90
+ This node determines the number of minutes between refreshes.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [30-1440]
+
+
+
+
+ PausePeriod
+
+
+
+
+
+
+
+ 0
+ This node determines the number of minutes ConfigRefresh should be paused for.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ [0-1440]
+
+
+
+
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index b7d129f30a..cb1f8535c4 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -2,12 +2,12 @@ title: DMSessionActions CSP
 description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md
index bbf9287698..3fd2404a22 100644
--- a/windows/client-management/mdm/dmsessionactions-ddf.md
+++ b/windows/client-management/mdm/dmsessionactions-ddf.md
@@ -2,12 +2,12 @@ title: DMSessionActions DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DMSessionActions configuration service provider (CSP).
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index 5a0260cdc0..bf39a0e3fd 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -2,7 +2,7 @@ title: DynamicManagement CSP
 description: Learn how the Dynamic Management configuration service provider (CSP) enables configuration of policies that change how the device is managed.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md
index e4b4235d51..a5456ee32d 100644
--- a/windows/client-management/mdm/dynamicmanagement-ddf.md
+++ b/windows/client-management/mdm/dynamicmanagement-ddf.md
@@ -1,10 +1,10 @@
 ---
 title: DynamicManagement DDF file
 description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 7f96c29f4f..9b4bb74c16 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -4,7 +4,7 @@ description: Learn how to create an Extensible Authentication Protocol (EAP) con
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
index a7cf76b52f..35513a778a 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp-ddf.md
@@ -2,7 +2,7 @@ title: EnrollmentStatusTracking DDF
 description: View the OMA DM DDF for the EnrollmentStatusTracking configuration service provider. DDF files are used only with OMA DM provisioning XML.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md
index 01d414693b..d3c9c60797 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@@ -2,7 +2,7 @@ title: EnrollmentStatusTracking CSP
 description: Learn how to execute a hybrid certificate trust deployment of Windows Hello for Business, for systems with no previous installations.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md
index abbf2c055b..2c93f02a94 100644
--- a/windows/client-management/mdm/enterpriseapn-csp.md
+++ b/windows/client-management/mdm/enterpriseapn-csp.md
@@ -1,10 +1,10 @@
 ---
 title: EnterpriseAPN CSP
 description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md
index df2d42aa34..665a9234c3 100644
--- a/windows/client-management/mdm/enterpriseapn-ddf.md
+++ b/windows/client-management/mdm/enterpriseapn-ddf.md
@@ -1,10 +1,10 @@
 ---
 title: EnterpriseAPN DDF
 description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index f283d78393..c6ad92193c 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -2,12 +2,12 @@ title: EnterpriseAppVManagement CSP
 description: Examine the tree format for EnterpriseAppVManagement CSP to manage virtual applications in Windows 10 or Windows 11 PCs. (Enterprise and Education editions).
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
index 95e991df6b..fa2e075e71 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
@@ -2,12 +2,12 @@ title: EnterpriseAppVManagement DDF file
 description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAppVManagement configuration service provider (CSP).
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index 3a3a87afe4..a6c2a4662b 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -2,10 +2,10 @@ title: EnterpriseDataProtection CSP
 description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
 ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
index cde4878163..73469ecfa7 100644
--- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: EnterpriseDataProtection DDF file
 description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 726ff88fb1..9d5ec3342a 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the EnterpriseModernAppManagement CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/28/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,6 +17,7 @@ ms.topic: reference
 # EnterpriseModernAppManagement CSP
+
 The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../enterprise-app-management.md).
 > [!NOTE]
@@ -273,6 +274,7 @@ Used to perform app installation.
+
 This is a required node.
@@ -312,6 +314,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 This is an optional node.
 > [!NOTE]
@@ -329,6 +332,7 @@ This is an optional node.
+
 **Example**:
 Here's an example for uninstalling an app:
@@ -374,6 +378,7 @@ Command to perform an install of an app package from a hosted location (this can
+
 This is a required node. The following list shows the supported deployment options:
 - ForceApplicationShutdown
@@ -424,6 +429,7 @@ Last error relating to the app installation.
+
 > [!NOTE]
 > This element isn't present after the app is installed.
@@ -464,6 +470,7 @@ Description of last error relating to the app installation.
+
 > [!NOTE]
 > This element isn't present after the app is installed.
@@ -504,6 +511,7 @@ An integer the indicates the progress of the app installation. For https locatio
+
 > [!NOTE]
 > This element isn't present after the app is installed.
@@ -544,6 +552,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0)
+
 > [!NOTE]
 > This element isn't present after the app is installed.
@@ -662,6 +671,7 @@ Used to manage licenses for store apps.
+
 This is a required node.
@@ -701,6 +711,7 @@ License ID for a store installed app. The license ID is generally the PFN of the
+
 This is an optional node.
@@ -741,6 +752,7 @@ Command to add license.
+
 This is a required node.
@@ -780,6 +792,7 @@ Command to get license from the store.
+
 This is a required node.
@@ -936,6 +949,7 @@ Used for inventory and app management (post-install).
+
 This is a required node.
@@ -975,6 +989,7 @@ Specifies the query for app inventory.
+
 This is a required node. Query parameters:
 - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are:
@@ -1016,6 +1031,7 @@ This is a required node. Query parameters:
+
 **Example**:
 The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps.
@@ -1057,6 +1073,7 @@ Returns the results for app inventory that was created after the AppInventoryQue
+
 This is a required node.
@@ -1070,6 +1087,7 @@ This is a required node.
+
 **Example**:
 Here's an example of AppInventoryResults operation.
@@ -1108,6 +1126,7 @@ Here's an example of AppInventoryResults operation.
+
 This is a required node. Used for managing apps from the Microsoft Store.
@@ -1147,6 +1166,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
@@ -1162,6 +1182,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 **Example**:
 Here's an example for uninstalling an app:
@@ -1247,6 +1268,7 @@ Architecture of installed package. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -1287,6 +1309,7 @@ Date the app was installed. Value type is string.
+
 This is a required node.
@@ -1326,6 +1349,7 @@ Install location of the app on the device. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -1405,6 +1429,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -1484,6 +1509,7 @@ This node is used to identify whether the package is a stub package. A stub pack
+
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
@@ -1562,6 +1588,7 @@ Provides information about the status of the package. Value type is int. Valid v
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -1641,6 +1668,7 @@ Specifies whether the package state has changed and requires a reinstallation of
+
 This is a required node.
 > [!NOTE]
@@ -1683,6 +1711,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -1723,6 +1752,7 @@ Registered users of the app and the package install state. If the query is at th
+
 This is a required node. Possible values:
 - 0 = Not Installed
@@ -1806,6 +1836,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
+
 This is a required node.
@@ -1854,6 +1885,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
+
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 | Applicability Setting | CSP state | Result |
@@ -1909,6 +1941,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
+
 NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
@@ -1931,6 +1964,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev
+
 **Examples**:
 - Add an app to the nonremovable app policy list
@@ -2019,6 +2053,7 @@ Interior node for the managing updates through the Microsoft Store. These settin
+
 > [!NOTE]
 > ReleaseManagement settings only apply to updates through the Microsoft Store.
@@ -2294,6 +2329,7 @@ Reports the last error code returned by the update scan.
+
 This is a required node.
@@ -2332,6 +2368,7 @@ This is a required node.
+
 Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store.
@@ -2371,6 +2408,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
@@ -2386,6 +2424,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 **Example**:
 Here's an example for uninstalling an app:
@@ -2471,6 +2510,7 @@ Architecture of installed package. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -2511,6 +2551,7 @@ Date the app was installed. Value type is string.
+
 This is a required node.
@@ -2550,6 +2591,7 @@ Install location of the app on the device. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -2629,6 +2671,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -2708,6 +2751,7 @@ This node is used to identify whether the package is a stub package. A stub pack
+
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
@@ -2786,6 +2830,7 @@ Provides information about the status of the package. Value type is int. Valid v
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -2865,6 +2910,7 @@ Specifies whether the package state has changed and requires a reinstallation of
+
 This is a required node.
 > [!NOTE]
@@ -2907,6 +2953,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -2947,6 +2994,7 @@ Registered users of the app and the package install state. If the query is at th
+
 This is a required node. Possible values:
 - 0 = Not Installed
@@ -3030,6 +3078,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
+
 This is a required node.
@@ -3078,6 +3127,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
+
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 | Applicability Setting | CSP state | Result |
@@ -3133,6 +3183,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
+
 NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
@@ -3155,6 +3206,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev
+
 **Examples**:
 - Add an app to the nonremovable app policy list
@@ -3555,6 +3607,7 @@ Used to restore the Windows app to its initial configuration.
+
 Reports apps installed as part of the operating system.
@@ -3594,6 +3647,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
@@ -3675,6 +3729,7 @@ Architecture of installed package. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -3715,6 +3770,7 @@ Date the app was installed. Value type is string.
+
 This is a required node.
@@ -3754,6 +3810,7 @@ Install location of the app on the device. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -3833,6 +3890,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -3912,6 +3970,7 @@ This node is used to identify whether the package is a stub package. A stub pack
+
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
@@ -3990,6 +4049,7 @@ Provides information about the status of the package. Value type is int. Valid v
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -4069,6 +4129,7 @@ Specifies whether the package state has changed and requires a reinstallation of
+
 This is a required node.
 > [!NOTE]
@@ -4111,6 +4172,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -4151,6 +4213,7 @@ Registered users of the app and the package install state. If the query is at th
+
 This is a required node.
 - 0 = Not Installed
@@ -4766,6 +4829,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
+
 This is a required node.
@@ -4814,6 +4878,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
+
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 | Applicability Setting | CSP state | Result |
@@ -4869,6 +4934,7 @@ This setting allows the IT admin to set an app to be nonremovable, or unable to
+
 NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
@@ -4891,6 +4957,7 @@ NonRemovable requires admin permission. This setting can only be defined per dev
+
 **Examples**:
 - Add an app to the nonremovable app policy list
@@ -5253,6 +5320,7 @@ Used to start the Windows Update scan.
+
 This is a required node.
@@ -5331,6 +5399,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
@@ -5346,6 +5415,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 **Example**:
 Here's an example for uninstalling an app:
@@ -5391,6 +5461,7 @@ Command to perform an install of an app package from a hosted location (this can
+
 This is a required node. The following list shows the supported deployment options:
 - ForceApplicationShutdown
@@ -5441,6 +5512,7 @@ Last error relating to the app installation.
+
 > [!NOTE]
 > This element isn't present after the app is installed.
@@ -5481,6 +5553,7 @@ Description of last error relating to the app installation.
+
 > [!NOTE]
 > This element isn't present after the app is installed.
@@ -5521,6 +5594,7 @@ An integer the indicates the progress of the app installation. For https locatio
+
 > [!NOTE]
 > This element isn't present after the app is installed.
@@ -5561,6 +5635,7 @@ Status of app installation. The following values are returned: NOT_INSTALLED (0)
+
 > [!NOTE]
 > This element isn't present after the app is installed.
@@ -5718,6 +5793,7 @@ License ID for a store installed app. The license ID is generally the PFN of the
+
 This is an optional node.
@@ -5758,6 +5834,7 @@ Command to add license.
+
 This is a required node.
@@ -5797,6 +5874,7 @@ Command to get license from the store.
+
 This is a required node.
@@ -5992,6 +6070,7 @@ Specifies the query for app inventory.
+
 This is a required node. Query parameters:
 - Output - Specifies the parameters for the information returned in AppInventoryResults operation. Multiple value must be separate by |. Valid values are:
@@ -6031,6 +6110,7 @@ This is a required node. Query parameters:
+
 **Example**:
 The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps.
@@ -6072,6 +6152,7 @@ Returns the results for app inventory that was created after the AppInventoryQue
+
 This is a required node.
@@ -6085,6 +6166,7 @@ This is a required node.
+
 **Example**:
 Here's an example of AppInventoryResults operation.
@@ -6123,6 +6205,7 @@ Here's an example of AppInventoryResults operation.
+
 This is a required node. Used for managing apps from the Microsoft Store.
@@ -6162,6 +6245,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
@@ -6177,6 +6261,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 **Example**:
 Here's an example for uninstalling an app:
@@ -6262,6 +6347,7 @@ Architecture of installed package. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -6302,6 +6388,7 @@ Date the app was installed. Value type is string.
+
 This is a required node.
@@ -6341,6 +6428,7 @@ Install location of the app on the device. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -6420,6 +6508,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -6499,6 +6588,7 @@ This node is used to identify whether the package is a stub package. A stub pack
+
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
@@ -6577,6 +6667,7 @@ Provides information about the status of the package. Value type is int. Valid v
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -6656,6 +6747,7 @@ Specifies whether the package state has changed and requires a reinstallation of
+
 This is a required node.
 > [!NOTE]
@@ -6698,6 +6790,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -6738,6 +6831,7 @@ Registered users of the app and the package install state. If the query is at th
+
 This is a required node. Possible values:
 - 0 = Not Installed
@@ -6821,6 +6915,7 @@ Interior node for all managed app setting values.
+
 > [!NOTE]
 > This node is only supported in the user context.
@@ -6861,6 +6956,7 @@ The SettingValue and data represent a key value pair to be configured for the ap
+
 This setting only works for apps that support the feature and it's only supported in the user context.
@@ -6875,6 +6971,7 @@ This setting only works for apps that support the feature and it's only supporte
+
 **Examples**:
 - The following example sets the value for the 'Server'
@@ -6933,6 +7030,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
+
 This is a required node.
@@ -6981,6 +7079,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
+
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 |Applicability Setting |CSP state |Result |
@@ -7036,6 +7135,7 @@ Interior node for the managing updates through the Microsoft Store. These settin
+
 > [!NOTE]
 > ReleaseManagement settings only apply to updates through the Microsoft Store.
@@ -7311,6 +7411,7 @@ Reports the last error code returned by the update scan.
+
 This is a required node.
@@ -7349,6 +7450,7 @@ This is a required node.
+
 Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store.
@@ -7388,6 +7490,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
@@ -7403,6 +7506,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 ```xml
@@ -7484,6 +7588,7 @@ Architecture of installed package. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -7524,6 +7629,7 @@ Date the app was installed. Value type is string.
+
 This is a required node.
@@ -7563,6 +7669,7 @@ Install location of the app on the device. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -7642,6 +7749,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -7721,6 +7829,7 @@ This node is used to identify whether the package is a stub package. A stub pack
+
 The value is 1 if the package is a stub package and 0 (zero) for all other cases. Value type is int.
@@ -7801,6 +7910,7 @@ Provides information about the status of the package. Value type is int. Valid v
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -7880,6 +7990,7 @@ Specifies whether the package state has changed and requires a reinstallation of
+
 This is a required node.
 > [!NOTE]
@@ -7922,6 +8033,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -7962,6 +8074,7 @@ Registered users of the app and the package install state. If the query is at th
+
 Requried.
 - Not Installed = 0
@@ -8045,6 +8158,7 @@ Interior node for all managed app setting values.
+
 This node is only supported in the user context.
@@ -8084,6 +8198,7 @@ The SettingValue and data represent a key value pair to be configured for the ap
+
 This setting only works for apps that support the feature and it's only supported in the user context.
@@ -8098,6 +8213,7 @@ This setting only works for apps that support the feature and it's only supporte
+
 The following example sets the value for the 'Server'
 ```xml
@@ -8154,6 +8270,7 @@ Specifies whether you want to block a specific app from being updated via auto-u
+
 This is a required node.
@@ -8202,6 +8319,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the
+
 Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins).
 | Applicability Setting | CSP state | Result |
@@ -8531,6 +8649,7 @@ Used to remove packages.
+
 Parameters:
 - Package
@@ -8551,6 +8670,7 @@ Parameters:
+
 **Example**:
 The following example removes a package for all users:
@@ -8632,6 +8752,7 @@ Used to restore the Windows app to its initial configuration.
+
 Reports apps installed as part of the operating system.
@@ -8671,6 +8792,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 > [!NOTE]
 > XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
@@ -8686,6 +8808,7 @@ Package family name (PFN) of the app. There is one for each PFN on the device wh
+
 **Example**:
 ```xml
@@ -8769,6 +8892,7 @@ Architecture of installed package. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -8809,6 +8933,7 @@ Date the app was installed. Value type is string.
+
 This is a required node.
@@ -8848,6 +8973,7 @@ Install location of the app on the device. Value type is string.
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -8927,6 +9053,7 @@ Whether or not the app is a framework package. Value type is int. The value is 1
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -9006,6 +9133,7 @@ This node is used to identify whether the package is a stub package. A stub pack
+
 The value is 1 if the package is a stub package and 0 (zero) for all other cases.
@@ -9084,6 +9212,7 @@ Provides information about the status of the package. Value type is int. Valid v
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -9163,6 +9292,7 @@ Specifies whether the package state has changed and requires a reinstallation of
+
 This is a required node.
 > [!NOTE]
@@ -9205,6 +9335,7 @@ Resource ID of the app. This is null for the main app, ~ for a bundle, and conta
+
 > [!NOTE]
 > Not applicable to XAP files.
@@ -9245,6 +9376,7 @@ Registered users of the app and the package install state. If the query is at th
+
 This is a required node.
 - 0 = Not Installed
@@ -9328,6 +9460,7 @@ Interior node for all managed app setting values. + This node is only supported in the user context. @@ -9367,6 +9500,7 @@ The SettingValue and data represent a key value pair to be configured for the ap + This setting only works for apps that support the feature and it's only supported in the user context. @@ -9381,6 +9515,7 @@ This setting only works for apps that support the feature and it's only supporte + **Examples**: - The following example sets the value for the 'Server' @@ -9439,6 +9574,7 @@ Specifies whether you want to block a specific app from being updated via auto-u + This is a required node. @@ -9487,6 +9623,7 @@ Specify whether on a AMD64 device, across an app update, the architecture of the + Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (Most restrictive wins). | Applicability Setting | CSP state | Result | @@ -9816,6 +9953,7 @@ Used to start the Windows Update scan. + This is a required node. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index c5b31e1372..dd6206ae17 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -16,9 +16,6 @@ ms.topic: reference # Firewall CSP -> [!IMPORTANT] -> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. - The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. @@ -99,11 +96,11 @@ The following list shows the Firewall configuration service provider nodes: - [HyperVFirewallRules](#mdmstorehypervfirewallrules) - [{FirewallRuleName}](#mdmstorehypervfirewallrulesfirewallrulename) - [Action](#mdmstorehypervfirewallrulesfirewallrulenameaction) - - [Type](#mdmstorehypervfirewallrulesfirewallrulenameactiontype) - [Direction](#mdmstorehypervfirewallrulesfirewallrulenamedirection) - [Enabled](#mdmstorehypervfirewallrulesfirewallrulenameenabled) - [LocalAddressRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocaladdressranges) - [LocalPortRanges](#mdmstorehypervfirewallrulesfirewallrulenamelocalportranges) + - [Name](#mdmstorehypervfirewallrulesfirewallrulenamename) - [Priority](#mdmstorehypervfirewallrulesfirewallrulenamepriority) - [Profiles](#mdmstorehypervfirewallrulesfirewallrulenameprofiles) - [Protocol](#mdmstorehypervfirewallrulesfirewallrulenameprotocol) 
@@ -111,12 +108,6 @@ The following list shows the Firewall configuration service provider nodes: - [RemotePortRanges](#mdmstorehypervfirewallrulesfirewallrulenameremoteportranges) - [Status](#mdmstorehypervfirewallrulesfirewallrulenamestatus) - [VMCreatorId](#mdmstorehypervfirewallrulesfirewallrulenamevmcreatorid) - - [HyperVLoopbackRules](#mdmstorehypervloopbackrules) - - [{RuleName}](#mdmstorehypervloopbackrulesrulename) - - [DestinationVMCreatorId](#mdmstorehypervloopbackrulesrulenamedestinationvmcreatorid) - - [Enabled](#mdmstorehypervloopbackrulesrulenameenabled) - - [PortRanges](#mdmstorehypervloopbackrulesrulenameportranges) - - [SourceVMCreatorId](#mdmstorehypervloopbackrulesrulenamesourcevmcreatorid) - [HyperVVMSettings](#mdmstorehypervvmsettings) - [{VMCreatorId}](#mdmstorehypervvmsettingsvmcreatorid) - [AllowHostPolicyMerge](#mdmstorehypervvmsettingsvmcreatoridallowhostpolicymerge) @@ -1791,7 +1782,7 @@ Specifies the description of the rule. -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -1935,7 +1926,7 @@ If not specified - a new rule is disabled by default. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 21H1 [10.0.19043] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -2087,6 +2078,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -2166,7 +2158,8 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - + +Specifies the friendly name of the firewall rule. @@ -2194,7 +2187,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 22H2 [10.0.19045.2913] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1880] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1635] and later | @@ -2205,7 +2198,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. -Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". +Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -2431,6 +2424,7 @@ An IPv6 address range in the format of "start address - end address" with no spa Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. +When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). @@ -3122,7 +3116,9 @@ Unique alpha numeric identifier for the rule. The rule name must not include a f -Specifies the action for the rule. +Specifies the action the rule enforces: +0 - Block +1 - Allow. @@ -3132,68 +3128,27 @@ Specifies the action for the rule. **Description framework properties**: -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -###### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Action/Type -``` - - - - -Specifies the action the rule enforces: -0 - Block -1 - Allow. - - - - - - - -**Description framework properties**: - | Property name | Property value | |:--|:--| | Format | int | | Access Type | Get, Replace | | Default Value | 1 | - + - + **Allowed values**: | Value | Description | |:--|:--| | 0 | Block. | | 1 (Default) | Allow. | - + - + - + - + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Direction @@ -3212,7 +3167,7 @@ Specifies the action the rule enforces: -Comma separated list. The rule is enabled based on the traffic direction as following. +The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -3385,6 +3340,45 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the + +##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | + + + +```Device +./Vendor/MSFT/Firewall/MdmStore/HyperVFirewallRules/{FirewallRuleName}/Name +``` + + + + +Specifies the friendly name of the Hyper-V Firewall rule. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + + + + + + ##### MdmStore/HyperVFirewallRules/{FirewallRuleName}/Priority @@ -3402,7 +3396,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the -0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. +This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. @@ -3416,7 +3410,7 @@ Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the |:--|:--| | Format | int | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-255]` | +| Allowed Values | Range: `[0-65535]` | @@ -3679,255 +3673,6 @@ This field specifies the VM Creator ID that this rule is applicable to. A NULL G - -### MdmStore/HyperVLoopbackRules - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules -``` - - - - -A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -#### MdmStore/HyperVLoopbackRules/{RuleName} - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName} -``` - - - - -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Add, Delete, Get, Replace | -| Atomic Required | True | -| Dynamic Node Naming | ServerGeneratedUniqueIdentifier | -| Allowed Values | Regular Expression: `^[^|/]*$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/DestinationVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/Enabled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/Enabled -``` - - - - -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | bool | -| Access Type | Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disabled. | -| 1 | Enabled. | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/PortRanges -``` - - - - -Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `^[0-9,-]+$` | - - - - - - - - - -##### MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later | - - - -```Device -./Vendor/MSFT/Firewall/MdmStore/HyperVLoopbackRules/{RuleName}/SourceVMCreatorId -``` - - - - -This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Regular Expression: `\{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\}` | - - - - - - - - ### MdmStore/HyperVVMSettings @@ -4026,7 +3771,7 @@ VM Creator ID that these settings apply to. Valid format is a GUID. -This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. +This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -4075,7 +3820,7 @@ This value is used as an on/off switch. If this value is true, applicable host f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. 
@@ -4125,7 +3870,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4213,7 +3958,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4263,7 +4008,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. 
@@ -4313,7 +4058,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4363,7 +4108,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -4412,7 +4157,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. +This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -4434,8 +4179,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | 
@@ -4548,7 +4293,7 @@ This value is an on/off switch for loopback traffic. This determines if this VM -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4598,7 +4343,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4648,7 +4393,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4698,7 +4443,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. 
@@ -4785,7 +4530,7 @@ This value is an on/off switch for the firewall and advanced security enforcemen -This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. +This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -4835,7 +4580,7 @@ This value is used as an on/off switch. If this value is false, firewall rules f -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -4885,7 +4630,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. +This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -4935,7 +4680,7 @@ This value is the action that the firewall does by default (and evaluates at the -This value is an on/off switch for the firewall and advanced security enforcement. +This value is an on/off switch for the Hyper-V Firewall enforcement. 
@@ -4957,8 +4702,8 @@ This value is an on/off switch for the firewall and advanced security enforcemen | Value | Description | |:--|:--| -| false | Disable Firewall. | -| true (Default) | Enable Firewall. | +| false | Disable Hyper-V Firewall. | +| true (Default) | Enable Hyper-V Firewall. | diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 4eb6ee5f96..6fd0b6982d 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -2855,7 +2855,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is an on/off switch for the Hyper-V Firewall. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2871,11 +2871,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall 
@@ -2888,7 +2888,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2918,7 +2918,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -2934,7 +2934,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. This value controls the settings for all profiles. It is recommended to instead use the profile setting value under the profile subtree. @@ -2964,7 +2964,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall 
@@ -3012,7 +3012,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V firewall. + This value is used as an on/off switch. If this value is true, applicable host firewall rules and settings will be applied to Hyper-V Firewall. @@ -3063,7 +3063,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3096,7 +3096,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3126,7 +3126,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3142,7 +3142,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. 
@@ -3172,7 +3172,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3187,7 +3187,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3217,7 +3217,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3252,7 +3252,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3285,7 +3285,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3315,7 +3315,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall 
@@ -3331,7 +3331,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3361,7 +3361,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3376,7 +3376,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. @@ -3406,7 +3406,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3441,7 +3441,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is an on/off switch for the firewall and advanced security enforcement. + This value is an on/off switch for the Hyper-V Firewall enforcement. @@ -3457,11 +3457,11 @@ The following XML file contains the device description framework (DDF) for the F false - Disable Firewall + Disable Hyper-V Firewall true - Enable Firewall + Enable Hyper-V Firewall 
@@ -3474,7 +3474,7 @@ The following XML file contains the device description framework (DDF) for the F 0 - This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. @@ -3504,7 +3504,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3520,7 +3520,7 @@ The following XML file contains the device description framework (DDF) for the F 1 - This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. + This value is the action that the Hyper-V Firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. @@ -3550,7 +3550,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3565,7 +3565,7 @@ The following XML file contains the device description framework (DDF) for the F true - This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions. + This value is used as an on/off switch. If this value is false, Hyper-V Firewall rules from the local store are ignored and not enforced. 
@@ -3595,7 +3595,7 @@ The following XML file contains the device description framework (DDF) for the F true - Enable Firewall + Enable Hyper-V Firewall @@ -3818,7 +3818,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3846,7 +3849,10 @@ ServiceName - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + + Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. + When setting this field in a firewall rule, the protocol field must also be set, to either 6 (TCP) or 17 (UDP). + @@ -3878,6 +3884,8 @@ ServiceName String value. Multiple ICMP type+code pairs can be included in the string by separating each value with a ",". If more than one ICMP type+code pair is specified, the strings must be separated by a comma. To specify all ICMP types and codes, use the "*" character. For specific ICMP types and codes, use the ":" to separate the type and code. The following are valid examples: 3:4 or 1:*. The "*" character can be used to represent any code. The "*" character can't be used to specify any type, examples such as "*:4" or "*:*" are invalid. + + When setting this field in a firewall rule, the protocol field must also be set, to either 1 (ICMP) or 58 (IPv6-ICMP). @@ -3892,7 +3900,7 @@ ServiceName - 10.0.19043 + 10.0.20348 1.0 
@@ -3909,7 +3917,7 @@ ServiceName - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4172,7 +4180,7 @@ If not specified - a new rule is disabled by default. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4328,7 +4336,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". + Specifies one WDAC tag. This is a string that can contain any alphanumeric character and any of the characters ":", "/", ".", and "_". A PolicyAppId and ServiceName cannot be specified in the same rule. @@ -4342,7 +4350,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 99.9.99999 + 10.0.19045.2913, 10.0.22621.1635, 10.0.22000.1880 1.1 @@ -4380,6 +4388,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. + Specifies the friendly name of the firewall rule. @@ -4457,7 +4466,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - 0-255 number representing the IANA Internet Protocol (TCP = 6, UDP = 17). If not specified the default is All. + This value represents the order of rule enforcement. A lower priority rule is evaluated first. If not specified, block rules are evaluated before allow rules. If priority is configured, it is highly recommended to configure the value for ALL rules to ensure expected evaluation of rules. 
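Review bot: The new Priority description in the `@@ -4457` hunk says a lower value is evaluated first and that block rules precede allow rules only when no priority is configured, but it does not say how a rule with no priority is ordered once other rules have one; that is the mixed state the "highly recommended to configure the value for ALL rules" sentence warns about, and the ordering in that state decides whether an allow rule can be evaluated ahead of a block rule. A sentence stating the behavior (or that it is undefined) would close the gap, e.g. `Rules without a configured priority are evaluated after all rules with a configured priority.` if that matches the implementation — to be confirmed, as nothing on the page establishes it. The enclosing XML node starts and ends outside the hunk.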
@@ -4471,7 +4480,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. - [0-255] + [0-65535]
@@ -4483,7 +4492,7 @@ This is a string in Security Descriptor Definition Language (SDDL) format.. OUT - Comma separated list. The rule is enabled based on the traffic direction as following. + The rule is enabled based on the traffic direction as following. IN - the rule applies to inbound traffic. OUT - the rule applies to outbound traffic. @@ -4577,7 +4586,7 @@ If not specified the detault is OUT. - Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. + Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value. Valid tokens include: "*" indicates any local address. If present, this must be the only token included. @@ -4695,10 +4704,14 @@ An IPv6 address range in the format of "start address - end address" with no spa + - Specifies the action for the rule. + 1 + Specifies the action the rule enforces: +0 - Block +1 - Allow - + @@ -4707,44 +4720,19 @@ An IPv6 address range in the format of "start address - end address" with no spa - + + + + 0 + Block + + + 1 + Allow + + - - Type - - - - - - 1 - Specifies the action the rule enforces: -0 - Block -1 - Allow - - - - - - - - - - - - - - - 0 - Block - - - 1 - Allow - - - - Enabled @@ -4785,7 +4773,7 @@ If not specified - a new rule is disabled by default. - Provides information about the specific verrsion of the rule in deployment for monitoring purposes. + Provides information about the specific version of the rule in deployment for monitoring purposes. 
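Review bot: The new Action description in the `@@ -4695` hunk lists `0 - Block` and `1 - Allow` but, unlike the DefaultInboundAction and DefaultOutboundAction descriptions earlier on this page, does not state what applies when the node is omitted; the `1` preceding the description appears to be the default value, which would make a rule without an Action an allow rule. Stating that explicitly keeps a rule author from having to read the schema to discover a permissive default: append `Default value is 1 [Allow].` to the description, mirroring the wording used for the default-action nodes. The enclosing XML node starts and ends outside the hunk.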
@@ -4840,62 +4828,8 @@ If not specified - a new rule is disabled by default. - - - - HyperVLoopbackRules - - - - - A list of rules controlling loopback traffic through the Windows Firewall. This enforcement is only for traffic from one container to another or to the host device. These rules are all allow rules. - - - - - - - - - - - - - - - - - - - - - - - - Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/). - - - - - - - - - - RuleName - - - - - - - - ^[^|/]*$ - - - - SourceVMCreatorId + Name @@ -4903,12 +4837,12 @@ If not specified - a new rule is disabled by default. - This field specifies the VM Creator ID of the source of the traffic that this rule applies to. If not specified, this applies to All. + Specifies the friendly name of the Hyper-V Firewall rule. - + @@ -4916,96 +4850,6 @@ If not specified - a new rule is disabled by default. - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - DestinationVMCreatorId - - - - - - - - This field specifies the VM Creator ID of the destination of traffic that this rule applies to. If not specified, this applies to All. - - - - - - - - - - - - - - \{[0-9A-Fa-f]{8}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{4}\-[0-9A-Fa-f]{12}\} - - - - - PortRanges - - - - - - - - Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All. - - - - - - - - - - - - - - ^[0-9,-]+$ - - - - - - Enabled - - - - - - Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. If not specified - a new rule is disabled by default. - - - - - - - - - - - - - - - 0 - Disabled - - - 1 - Enabled - - diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md index b5c76b1b14..004ac731d2 100644 --- a/windows/client-management/mdm/laps-csp.md +++ b/windows/client-management/mdm/laps-csp.md 
@@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/27/2023 +ms.date: 04/07/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -16,15 +16,12 @@ ms.topic: reference # LAPS CSP -> [!IMPORTANT] -> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. - The Local Administrator Password Solution (LAPS) configuration service provider (CSP) is used by the enterprise to manage back up of local administrator account passwords. Windows supports a LAPS Group Policy Object that is entirely separate from the LAPS CSP. Many of the various settings are common across both the LAPS GPO and CSP (GPO does not support any of the Action-related settings). As long as at least one LAPS setting is configured via CSP, any GPO-configured settings will be ignored. Also see [Configure policy settings for Windows LAPS](/windows-server/identity/laps/laps-management-policy-settings). > [!NOTE] -> Windows LAPS currently is available only in [Windows 11 Insider Preview Build 25145 and later](/windows-insider/flight-hub/#active-development-builds-of-windows-11). Support for the Windows LAPS Azure Active Directory scenario is currently in private preview, and limited to a small number of customers who have a direct engagement with engineering. Once public preview is declared in 2023, all customers will be able to evaluate this AAD scenario. +> For more information on specific OS updates required to use the Windows LAPS CSP and associated features, plus the current status of the Azure Active Directory LAPS scenario, see [Windows LAPS availability and Azure AD LAPS public preview status](/windows-server/identity/laps/laps-overview#windows-laps-supported-platforms-and-azure-ad-laps-preview-status). > [!TIP] > This article covers the specific technical details of the LAPS CSP. 
For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps). @@ -57,7 +54,7 @@ The following list shows the LAPS configuration service provider nodes: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -96,7 +93,7 @@ Defines the parent interior node for all action-related settings in the LAPS CSP | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -136,7 +133,7 @@ This action invokes an immediate reset of the local administrator account passwo | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -181,7 +178,7 @@ The value returned is an HRESULT code: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -221,7 +218,7 @@ Root node for LAPS policies. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -271,7 +268,7 @@ This setting has a maximum allowed value of 12 passwords. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -316,7 +313,7 @@ If specified, the specified account's password will be managed. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -378,7 +375,7 @@ If not specified, this setting defaults to True. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -434,7 +431,7 @@ If the specified user or group account is invalid the device will fallback to us | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -492,7 +489,7 @@ If not specified, this setting will default to 0. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -540,7 +537,7 @@ This setting has a maximum allowed value of 365 days. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -602,7 +599,7 @@ If not specified, this setting will default to 4. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -658,7 +655,7 @@ If not specified, this setting defaults to True. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -705,7 +702,7 @@ This setting has a maximum allowed value of 64 characters. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | @@ -762,7 +759,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1663] and later
:heavy_check_mark: [10.0.25145] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.4244] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2784] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1754] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621.1480] and later | diff --git a/windows/client-management/mdm/laps-ddf-file.md b/windows/client-management/mdm/laps-ddf-file.md index 35784361d4..d9f29bb7d6 100644 --- a/windows/client-management/mdm/laps-ddf-file.md +++ b/windows/client-management/mdm/laps-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 04/07/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -45,7 +45,7 @@ The following XML file contains the device description framework (DDF) for the L - 99.9.99999 + 10.0.25145, 10.0.22621.1480, 10.0.22000.1754, 10.0.20348.1663, 10.0.19041.2784, 10.0.17763.4244 1.0 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index dad200f3b6..b225f2f4c3 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md @@ -2,12 +2,12 @@ title: MultiSIM CSP description: MultiSIM configuration service provider (CSP) allows the enterprise to manage devices with dual SIM single active configuration. ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 03/22/2018 -ms.reviewer: +ms.reviewer: manager: aaroncz --- diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md index 492326bc04..55f8ef2b32 100644 --- a/windows/client-management/mdm/multisim-ddf.md +++ b/windows/client-management/mdm/multisim-ddf.md 
@@ -2,12 +2,12 @@ title: MultiSIM DDF file description: XML file containing the device description framework for the MultiSIM configuration service provider. ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 02/27/2018 -ms.reviewer: +ms.reviewer: manager: aaroncz --- diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index 95cd0ee469..801f6fc15d 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -1,10 +1,10 @@ --- title: NAP CSP description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 615e9f4a47..4af7ac6717 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md @@ -1,10 +1,10 @@ --- title: NAPDEF CSP description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs). -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index a937496bd1..e172fe94a5 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -106,7 +106,7 @@ This policy specifies the Tenant ID in the format of a Globally Unique Identifie
-To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
+To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
@@ -1831,7 +1831,7 @@ This policy specifies the Tenant ID in the format of a Globally Unique Identifie
-To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
+To get the GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
diff --git a/windows/client-management/mdm/personaldataencryption-csp.md b/windows/client-management/mdm/personaldataencryption-csp.md
index af0cf9f34d..9477520647 100644
--- a/windows/client-management/mdm/personaldataencryption-csp.md
+++ b/windows/client-management/mdm/personaldataencryption-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the PDE CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/14/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -26,13 +26,7 @@ The following list shows the PDE configuration service provider nodes:
 - ./User/Vendor/MSFT/PDE
 - [EnablePersonalDataEncryption](#enablepersonaldataencryption)
- - [ProtectFolders](#protectfolders)
- - [ProtectDesktop](#protectfoldersprotectdesktop)
- - [ProtectDocuments](#protectfoldersprotectdocuments)
- - [ProtectPictures](#protectfoldersprotectpictures)
 - [Status](#status)
- - [FolderProtectionStatus](#statusfolderprotectionstatus)
- - [FoldersProtected](#statusfoldersprotected)
 - [PersonalDataEncryptionStatus](#statuspersonaldataencryptionstatus)
@@ -85,188 +79,6 @@ The [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.u
-
-## ProtectFolders
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :x: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```User -./User/Vendor/MSFT/PDE/ProtectFolders -``` - - - - - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | node | -| Access Type | Get | - - - - - - - - - -### ProtectFolders/ProtectDesktop - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```User -./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDesktop -``` - - - - -Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. | -| 1 | Enable PDE on the folder. | - - - - - - - - - -### ProtectFolders/ProtectDocuments - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```User -./User/Vendor/MSFT/PDE/ProtectFolders/ProtectDocuments -``` - - - - -Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. | -| 1 | Enable PDE on the folder. | - - - - - - - - - -### ProtectFolders/ProtectPictures - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```User -./User/Vendor/MSFT/PDE/ProtectFolders/ProtectPictures -``` - - - - -Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. | -| 1 | Enable PDE on the folder. | - - - - - - - - ## Status @@ -309,95 +121,6 @@ Reports the current status of Personal Data Encryption (PDE) for the user. - -### Status/FolderProtectionStatus - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```User -./User/Vendor/MSFT/PDE/Status/FolderProtectionStatus -``` - - - - -This node reports folder protection status for a user. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Get | - - - -**Allowed values**: - -| Value | Description | -|:--|:--| -| 0 | Protection not started. | -| 1 | Protection is completed with no failures. | -| 2 | Protection in progress. | -| 3 | Protection failed. | - - - - - - - - - -### Status/FoldersProtected - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :x: Device
:heavy_check_mark: User | :x: Home
:x: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```User -./User/Vendor/MSFT/PDE/Status/FoldersProtected -``` - - - - -This node reports all folders (full path to each folder) that have been protected. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Get | - - - - - - - - ### Status/PersonalDataEncryptionStatus diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index b5425cab46..1d5d233812 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -83,128 +83,6 @@ The following XML file contains the device description framework (DDF) for the P - - ProtectFolders - - - - - - - - - - - - - - - - - - - ProtectDocuments - - - - - - - - Allows the Admin to enable PDE on Documents folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectDesktop - - - - - - - - Allows the Admin to enable PDE on Desktop folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - - ProtectPictures - - - - - - - - Allows the Admin to enable PDE on Pictures folder. Set to '1' to set this policy. - - - - - - - - - - - - - - - 0 - Disable PDE on the folder. If the folder is currently protected by PDE, this will result in unprotecting the folder. - - - 1 - Enable PDE on the folder. - - - - - Status @@ -245,66 +123,6 @@ The following XML file contains the device description framework (DDF) for the P - - FolderProtectionStatus - - - - - This node reports folder protection status for a user. - - - - - - - - - - - - - - - 0 - Protection not started. - - - 1 - Protection is completed with no failures. - - - 2 - Protection in progress. - - - 3 - Protection failed. - - - - - - FoldersProtected - - - - - This node reports all folders (full path to each folder) that have been protected. - - - - - - - - - - - - - - diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 08332c2601..404381b85a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 6aba70d787..f9aa11914a 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -340,9 +340,6 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [ClearTextPassword](policy-csp-devicelock.md)
 - [PasswordComplexity](policy-csp-devicelock.md)
 - [PasswordHistorySize](policy-csp-devicelock.md)
-- [AccountLockoutThreshold](policy-csp-devicelock.md)
-- [AccountLockoutDuration](policy-csp-devicelock.md)
-- [ResetAccountLockoutCounterAfter](policy-csp-devicelock.md)
 - [AllowAdministratorLockout](policy-csp-devicelock.md)
 ## Display
@@ -689,7 +686,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [StartLayout](policy-csp-start.md)
 - [ConfigureStartPins](policy-csp-start.md)
 - [HideRecommendedSection](policy-csp-start.md)
-- [HideRecoPersonalizedSites](policy-csp-start.md)
+- [HideRecommendedPersonalizedSites](policy-csp-start.md)
 - [HideTaskViewButton](policy-csp-start.md)
 - [DisableControlCenter](policy-csp-start.md)
 - [ForceStartSize](policy-csp-start.md)
@@ -700,7 +697,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [StartLayout](policy-csp-start.md)
 - [ConfigureStartPins](policy-csp-start.md)
 - [HideRecommendedSection](policy-csp-start.md)
-- [HideRecoPersonalizedSites](policy-csp-start.md)
+- [HideRecommendedPersonalizedSites](policy-csp-start.md)
 - [SimplifyQuickSettings](policy-csp-start.md)
 - [DisableEditingQuickSettings](policy-csp-start.md)
 - [HideTaskViewButton](policy-csp-start.md)
@@ -884,7 +881,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [DenyLogOnAsBatchJob](policy-csp-userrights.md)
 - [LogOnAsService](policy-csp-userrights.md)
 - [IncreaseProcessWorkingSet](policy-csp-userrights.md)
-- [DenyServiceLogonRight](policy-csp-userrights.md)
+- [DenyLogOnAsService](policy-csp-userrights.md)
 ## VirtualizationBasedTechnology
@@ -897,7 +894,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
 - [NotifyMalicious](policy-csp-webthreatdefense.md)
 - [NotifyPasswordReuse](policy-csp-webthreatdefense.md)
 - [NotifyUnsafeApp](policy-csp-webthreatdefense.md)
-- [CaptureThreatWindow](policy-csp-webthreatdefense.md)
+- [AutomaticDataCollection](policy-csp-webthreatdefense.md)
 ## Wifi
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
index 0bdb057669..2329114e1b 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
@@ -4,7 +4,7 @@ description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Co
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
index d610e84f01..631059455e 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by HoloLens (1st g
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index b34eebfedb..e45320b0b7 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by HoloLens 2.
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
@@ -24,14 +24,15 @@ ms.date: 02/03/2023
 - [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname)
 - [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
 - [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#localdevicename)
-- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill)
-- [Browser/AllowCookies](policy-csp-browser.md#allowcookies)
-- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack)
-- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager)
-- [Browser/AllowPopups](policy-csp-browser.md#allowpopups)
-- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
-- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
+- [Browser/AllowAutofill](policy-csp-browser.md#allowautofill) 13
+- [Browser/AllowCookies](policy-csp-browser.md#allowcookies) 13
+- [Browser/AllowDoNotTrack](policy-csp-browser.md#allowdonottrack) 13
+- [Browser/AllowPasswordManager](policy-csp-browser.md#allowpasswordmanager) 13
+- [Browser/AllowPopups](policy-csp-browser.md#allowpopups) 13
+- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar) 13
+- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen) 13
 - [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices) 12
 - [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
 - [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) 10
 - [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) 10
@@ -66,7 +67,6 @@ ms.date: 02/03/2023
 - [MixedReality/ConfigureNtpClient](./policy-csp-mixedreality.md#configurentpclient) 12
 - [MixedReality/DisallowNetworkConnectivityPassivePolling](./policy-csp-mixedreality.md#disallownetworkconnectivitypassivepolling) 12
 - [MixedReality/FallbackDiagnostics](./policy-csp-mixedreality.md#fallbackdiagnostics) 9
-- [MixedReality/HeadTrackingMode](policy-csp-mixedreality.md#headtrackingmode) 9
 - [MixedReality/ManualDownDirectionDisabled](policy-csp-mixedreality.md#manualdowndirectiondisabled) *[Feb. 2022 Servicing release](/hololens/hololens-release-notes#windows-holographic-version-21h2---february-2022-update)
 - [MixedReality/MicrophoneDisabled](./policy-csp-mixedreality.md#microphonedisabled) 9
 - [MixedReality/NtpClientEnabled](./policy-csp-mixedreality.md#ntpclientenabled) 12
@@ -74,14 +74,13 @@ ms.date: 02/03/2023
 - [MixedReality/SkipTrainingDuringSetup](./policy-csp-mixedreality.md#skiptrainingduringsetup) 12
 - [MixedReality/VisitorAutoLogon](policy-csp-mixedreality.md#visitorautologon) 10
 - [MixedReality/VolumeButtonDisabled](./policy-csp-mixedreality.md#volumebuttondisabled) 9
-- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9
-- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9
-- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9
-- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9
-- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9
-- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9
+- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#displayofftimeoutonbattery) 9, 14
+- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#displayofftimeoutpluggedin) 9, 14
+- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#energysaverbatterythresholdonbattery) 9, 14
+- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#energysaverbatterythresholdpluggedin) 9, 14
+- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#standbytimeoutonbattery) 9, 14
+- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#standbytimeoutpluggedin) 9, 14
 - [Privacy/AllowInputPersonalization](policy-csp-privacy.md#allowinputpersonalization)
-- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#disableprivacyexperience) Insider
 - [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#letappsaccessaccountinfo)
 - [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forceallowtheseapps)
 - [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessaccountinfo_forcedenytheseapps)
@@ -99,6 +98,9 @@ ms.date: 02/03/2023
 - [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8
 - [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8
 - [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
+- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12
+- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12
+- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](/windows/client-management/mdm/policy-csp-privacy) 12
 - [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
 - [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8
 - [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8
@@ -115,10 +117,11 @@ ms.date: 02/03/2023
 - [Storage/ConfigStorageSenseCloudContentDehydrationThreshold](policy-csp-storage.md#configstoragesensecloudcontentdehydrationthreshold) 12
 - [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12
 - [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12
-- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline)
 - [System/AllowLocation](policy-csp-system.md#allowlocation)
 - [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
 - [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
+- [System/ConfigureTelemetryOptInSettingsUx](/windows/client-management/mdm/policy-csp-system) 12
+- [System/DisableDeviceDelete](/windows/client-management/mdm/policy-csp-system) 12
 - [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9
 - [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9
 - [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9
@@ -160,8 +163,15 @@ Footnotes:
 - 10 - Available in [Windows Holographic, version 21H1](/hololens/hololens-release-notes#windows-holographic-version-21h1)
 - 11 - Available in [Windows Holographic, version 21H2](/hololens/hololens-release-notes#windows-holographic-version-21h2)
 - 12 - Available in [Windows Holographic, version 22H2](/hololens/hololens-release-notes#windows-holographic-version-22h2)
+- 13 - Refer to [Configuring Policy Settings for the New Microsoft Edge](/hololens/hololens-new-edge#configuring-policy-settings-for-the-new-microsoft-edge)
+- 14 - Refer to [New Power Policies for Hololens 2](/hololens/hololens-release-notes-2004#new-power-policies-for-hololens-2)
 - Insider - Available in our current [HoloLens Insider builds](/hololens/hololens-insider).
 ## Related topics
 [Policy CSP](policy-configuration-service-provider.md)
+
+[Full HoloLens CSP Details](/windows/client-management/mdm/configuration-service-provider-support)
+
+
+
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
index e15af01618..a538f58f8d 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 IoT
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index e17a1d7e53..4be961a69f 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Windows 10 Team
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/28/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -257,6 +257,7 @@ This article lists the policies in Policy CSP that are applicable for the Surfac
 ## Start
+- [HideRecommendedPersonalizedSites](policy-csp-start.md#hiderecommendedpersonalizedsites)
 - [StartLayout](policy-csp-start.md#startlayout)
 ## System
diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
index 3d2e78b195..b2cb734aa7 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP that can be set using Exchan
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 1eba8fd662..1fc1424bc4 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -4,7 +4,7 @@ description: Learn more about the Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/28/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index 24975f13e3..4fbd4d3169 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -47,6 +47,8 @@ This policy setting enables you to specify the expected address of the host name
+> [!NOTE]
+> This applies exclusively to DirectAccess clients.
@@ -102,6 +104,8 @@ This policy setting enables you to specify the host name of a computer known to
+> [!NOTE]
+> This applies exclusively to DirectAccess clients.
@@ -157,6 +161,8 @@ This policy setting enables you to specify the list of IPv6 corporate site prefi
+> [!NOTE]
+> This applies exclusively to DirectAccess clients.
@@ -212,6 +218,8 @@ This policy setting enables you to specify the URL of the corporate website, aga
+> [!NOTE]
+> This applies exclusively to DirectAccess clients.
@@ -267,6 +275,8 @@ This policy setting enables you to specify the HTTPS URL of the corporate websit
+> [!NOTE]
+> This indicates the Network Location Server (NLS) URL and applies exclusively to DirectAccess clients (it does NOT apply for example to VPN clients). For non-DirectAccess scenarios, such as Azure AD only joined devices, please refer to [Policy CSP - NetworkListManager](./policy-csp-networklistmanager.md).
diff --git a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
index fbc5c518ac..5c5b42532a 100644
--- a/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharedfolders.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_SharedFolders Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -31,7 +31,7 @@ ms.topic: reference
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index f558a57eaa..19a5889d94 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2803,7 +2803,7 @@ This policy setting allows you to audit events generated by attempts to access t
 - If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made.
 > [!NOTE]
-> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume: High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https://go.microsoft.com/fwlink/?LinkId=121698).
+> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume: High on domain controllers.
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index b6865f7b07..4d9b9ad115 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -44,15 +44,14 @@ If set to 1 then any MDM policy that is set that has an equivalent GP policy wil
 > [!NOTE]
-> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
-This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel.
-The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
+> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
+
+This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
 > [!NOTE]
 > This policy doesn't support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
-The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy.
-This ensures that:
+The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy. This ensures that:
 - GP settings that correspond to MDM applied settings aren't conflicting
 - The current Policy Manager policies are refreshed from what MDM has set
@@ -65,8 +64,7 @@ The [Policy DDF](configuration-service-provider-ddf.md) contains the following t - \ - \ -For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy -](./policies-in-policy-csp-supported-by-group-policy.md). +For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy](./policies-in-policy-csp-supported-by-group-policy.md). The MDM Diagnostic report shows the applied configurations states of a device including policies, certificates, configuration sources, and resource information. The report includes a list of blocked GP settings because MDM equivalent is configured, if any. To get the diagnostic report, go to **Settings** > **Accounts** > **Access work or school** > and then click the desired work or school account. Scroll to the bottom of the page to **Advanced Diagnostic Report** and then click **Create Report**.
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 1f26de308e..8643e7282a 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/27/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage 
@@ -1885,8 +1885,8 @@ Same as Disabled. - -This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a |. For example, lib|obj. @@ -1939,8 +1939,8 @@ This policy setting allows you specify a list of file types that should be exclu - -This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name. As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a |. For example, C:\Example|C:\Example1. 
@@ -1993,8 +1993,11 @@ This policy setting allows you to disable scheduled and real-time scanning for f - -This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. **Note** that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0. + +Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C:\Example. exe|C:\Example1.exe.
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index b65b65b1e4..c86a89adff 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -347,7 +347,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.256] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.2145] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1714] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1151] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 69a26fb46f..80e5d67f50 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -4,7 +4,7 @@ description: Learn more about the DeviceLock Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -30,105 +30,44 @@ ms.topic: reference > The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For more information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types). - -## AccountLockoutDuration + +## AccountLockoutPolicy - + | Scope | Editions | Applicable OS | |:--|:--|:--| | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - + - + ```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutDuration +./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutPolicy ``` - + - + -Account lockout duration This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - +Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0 Account lockout duration - This security setting determines the number of minutes a locked-out account remains locked out before automatically becoming unlocked. The available range is from 0 minutes through 99,999 minutes. If you set the account lockout duration to 0, the account will be locked out until an administrator explicitly unlocks it. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. 
Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. + - + - + - + **Description framework properties**: | Property name | Property value | |:--|:--| -| Format | int | +| Format | chr (string) | | Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-99999]` | -| Default Value | 0 | - + - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout duration | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - + - + - - - -## AccountLockoutThreshold - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/AccountLockoutThreshold -``` - - - - -Account lockout threshold - This security setting determines the number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. You can set a value between 0 and 999 failed logon attempts. If you set the value to 0, the account will never be locked out. Failed password attempts against workstations or member servers that have been locked using either CTRL+ALT+DELETE or password-protected screen savers count as failed logon attempts. Default: 0. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[0-10]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Account lockout threshold | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - + ## AllowAdministratorLockout @@ -162,7 +101,7 @@ Allow Administrator account lockout This security setting determines whether the | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-1]` | -| Default Value | 0 | +| Default Value | 1 | 
@@ -1165,11 +1104,11 @@ Complexity requirements are enforced when passwords are changed or created. -Minimum password length -This security setting determines the least number of characters that a password for a user account may contain. The maximum value for this setting is dependent on the value of the Relax minimum password length limits setting. If the Relax minimum password length limits setting is not defined, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and disabled, this setting may be configured from 0 to 14. If the Relax minimum password length limits setting is defined and enabled, this setting may be configured from 0 to 128. Setting the required number of characters to 0 means that no password is required. +Enforce password history +This security setting determines the number of unique new passwords that have to be associated with a user account before an old password can be reused. The value must be between 0 and 24 passwords. This policy enables administrators to enhance security by ensuring that old passwords are not reused continually. Default: 24 on domain controllers. 0 on stand-alone servers. > [!NOTE] -> By default, member computers follow the configuration of their domain controllers. Default: 7 on domain controllers. 0 on stand-alone servers. Configuring this setting than 14 may affect compatibility with clients, services, and applications. Microsoft recommends that you only configure this setting larger than 14 after using the Minimum password length audit setting to test for potential incompatibilities at the new setting. +> By default, member computers follow the configuration of their domain controllers. To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were just changed by also enabling the Minimum password age security policy setting. 
For information about the minimum password age security policy setting, see Minimum password age. @@ -1184,7 +1123,7 @@ This security setting determines the least number of characters that a password | Format | int | | Access Type | Add, Delete, Get, Replace | | Allowed Values | Range: `[0-24]` | -| Default Value | 7 | +| Default Value | 24 | @@ -1192,7 +1131,7 @@ This security setting determines the least number of characters that a password | Name | Value | |:--|:--| -| Name | Minimum password length | +| Name | Enforce password history | | Path | Windows Settings > Security Settings > Account Policies > Password Policy | @@ -1322,56 +1261,6 @@ If you enable this setting, users will no longer be able to modify slide show se - -## ResetAccountLockoutCounterAfter - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/DeviceLock/ResetAccountLockoutCounterAfter -``` - - - - -Reset account lockout counter after - This security setting determines the number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. The available range is 1 minute to 99,999 minutes. If an account lockout threshold is defined, this reset time must be less than or equal to the Account lockout duration. Default: None, because this policy setting only has meaning when an Account lockout threshold is specified. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | int | -| Access Type | Add, Delete, Get, Replace | -| Allowed Values | Range: `[1-99999]` | -| Default Value | 0 | - - - -**Group policy mapping**: - -| Name | Value | -|:--|:--| -| Name | Reset account lockout counter after | -| Path | Windows Settings > Security Settings > Account Policies > Account Lockout Policy | - - - - - - - - ## ScreenTimeoutWhileLocked diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md index 58d44e12de..a8a7ae5f57 100644 --- a/windows/client-management/mdm/policy-csp-feeds.md +++ b/windows/client-management/mdm/policy-csp-feeds.md @@ -2,13 +2,13 @@ title: Policy CSP - Feeds description: Use the Policy CSP - Feeds setting policy specifies whether news and interests is allowed on the device. ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/17/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz --- diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 92fda2c42a..d8938e641c 100644 
--- a/windows/client-management/mdm/policy-csp-internetexplorer.md
+++ b/windows/client-management/mdm/policy-csp-internetexplorer.md
@@ -4,7 +4,7 @@ description: Learn more about the InternetExplorer Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1428,7 +1428,7 @@ This policy allows the user to go directly to an intranet site for a one-word en | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -2080,7 +2080,7 @@ This policy setting allows you to manage whether Internet Explorer checks for di | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -3403,7 +3403,7 @@ The Home page specified on the General tab of the Internet Options dialog box is | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.1060] and later
:heavy_check_mark: Windows 10, version 1809 [10.0.17763.3460] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.2060] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.1030] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -3599,7 +3599,7 @@ InPrivate Browsing prevents Internet Explorer from storing data about a user's b | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -4486,7 +4486,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.143] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1474] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.906] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | @@ -4552,7 +4552,7 @@ For more information, see | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.558] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1566] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.527] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -7968,7 +7968,7 @@ This policy setting specifies whether JScript or JScript9Legacy is loaded for MS | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | @@ -13390,7 +13390,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.261] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1832] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1266] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000.282] and later
:heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | @@ -16537,7 +16537,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later | +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348] and later
:heavy_check_mark: Windows 10, version 1903 [10.0.18362.1350] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.789] and later |
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 870386a6e5..16587b8ce0 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -242,7 +242,6 @@ This policy setting controls hash or checksum algorithms used by the Kerberos cl - "Not Supported" disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. - If you disable or do not configure this policy, each algorithm will assume the "Default" state. -More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found at< https://go.microsoft.com/fwlink/?linkid=2169037>. Events generated by this configuration: 205, 206, 207, 208.
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 6f83800c56..ad926281b0 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -4,7 +4,7 @@ description: Learn more about the MixedReality Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/09/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -86,7 +86,7 @@ Steps to use this policy correctly: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -136,7 +136,7 @@ This opt-in policy can help with the setup of new devices in new areas or new us | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -188,7 +188,7 @@ For more information on the Launcher API, see [Launcher Class (Windows.System) - | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -335,7 +335,7 @@ This policy setting controls if pressing the brightness button changes the brigh | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -386,7 +386,7 @@ For more information, see [Moving platform mode on low dynamic motion moving pla | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -491,7 +491,7 @@ The following XML string is an example of the value for this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -687,7 +687,7 @@ This policy configures behavior of HUP to determine, which algorithm to use for | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -786,7 +786,7 @@ This policy setting controls whether microphone on HoloLens 2 is disabled or not | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -856,7 +856,7 @@ The following example XML string shows the value to enable this policy: | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later | @@ -907,7 +907,7 @@ This policy configures whether the device will take the user through the eye tra | Scope | Editions | Applicable OS | |:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later |
@@ -957,7 +957,7 @@ It skips the training experience of interactions with the hummingbird and Start
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: Unknown [10.0.20348] and later |
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:x: Windows SE | :heavy_check_mark: [10.0.20348] and later |
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index f4fa8a6e6a..507250a860 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -4,7 +4,7 @@ description: Learn more about the Privacy Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2930,7 +2930,7 @@ If an app is open when this Group Policy object is applied on a device, employee
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later |
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later |
@@ -2990,7 +2990,7 @@ This policy setting specifies whether Windows apps can access the human presence
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later |
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later |
@@ -3040,7 +3040,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later |
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later |
@@ -3090,7 +3090,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.25000] and later |
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.25000] and later |
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index 19a927a634..040fb1fed2 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -4,7 +4,7 @@ description: Learn more about the Start Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -1424,6 +1424,68 @@ To validate this policy, do the following steps:
+
+## HideRecommendedPersonalizedSites
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Start/HideRecommendedPersonalizedSites
+```
+
+
+
+
+This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Personalized Website Recommendations shown. |
+| 1 | Personalized Website Recommendations hidden. |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | HideRecommendedPersonalizedSites |
+| Path | StartMenu > AT > StartMenu |
+
+
+
+
+
+
+
+
 ## HideRecommendedSection
@@ -1493,68 +1555,6 @@ If you enable this policy setting, the Start Menu will no longer show the sectio
-
-## HideRecoPersonalizedSites
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | |
-
-
-
-```User
-./User/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites
-```
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/Start/HideRecoPersonalizedSites
-```
-
-
-
-
-This policy setting allows you to hide the personalized websites in the recommended section of the Start Menu. If you enable this policy setting, the Start Menu will no longer show personalized website recommendations in the recommended section of the start menu.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | int |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value | 0 |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 (Default) | Personalized Website Recommendations shown. |
-| 1 | Personalized Website Recommendations hidden. |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | HideRecoPersonalizedSites |
-| Path | StartMenu > AT > StartMenu |
-
-
-
-
-
-
-
-
 ## HideRestart
diff --git a/windows/client-management/mdm/policy-csp-stickers.md b/windows/client-management/mdm/policy-csp-stickers.md
index c977508f6e..d57c186ddb 100644
--- a/windows/client-management/mdm/policy-csp-stickers.md
+++ b/windows/client-management/mdm/policy-csp-stickers.md
@@ -4,7 +4,7 @@ description: Learn more about the Stickers Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -26,7 +26,7 @@ ms.topic: reference
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
+| :heavy_check_mark: Device
:x: User | :x: Home
:x: Pro
:x: Enterprise
:x: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
diff --git a/windows/client-management/mdm/policy-csp-tenantrestrictions.md b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
index babefd000e..96f488a077 100644
--- a/windows/client-management/mdm/policy-csp-tenantrestrictions.md
+++ b/windows/client-management/mdm/policy-csp-tenantrestrictions.md
@@ -4,7 +4,7 @@ description: Learn more about the TenantRestrictions Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 01/09/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -31,7 +31,7 @@ ms.topic: reference
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20348.320] and later
:heavy_check_mark: Windows 10, version 2004 [10.0.19041.1320] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1320] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1320] and later
:heavy_check_mark: Windows 10, version 21H2 [10.0.19044] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index 4d0a66c573..7832fbfb73 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -4,7 +4,7 @@ description: Learn more about the TextInput Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -949,7 +949,7 @@ This Policy setting applies only to Microsoft Traditional Chinese IME.
-This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode. The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up. But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard. When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode. This policy corresponds to Show the touch keyboard when not in tablet mode and there's no keyboard attached in the Settings app.
+This policy allows the IT admin to control whether the touch keyboard should show up on tapping an edit control. By default, when you tap a textbox, the touch keyboard automatically shows up when there's no keyboard attached. When this policy is enabled, the touch keyboard can be shown or suppressed regardless of the hardware keyboard availability. This policy corresponds to Show the touch keyboard setting in the Settings app.
@@ -971,8 +971,9 @@ This policy allows the IT admin to enable the touch keyboard to automatically sh
 | Value | Description |
 |:--|:--|
-| 0 (Default) | Disabled. |
-| 1 | Enabled. |
+| 0 (Default) | Never. |
+| 1 | When no keyboard attached. |
+| 2 | Always. |
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 28b396eb2f..a5d3afb700 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -826,12 +826,8 @@ Pause Updates | To prevent Feature Updates from being offered to the device, you
-
-Enable this policy to specify when to receive Feature Updates.
-
-Defer Updates | This enables devices to defer taking the next Feature Update available for their current product (or a new product if specified in the Select the target Feature Update version policy). You can defer a Feature Update for up to 14 days for all pre-release channels and up to 365 days for the General Availability Channel. To learn more about the current releases, please see aka.ms/WindowsTargetVersioninfo
-
-Pause Updates | To prevent Feature Updates from being offered to the device, you can temporarily pause Feature Updates. This pause will remain in effect for 35 days from the specified start date or until the field is cleared. Note, Quality Updates will still be offered even if Feature Updates are paused.
+
+Specifies the date and time when the IT admin wants to start pausing the Feature Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28).
@@ -955,16 +951,8 @@ If you disable or do not configure this policy, Windows Update will not alter it
-
-Enable this policy to specify when to receive quality updates.
-
-You can defer receiving quality updates for up to 30 days.
-
-To prevent quality updates from being received on their scheduled time, you can temporarily pause quality updates. The pause will remain in effect for 35 days or until you clear the start date field.
-
-To resume receiving Quality Updates which are paused, clear the start date field.
-
-If you disable or do not configure this policy, Windows Update will not alter its behavior.
+
+Specifies the date and time when the IT admin wants to start pausing the Quality Updates. Value type is string (yyyy-mm-dd, ex. 2018-10-28).
@@ -3069,6 +3057,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
+
 > [!NOTE]
 > This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3167,6 +3164,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
+
 > [!NOTE]
 > This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3265,6 +3271,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
+
 > [!NOTE]
 > This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3363,6 +3378,15 @@ If the status is set to Not Configured, use of Automatic Updates is not specifie
+The ScheduledInstall*week policies operate on numeric days.
+
+- [ScheduledInstallFirstWeek](#scheduledinstallfirstweek): First week of the month (Days 1-7).
+- [ScheduledInstallSecondWeek](#scheduledinstallsecondweek): Second week of the month (Days 8-14).
+- [ScheduledInstallThirdWeek](#scheduledinstallthirdweek): Third week of the month (Days 15-21).
+- [ScheduledInstallFourthWeek](#scheduledinstallfourthweek): Fourth week of the month (Days 22-31).
+
+These policies are not exclusive and can be used in any combination. Together with [ScheduledInstallDay](#scheduledinstallday), it defines the ordinal number of a weekday in a month. E.g. [ScheduledInstallSecondWeek](#scheduledinstallsecondweek) + [ScheduledInstallDay](#scheduledinstallday) = 3 is 2nd Tuesday of the month. If the device is unavailable at the scheduled time, it can postpone installation of updates until the next month.
+
 > [!NOTE]
 > This policy will only take effect if [Update/AllowAutoUpdate](#allowautoupdate) has been configured to option 3 or 4 for scheduled installation.
@@ -3657,7 +3681,7 @@ The following rules are followed regarding battery power:
 - Above 40% - allowed to reboot; - Above 20% - allowed to continue work.
-This setting overrides the install deferral behaviour of [AllowAutoUpdate](#allowautoupdate).
+This setting overrides the install deferral behavior of [AllowAutoUpdate](#allowautoupdate).
 These settings are designed for education devices that remain in carts overnight that are left in sleep mode. It is not designed for 1:1 devices.
@@ -4062,7 +4086,7 @@ If you disable or do not configure this policy, the default method will be used.
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
 Allows IT Admins to specify update delays for up to four weeks. Supported values are 0-4, which refers to the number of weeks to defer updates.
@@ -4154,7 +4178,7 @@ Allows IT Admins to specify additional upgrade delays for up to 8 months. Suppor
 - If the **Allow Telemetry** policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
@@ -4813,7 +4837,7 @@ To validate this policy:
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. If the Specify intranet Microsoft update service location policy is enabled, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect. If the Allow Telemetry policy is enabled and the Options value is set to 0, then the Defer upgrades by, Defer updates by and Pause Updates and Upgrades settings have no effect.
@@ -4915,7 +4939,7 @@ This policy is deprecated. Use Update/RequireUpdateApproval instead.
 > [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](#changes-in-windows-10-version-1607). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. Allows the IT admin to set a device to Semi-Annual Channel train.
@@ -5218,6 +5242,27 @@ If you disable or do not configure this policy, the default notification behavio
+## Changes in Windows 10, version 1607
+
+Here are the new policies added in Windows 10, version 1607. Use these policies for Windows 10, version 1607 devices instead of the older policies
+
+- ActiveHoursEnd
+- ActiveHoursStart
+- AllowMUUpdateService
+- BranchReadinessLevel
+- DeferFeatureUpdatePeriodInDays
+- DeferQualityUpdatePeriodInDays
+- ExcludeWUDriversInQualityUpdate
+- PauseFeatureUpdates
+- PauseQualityUpdates
+
+Here's the list of older policies that are still supported for backward compatibility. You can use these older policies for Windows 10, version 1511 devices.
+
+- RequireDeferUpgrade
+- DeferUpgradePeriod
+- DeferUpdatePeriod
+- PauseDeferrals
+
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 113eac5d6c..d901a34a02 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -980,6 +980,58 @@ This security setting determines which accounts are prevented from being able to
+
+## DenyLogOnAsService
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/UserRights/DenyLogOnAsService
+```
+
+
+
+
+Deny log on as a service -This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.
+
+> [!NOTE]
+> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `0xF000`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Deny log on as a service |
+| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
+
+
+
+
+
+
+
+
 ## DenyRemoteDesktopServicesLogOn
@@ -1029,58 +1081,6 @@ This user right determines which users and groups are prohibited from logging on
-
-## DenyServiceLogonRight
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/Policy/Config/UserRights/DenyServiceLogonRight
-```
-
-
-
-
-This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies.
-
-> [!NOTE]
-> This security setting does not apply to the System, Local Service, or Network Service accounts. Default: None.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | chr (string) |
-| Access Type | Add, Delete, Get, Replace |
-| Allowed Values | List (Delimiter: `0xF000`) |
-
-
-
-**Group policy mapping**:
-
-| Name | Value |
-|:--|:--|
-| Name | Deny log on as a service |
-| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
-
-
-
-
-
-
-
-
 ## EnableDelegation
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index 3f32d7c225..d92837b542 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -25,63 +25,63 @@ ms.topic: reference
 > In Microsoft Intune, this CSP is listed under the **Enhanced Phishing Protection** category.
-
-## CaptureThreatWindow
+
+## AutomaticDataCollection
-
+
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
 | :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
-
+
-
+
 ```Device
-./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/CaptureThreatWindow
+./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection
 ```
-
+
-
+
-Configures Enhanced Phishing Protection notifications to allow to capture the suspicious window on client machines for further threat analysis.
-
+Automatically collect website or app content when additional analysis is needed to help identify security threats.
+
-
+
-
+
-
+
 **Description framework properties**:
 | Property name | Property value |
 |:--|:--|
 | Format | int |
 | Access Type | Add, Delete, Get, Replace |
-| Default Value | 1 |
-
+| Default Value | 0 |
+
-
+
 **Allowed values**:
 | Value | Description |
 |:--|:--|
-| 0 | Disabled. |
-| 1 (Default) | Enabled. |
-
+| 0 (Default) | Disabled. |
+| 1 | Enabled. |
+
-
+
 **Group policy mapping**:
 | Name | Value |
 |:--|:--|
-| Name | CaptureThreatWindow |
+| Name | AutomaticDataCollection |
 | Path | WebThreatDefense > AT > WindowsComponents > WebThreatDefense |
-
+
-
+
-
+
-
+
 ## NotifyMalicious
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 5eb3b2dd3e..e538a7928c 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -4,7 +4,7 @@ description: Learn more about the Wifi Area in Policy CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -228,6 +228,105 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
+
+## AllowWFAQosManagementDSCPToUPMapping
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementDSCPToUPMapping
+```
+
+
+
+
+Allow or disallow the device to use the DSCP to UP Mapping feature from the Wi-Fi Alliance QOS Management Suite 2020. This policy requires a reboot to take effect.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 2 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | DSCP to UP Mapping will be disabled. |
+| 1 | DSCP to UP Mapping will be enabled. |
+| 2 (Default) | DSCP to UP Mapping will be enabled only if it is enabled in the network profile. |
+
+
+
+
+
+
+
+
+
+## AllowWFAQosManagementMSCS
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/Wifi/AllowWFAQosManagementMSCS
+```
+
+
+
+
+Allow or disallow the device to automatically request to enable Mirrored Stream Classification Service when connecting to a MSCS capable network. This is a Quality of Service feature associated with Wi-Fi Alliance QoS Management Suite 2020. This policy requires a reboot to take effect.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | int |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 1 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 | The device will not automatically request to enable MSCS when connecting to a MSCS capable network. |
+| 1 (Default) | The device will automatically request to enable MSCS when connecting to a MSCS capable network. |
+
+
+
+
+
+
+
+
 ## AllowWiFi
@@ -245,7 +344,7 @@ Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks.
-This policy has been deprecated.
+Allow or disallow WiFi connection.
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md
index dfa0ed323d..11e636ca48 100644
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@@ -1,10 +1,10 @@
 ---
 title: Provisioning CSP
 description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index 82b9629e4d..bfc6a262c4 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -1,10 +1,10 @@
 ---
 title: PXLOGICAL configuration service provider
 description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index 04eabb0246..32c31c0461 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Reboot CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -194,7 +194,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index 98866efffa..7771d079d3 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -170,6 +170,10 @@ The following XML file contains the device description framework (DDF) for the R
+
+ 10.0.22621
+ 1.0
+
diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md
index 8430142ede..2b3973921d 100644
--- a/windows/client-management/mdm/remotefind-csp.md
+++ b/windows/client-management/mdm/remotefind-csp.md
@@ -1,10 +1,10 @@
 ---
 title: RemoteFind CSP
 description: The RemoteFind configuration service provider retrieves the location information for a particular device.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md
index b0a282ba66..e805197cf2 100644
--- a/windows/client-management/mdm/remotefind-ddf-file.md
+++ b/windows/client-management/mdm/remotefind-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: RemoteFind DDF file
 description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md
index 7921654d92..a6ff79d5e1 100644
--- a/windows/client-management/mdm/reporting-csp.md
+++ b/windows/client-management/mdm/reporting-csp.md
@@ -1,10 +1,10 @@
 ---
 title: Reporting CSP
 description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md
index 1681b2d8c2..71c1e4a728 100644
--- a/windows/client-management/mdm/reporting-ddf-file.md
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: Reporting DDF file
 description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index 196eff5292..6c9fbf4445 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -1,10 +1,10 @@
 ---
 title: SecureAssessment CSP
 description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index 4225ec9c51..57f576724e 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: SecureAssessment DDF file
 description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 3ca90e30a3..49390c0ef7 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -1,10 +1,10 @@
 ---
 title: SecurityPolicy CSP
 description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md
index e1e42f6685..7593043812 100644
--- a/windows/client-management/mdm/storage-csp.md
+++ b/windows/client-management/mdm/storage-csp.md
@@ -1,10 +1,10 @@
 ---
 title: Storage CSP
 description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index 508dfb3f66..9b582019e9 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: Storage DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 7594de5981..ddfda20a6b 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the SUPL CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/23/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -17,6 +17,7 @@ ms.topic: reference
 # SUPL CSP
+
 The SUPL configuration service provider is used to configure the location client, as shown in the following table:
 - **Location Service**: Connection type
@@ -395,6 +396,7 @@ This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether t
+
 | Location toggle setting | LocMasterSwitchDependencyNII setting | NI request processing allowed |
 |-------------------------|--------------------------------------|------------------------------------|
 | On | 0 | Yes |
diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md
index 16e2b4acd8..5437172618 100644
--- a/windows/client-management/mdm/surfacehub-ddf-file.md
+++ b/windows/client-management/mdm/surfacehub-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 03/24/2023
+ms.date: 05/01/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -50,102 +50,6 @@ The following XML file contains the device description framework (DDF) for the S 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; - - AutopilotSelfdeploy - - - - - Node for setting Autopilot self-deployment mode device account information. This information is stored and committed by the Autopilot client during the Enrollment Status Page phase of OOBE for Surface Hub devices that are using Autopilot self-deploying mode. These values should be set only during the first sync phase of enrollment and are ignored at any other time. - - - - - - - - - - - - - - - - - - UserPrincipalName - - - - - - User principal name (UPN) of the device account. Autopilot on Surface Hub only supports Azure Active Directory, and this should specify the UPN of the device account. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - - Password - - - - - - Password for the device account. Get is allowed here, but will always return a blank. - - - - - - - - - - - - - - - - - - FriendlyName - - - - - - The device friendly name set during Autopilot self-deploying mode on Surface Hub. Get is allowed here but only returns a blank - - - - - - - - - - - - - - - - - DeviceAccount diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md index 615cdfaa7a..7c469706c0 100644 --- a/windows/client-management/mdm/tenantlockdown-csp.md +++ b/windows/client-management/mdm/tenantlockdown-csp.md @@ -2,12 +2,12 @@ title: TenantLockdown CSP description: To lock a device to a tenant to prevent accidental or intentional resets or wipes, use the TenantLockdown configuration service provider. ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 08/13/2018 -ms.reviewer: +ms.reviewer: manager: aaroncz --- 
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index 788ba62e5c..3aa78e83a1 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -2,12 +2,12 @@
 title: TenantLockdown DDF file
 description: XML file containing the device description framework for the TenantLockdown configuration service provider (CSP).
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 08/13/2018
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index ceee66f4b0..5486abb6d0 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -2,12 +2,12 @@
 title: TPMPolicy CSP
 description: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero-exhaust configuration on a Windows device for TPM software components.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 11/01/2017
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index b4bcb92ce0..2987a036eb 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -2,12 +2,12 @@
 title: TPMPolicy DDF file
 description: Learn about the OMA DM device description framework (DDF) for the TPMPolicy configuration service provider (CSP).
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index b6cc17127d..a818eb9880 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -2,7 +2,7 @@
 title: UEFI CSP
 description: The Uefi CSP interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
index 89a1f72465..dde7789737 100644
--- a/windows/client-management/mdm/uefi-ddf.md
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -2,12 +2,12 @@
 title: UEFI DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Uefi configuration service provider (CSP).
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 10/02/2018
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index b4e14b056c..b35a740976 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -1,10 +1,10 @@
 ---
 title: UnifiedWriteFilter CSP
 description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md
index c44499af11..ffaf61bb19 100644
--- a/windows/client-management/mdm/unifiedwritefilter-ddf.md
+++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md
@@ -1,10 +1,10 @@
 ---
 title: UnifiedWriteFilter DDF File
 description: UnifiedWriteFilter DDF File
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md
index c004954f59..cfaae48b05 100644
--- a/windows/client-management/mdm/universalprint-csp.md
+++ b/windows/client-management/mdm/universalprint-csp.md
@@ -2,7 +2,7 @@
 title: UniversalPrint CSP
 description: Learn how the UniversalPrint configuration service provider (CSP) is used to install printers on Windows client devices.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/universalprint-ddf-file.md b/windows/client-management/mdm/universalprint-ddf-file.md
index 86b77653c2..3d3fdc2426 100644
--- a/windows/client-management/mdm/universalprint-ddf-file.md
+++ b/windows/client-management/mdm/universalprint-ddf-file.md
@@ -2,7 +2,7 @@
 title: UniversalPrint DDF file
 description: UniversalPrint DDF file
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index fa7376a759..9a3988642d 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -1,10 +1,10 @@
 ---
 title: Update CSP
 description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index 3e5be4786d..a1ba78b157 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: Update DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 0ef20477a4..4f43fb1e32 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -1,10 +1,10 @@
 ---
 title: VPN CSP
 description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index db77d0704f..f3df5126a9 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: VPN DDF file
 description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index ce9204701c..84b7a6c4ec 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the VPNv2 CSP.
 author: vinaypamnani-msft
 manager: aaroncz
 ms.author: vinpa
-ms.date: 02/28/2023
+ms.date: 04/26/2023
 ms.localizationpriority: medium
 ms.prod: windows-client
 ms.technology: itpro-manage
@@ -2838,7 +2838,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -2876,7 +2876,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -2915,7 +2915,7 @@ List of inbox VPN protocols in priority order.
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -2953,7 +2953,7 @@ List of inbox VPN protocols in priority order.
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -3003,7 +3003,7 @@ Inbox VPN protocols type.
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -7063,7 +7063,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -7101,7 +7101,7 @@ True: Plumb traffic selectors as routes onto VPN interface, False: Do not plumb
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -7140,7 +7140,7 @@ List of inbox VPN protocols in priority order.
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -7178,7 +7178,7 @@ List of inbox VPN protocols in priority order.
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -7228,7 +7228,7 @@ Inbox VPN protocols type.
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.20207] and later |
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.20207] and later |
@@ -7893,7 +7893,7 @@ Boolean value (true or false) for caching credentials.
 | Scope | Editions | Applicable OS |
 |:--|:--|:--|
-| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Unknown [10.0.19628] and later |
+| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: [10.0.19628] and later |
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index dea054addd..6b33ccc664 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -1,10 +1,10 @@
 ---
 title: w4 APPLICATION CSP
 description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index e58f0e5922..0c5e7f4cd5 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -1,10 +1,10 @@
 ---
 title: w7 APPLICATION CSP
 description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index c0862b854f..d76120673d 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -1,10 +1,10 @@
 ---
 title: Win32AppInventory CSP
 description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index 8825199231..413f6927a8 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -1,10 +1,10 @@
 ---
 title: Win32AppInventory DDF file
 description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 9f3d0f3181..72e4dc7e0d 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -2,12 +2,12 @@
 title: Win32CompatibilityAppraiser CSP
 description: Learn how the Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telemetry health.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/19/2018
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
index 9fec57ce5d..2412d86ade 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
@@ -2,12 +2,12 @@
 title: Win32CompatibilityAppraiser DDF file
 description: Learn about the XML file containing the device description framework for the Win32CompatibilityAppraiser configuration service provider.
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 07/19/2018
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ---
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index fc74d86711..ab6d3cfd03 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -1,10 +1,10 @@
 ---
 title: WindowsAdvancedThreatProtection CSP
 description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
-ms.topic: article
+ms.topic: reference
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index b1cbacd77d..1e3460593d 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -2,10 +2,10 @@ title: WindowsAdvancedThreatProtection DDF file description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP). ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 34d9296f84..7a34b0a995 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -1,10 +1,10 @@ --- title: WindowsAutopilot CSP description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md index 8d6ee2e942..88313274a6 100644 --- a/windows/client-management/mdm/windowsautopilot-ddf-file.md +++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md @@ -2,12 +2,12 @@ title: WindowsAutopilot DDF file description: Learn how, without the ability to mark a device as remediation required, the device will remain in a broken state for the WindowsAutopilot DDF file configuration service provider (CSP). ms.author: vinpa -ms.topic: article +ms.topic: reference ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 02/07/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz --- 
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index da4d51d70b..8c55c2fd8e 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -4,7 +4,7 @@ description: Learn more about the WindowsLicensing CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/28/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -28,12 +28,10 @@ The following list shows the WindowsLicensing configuration service provider nod - [ChangeProductKey](#changeproductkey) - [CheckApplicability](#checkapplicability) - [DeviceLicensingService](#devicelicensingservice) - - [AcquireDeviceLicense](#devicelicensingserviceacquiredevicelicense) - [DeviceLicensingLastError](#devicelicensingservicedevicelicensinglasterror) - [DeviceLicensingLastErrorDescription](#devicelicensingservicedevicelicensinglasterrordescription) - [DeviceLicensingStatus](#devicelicensingservicedevicelicensingstatus) - [LicenseType](#devicelicensingservicelicensetype) - - [RemoveDeviceLicense](#devicelicensingserviceremovedevicelicense) - [Edition](#edition) - [LicenseKeyType](#licensekeytype) - [SMode](#smode) 
@@ -45,6 +43,12 @@ The following list shows the WindowsLicensing configuration service provider nod - [{SubscriptionId}](#subscriptionssubscriptionid) - [Name](#subscriptionssubscriptionidname) - [Status](#subscriptionssubscriptionidstatus) + - [DisableSubscription](#subscriptionsdisablesubscription) + - [RemoveSubscription](#subscriptionsremovesubscription) + - [SubscriptionLastError](#subscriptionssubscriptionlasterror) + - [SubscriptionLastErrorDescription](#subscriptionssubscriptionlasterrordescription) + - [SubscriptionStatus](#subscriptionssubscriptionstatus) + - [SubscriptionType](#subscriptionssubscriptiontype) - [UpgradeEditionWithLicense](#upgradeeditionwithlicense) - [UpgradeEditionWithProductKey](#upgradeeditionwithproductkey) @@ -167,7 +171,8 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - + +Device Based Subscription. @@ -189,45 +194,6 @@ Returns TRUE if the entered product key can be used for an edition upgrade of Wi - -### DeviceLicensingService/AcquireDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/AcquireDeviceLicense -``` - - - - -Acquire and Refresh Device License. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ### DeviceLicensingService/DeviceLicensingLastError @@ -375,7 +341,7 @@ License Type: User Based Subscription or Device Based Subscription. | Property name | Property value | |:--|:--| | Format | int | -| Access Type | Add, Delete, Get, Replace | +| Access Type | Get, Replace | @@ -393,45 +359,6 @@ License Type: User Based Subscription or Device Based Subscription. - -### DeviceLicensingService/RemoveDeviceLicense - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later | - - - -```Device -./Vendor/MSFT/WindowsLicensing/DeviceLicensingService/RemoveDeviceLicense -``` - - - - -Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | null | -| Access Type | Exec | - - - - - - - - ## Edition @@ -1064,6 +991,258 @@ Returns the status of the subscription. + +### Subscriptions/DisableSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/DisableSubscription +``` + + + + +Disable or Enable subscription activation on a device. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Enable Subscription. | +| 1 | Disable Subscription. It also removes any existing subscription on the device. | + + + + + + + + + +### Subscriptions/RemoveSubscription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/RemoveSubscription +``` + + + + +Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | null | +| Access Type | Exec | + + + + + + + + + +### Subscriptions/SubscriptionLastError + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastError +``` + + + + +Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionLastErrorDescription + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionLastErrorDescription +``` + + + + +Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionStatus + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionStatus +``` + + + + +Status of last subscription operation. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get | + + + + + + + + + +### Subscriptions/SubscriptionType + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later | + + + +```Device +./Vendor/MSFT/WindowsLicensing/Subscriptions/SubscriptionType +``` + + + + +Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Get, Replace | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | User Based Subscription. | +| 1 | Device Based Subscription. | + + + + + + + + ## UpgradeEditionWithLicense diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index ad27537130..b5e14bb5ec 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 05/01/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -322,6 +322,153 @@ The following XML file contains the device description framework (DDF) for the W
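Review bot: The new `Subscriptions/DisableSubscription` entry documents value 1 as "It also removes any existing subscription on the device" but never says what the device is left with (the edition/activation it falls back to), whether a reboot follows, or whether writing 0 afterwards re-acquires the subscription or only re-permits activation; an admin pushing this through MDM can silently downgrade a fleet's activation state, so that should be spelled out in the allowed-values row. The `Subscriptions/RemoveSubscription` description is ungrammatical and ambiguous; suggest `Removes the subscription and uninstalls its license. Also resets SubscriptionType to User Based Subscription (0).` The `SubscriptionLastError` text "Value would be empty(0)" is contradictory for an int node; suggest `0 when the last subscription operation succeeded.` Finally, the applicability row for all six new nodes says Windows 10, version 1607 [10.0.14393], while the `DeviceLicensingService` nodes this change removes were documented as Windows 11, version 22H2 [10.0.22621]; if that is a DDF default rather than a verified minimum build, it is worth confirming, since admins gate assignments on it.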
+ + SubscriptionType + + + + + + Set device to Device Based Subscription or User Based Subscription. For Device Based Subscription this action will automatically acquire the subscription on the device. For User Based Subscription the existing process of user logon will be required. + + + + + + + + + + + + + + + 0 + User Based Subscription + + + 1 + Device Based Subscription + + + + + + SubscriptionStatus + + + + + Status of last subscription operation. + + + + + + + + + + + + + + + + SubscriptionLastError + + + + + Error code of last subscription operation. Value would be empty(0) in absence of error. + + + + + + + + + + + + + + + + SubscriptionLastErrorDescription + + + + + Error description of last subscription operation. Value would be empty, if error description cannot be evaluated. + + + + + + + + + + + + + + + + DisableSubscription + + + + + Disable or Enable subscription activation on a device + + + + + + + + + + + + + + + 0 + Enable Subscription + + + 1 + Disable Subscription. It also removes any existing subscription on the device. + + + + + + RemoveSubscription + + + + + Remove subscription uninstall subscription license. It also reset subscription type to User Based Subscription. + + + + + + + + + + + + + + SMode @@ -439,7 +586,7 @@ The following XML file contains the device description framework (DDF) for the W - Insert Description Here + Device Based Subscription @@ -461,8 +608,6 @@ The following XML file contains the device description framework (DDF) for the W LicenseType - - @@ -554,48 +699,6 @@ The following XML file contains the device description framework (DDF) for the W - - AcquireDeviceLicense - - - - - Acquire and Refresh Device License. Does not reboot. - - - - - - - - - - - - - - - - RemoveDeviceLicense - - - - - Remove Device License. Device would be ready for user based license after this operation. Does not reboot. - - - - - - - - - - - - - - 
diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 361556d8dd..1b1fb7c688 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md @@ -1,6 +1,6 @@ --- title: Mobile device enrollment -description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. +description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. ms.reviewer: manager: aaroncz ms.author: vinpa @@ -8,10 +8,13 @@ ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 08/11/2017 +ms.date: 04/05/2023 ms.collection: - - highpri - - tier2 +- highpri +- tier2 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Mobile device enrollment 
@@ -20,63 +23,53 @@ Mobile device enrollment is the first phase of enterprise management. The device The enrollment process includes the following steps: -1. Discovery of the enrollment endpoint - - This step provides the enrollment endpoint configuration settings. - -2. Certificate installation - - This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication. - -3. DM Client provisioning - - This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML). +1. **Discovery of the enrollment endpoint**: This step provides the enrollment endpoint configuration settings. +1. **Certificate installation**: This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication. +1. **DM Client provisioning**: This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML). ## Enrollment protocol -There are many changes made to the enrollment protocol to better support various scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +There are many changes made to the enrollment protocol to better support various scenarios across all platforms. 
For detailed information about the mobile device enrollment protocol, see: + +- [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f). +- [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). The enrollment process involves the following steps: ### Discovery request - The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type. + +The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type. ### Certificate enrollment policy -The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210) + +The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in [MS-XCEP]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). 
+ +For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210) ### Certificate enrollment + The certificate enrollment is an implementation of the MS-WSTEP protocol. ### Management configuration + The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. The following topics describe the end-to-end enrollment process using various authentication methods: -- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) -- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) -> [!Note] +> [!NOTE] > As a best practice, don't use hardcoded server-side checks on values such as: -> - User agent string -> - Any fixed URIs that are passed during enrollment -> - Specific formatting of any value unless otherwise noted, such as the format of the device ID. +> +> - User agent string +> - Any fixed URIs that are passed during enrollment +> - Specific formatting of any value unless otherwise noted, such as the format of the device ID. ## Enrollment support for domain-joined devices -Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. 
However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. - -## Disable MDM enrollments - -In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. With the GP editor being used, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. - -![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) - -Here's the corresponding registry key: - -HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM - -Value: DisableRegistration +Devices that are joined to an on-premises Active Directory can enroll into MDM via **Settings** > **Access work or school**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device. ## Enrollment scenarios not supported @@ -85,6 +78,15 @@ The following scenarios don't allow MDM enrollments: - Built-in administrator accounts on Windows desktop can't enroll into MDM. - Standard users can't enroll in MDM. Only admin users can enroll. +## Disable MDM enrollments + +IT admin can disable MDM enrollments for domain-joined PCs using the **Disable MDM Enrollment** group policy. + +Group Policy Path: **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. +Corresponding registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\DisableRegistration (REG_DWORD)` + +![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png) + ## Enrollment error messages The enrollment server can decline enrollment messages using the SOAP Fault format. Errors created can be sent as follows: 
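Review bot: The rewritten step 2 still says the installed certificates are used for "client/server Secure Sockets Layer (SSL) mutual authentication"; SSL is deprecated and the management channel is described on the same page as DM SyncML over HTTPS, so the bullet should read `... client/server Transport Layer Security (TLS) mutual authentication.` Likewise "The discovery request is a simple HTTP post call that returns XML over HTTP" reads as if the exchange were plaintext, yet the response carries the authentication and management-service URLs the client will subsequently trust; if the linked [MS-MDE2] requires HTTPS for the discovery POST, as I recall it does, say so (`an HTTPS POST that returns XML`). Both phrases are carried over from the old text, so this is a wording fix rather than a regression introduced here.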
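Review bot: The re-added "Disable MDM enrollments" section now names the registry value `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\DisableRegistration (REG_DWORD)` but not the data that blocks enrollment, so anyone auditing or scripting the control still has to guess. Suggest adding after the key line: `Set **DisableRegistration** to 1 to block MDM enrollment; 0 or absent allows it.` (1 is what the policy writes as far as I recall; confirm against the MDM ADMX before publishing). It would also help to state whether the policy only blocks new enrollments or also affects a device that is already enrolled, which the section does not cover.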
@@ -112,51 +114,19 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma ``` -**Sample error messages** +**Sample error messages**: -- **Namespace**: `s:` - - **Subcode**: MessageFormat - - **Error**: MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR - - **Description**: Invalid message from the Mobile Device Management (MDM) server. - - **HRESULT**: 80180001 +| Namespace | Subcode | Error | Description | HRESULT | +|-----------|----------------------|-------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| s: | MessageFormat | MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR | Invalid message from the Mobile Device Management (MDM) server. | 80180001 | +| s: | Authentication | MENROLL_E_DEVICE_AUTHENTICATION_ERROR | The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. | 80180002 | +| s: | Authorization | MENROLL_E_DEVICE_AUTHORIZATION_ERROR | The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. | 80180003 | +| s: | CertificateRequest | MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR | The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. | 80180004 | +| s: | EnrollmentServer | MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR | The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. | 80180005 | +| a: | InternalServiceFault | MENROLL_E_DEVICE_INTERNALSERVICE_ERROR | There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. 
| 80180006 | +| a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. | 80180007 | -- **Namespace**: `s:` - - **Subcode**: Authentication - - **Error**: MENROLL_E_DEVICE_AUTHENTICATION_ERROR - - **Description**: The Mobile Device Management (MDM) server failed to authenticate the user. Try again or contact your system administrator. - - **HRESULT**: 80180002 - -- **Namespace**: `s:` - - **Subcode**: Authorization - - **Error**: MENROLL_E_DEVICE_AUTHORIZATION_ERROR - - **Description**: The user isn't authorized to enroll to Mobile Device Management (MDM). Try again or contact your system administrator. - - **HRESULT**: 80180003 - -- **Namespace**: `s:` - - **Subcode**: CertificateRequest - - **Error**: MENROLL_E_DEVICE_CERTIFICATEREQUEST_ERROR - - **Description**: The user has no permission for the certificate template or the certificate authority is unreachable. Try again or contact your system administrator. - - **HRESULT**: 80180004 - -- **Namespace**: `s:` - - **Subcode**: EnrollmentServer - - **Error**: MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR - - **Description**: The Mobile Device Management (MDM) server encountered an error. Try again or contact your system administrator. - - **HRESULT**: 80180005 - -- **Namespace**: `a:` - - **Subcode**: InternalServiceFault - - **Error**: MENROLL_E_DEVICE_INTERNALSERVICE_ERROR - - **Description**: There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. - - **HRESULT**: 80180006 - -- **Namespace**: `a:` - - **Subcode**: InvalidSecurity - - **Error**: MENROLL_E_DEVICE_INVALIDSECURITY_ERROR - - **Description**: The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. 
- - **HRESULT**: 80180007 - -In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here's an example: +SOAP format also includes `deviceenrollmentserviceerror` element. Here's an example: ```xml 
@@ -188,48 +158,23 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. ``` -**Sample error messages** +**Sample error messages**: -- **Subcode**: DeviceCapReached - - **Error**: MENROLL_E_DEVICECAPREACHED - - **Description**: The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. - - **HRESULT**: 80180013 - -- **Subcode**: DeviceNotSupported - - **Error**: MENROLL_E_DEVICENOTSUPPORTED - - **Description**: The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. - - **HRESULT**: 80180014 - -- **Subcode**: NotSupported - - **Error**: MENROLL_E_NOT_SUPPORTED - - **Description**: Mobile Device Management (MDM) is generally not supported for this device. - - **HRESULT**: 80180015 - -- **Subcode**: NotEligibleToRenew - - **Error**: MENROLL_E_NOTELIGIBLETORENEW - - **Description**: The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. - - **HRESULT**: 80180016 - -- **Subcode**: InMaintenance - - **Error**: MENROLL_E_INMAINTENANCE - - **Description**: The Mobile Device Management (MDM) server states your account is in maintenance, try again later. - - **HRESULT**: 80180017 - -- **Subcode**: UserLicense - - **Error**: MENROLL_E_USER_LICENSE - - **Description**: There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. - - **HRESULT**: 80180018 - -- **Subcode**: InvalidEnrollmentData - - **Error**: MENROLL_E_ENROLLMENTDATAINVALID - - **Description**: The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. 
- - **HRESULT**: 80180019 +| Subcode | Error | Description | HRESULT | +|-----------------------|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| +| DeviceCapReached | MENROLL_E_DEVICECAPREACHED | The account has too many devices enrolled to Mobile Device Management (MDM). Delete or unenroll old devices to fix this error. | 80180013 | +| DeviceNotSupported | MENROLL_E_DEVICENOTSUPPORTED | The Mobile Device Management (MDM) server doesn't support this platform or version, consider upgrading your device. | 80180014 | +| NotSupported | MENROLL_E_NOT_SUPPORTED | Mobile Device Management (MDM) is generally not supported for this device. | 80180015 | +| NotEligibleToRenew | MENROLL_E_NOTELIGIBLETORENEW | The device is attempting to renew the Mobile Device Management (MDM) certificate, but the server rejected the request. Check renew schedule on the device. | 80180016 | +| InMaintenance | MENROLL_E_INMAINTENANCE | The Mobile Device Management (MDM) server states your account is in maintenance, try again later. | 80180017 | +| UserLicense | MENROLL_E_USER_LICENSE | There was an error with your Mobile Device Management (MDM) user license. Contact your system administrator. | 80180018 | +| InvalidEnrollmentData | MENROLL_E_ENROLLMENTDATAINVALID | The Mobile Device Management (MDM) server rejected the enrollment data. The server may not be configured correctly. | 80180019 | TraceID is a freeform text node that is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. 
## Related topics -- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) -- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) -- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) -- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) +- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index aa0fa503b7..b1f316d46d 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -1,9 +1,6 @@ --- title: What's new in MDM enrollment and management -description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. -MS-HAID: - - 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' - - 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' +description: Discover what's new and breaking changes in mobile device management (MDM) enrollment and management experience across all Windows devices. ms.reviewer: manager: aaroncz ms.author: vinpa 
@@ -12,14 +9,17 @@ ms.prod: windows-client ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.date: 09/16/2022
+ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
---
# What's new in mobile device enrollment and management
-This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
+This article provides information about what's new in mobile device management (MDM) enrollment and management experience across all Windows devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
-For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+For details about Microsoft mobile device management protocols for Windows, see [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
## What's new in MDM for Windows 11, version 22H2
@@ -28,7 +28,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an
| [DeviceStatus](mdm/devicestatus-csp.md) | Added the following node:
  • MDMClientCertAttestation | | [eUUICs](mdm/euiccs-csp.md) | Added the following node:
  • IsDiscoveryServer | | [PersonalDataEncryption](mdm/personaldataencryption-csp.md) | New CSP | -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • Accounts/RestrictToEnterpriseDeviceAuthenticationOnly
  • DesktopAppInstaller/EnableAdditionalSources
  • DesktopAppInstaller/EnableAllowedSources
  • DesktopAppInstaller/EnableAppInstaller
  • DesktopAppInstaller/EnableDefaultSource
  • DesktopAppInstaller/EnableExperimentalFeatures
  • DesktopAppInstaller/EnableHashOverride
  • DesktopAppInstaller/EnableLocalManifestFiles
  • DesktopAppInstaller/EnableMicrosoftStoreSource
  • DesktopAppInstaller/EnableMSAppInstallerProtocol
  • DesktopAppInstaller/EnableSettings
  • DesktopAppInstaller/SourceAutoUpdateInterval
  • Education/EnableEduThemes
  • Experience/AllowSpotlightCollectionOnDesktop
  • FileExplorer/DisableGraphRecentItems
  • HumanPresence/ForceInstantDim
  • InternetExplorer/EnableGlobalWindowListInIEMode
  • InternetExplorer/HideIEAppRetirementNotification
  • InternetExplorer/ResetZoomForDialogInIEMode
  • LocalSecurityAuthority/AllowCustomSSPsAPs
  • LocalSecurityAuthority/ConfigureLsaProtectedProcess
  • MixedReality/AllowCaptivePortalBeforeLogon
  • MixedReality/AllowLaunchUriInSingleAppKiosk
  • MixedReality/AutoLogonUser
  • MixedReality/ConfigureMovingPlatform
  • MixedReality/ConfigureNtpClient
  • MixedReality/ManualDownDirectionDisabled
  • MixedReality/NtpClientEnabled
  • MixedReality/SkipCalibrationDuringSetup
  • MixedReality/SkipTrainingDuringSetup
  • NetworkListManager/AllowedTlsAuthenticationEndpoints
  • NetworkListManager/ConfiguredTLSAuthenticationNetworkName
  • Printers/ConfigureCopyFilesPolicy
  • Printers/ConfigureDriverValidationLevel
  • Printers/ConfigureIppPageCountsPolicy
  • Printers/ConfigureRedirectionGuard
  • Printers/ConfigureRpcConnectionPolicy
  • Printers/ConfigureRpcListenerPolicy
  • Printers/ConfigureRpcTcpPort
  • Printers/ManageDriverExclusionList
  • Printers/RestrictDriverInstallationToAdministrators
  • RemoteDesktopServices/DoNotAllowWebAuthnRedirection
  • Search/AllowSearchHighlights
  • Search/DisableSearch
  • SharedPC/EnabledSharedPCModeWithOneDriveSync
  • Start/DisableControlCenter
  • Start/DisableEditingQuickSettings
  • Start/HideRecommendedSection
  • Start/HideTaskViewButton
  • Start/SimplifyQuickSettings
  • Stickers/EnableStickers
  • Textinput/allowimenetworkaccess
  • Update/NoUpdateNotificationDuringActiveHours
  • WebThreatDefense/EnableService
  • WebThreatDefense/NotifyMalicious
  • WebThreatDefense/NotifyPasswordReuse
  • WebThreatDefense/NotifyUnsafeApp
  • Windowslogon/EnableMPRNotifications | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • Accounts/RestrictToEnterpriseDeviceAuthenticationOnly
  • DesktopAppInstaller/EnableAdditionalSources
  • DesktopAppInstaller/EnableAllowedSources
  • DesktopAppInstaller/EnableAppInstaller
  • DesktopAppInstaller/EnableDefaultSource
  • DesktopAppInstaller/EnableExperimentalFeatures
  • DesktopAppInstaller/EnableHashOverride
  • DesktopAppInstaller/EnableLocalManifestFiles
  • DesktopAppInstaller/EnableMicrosoftStoreSource
  • DesktopAppInstaller/EnableMSAppInstallerProtocol
  • DesktopAppInstaller/EnableSettings
  • DesktopAppInstaller/SourceAutoUpdateInterval
  • Education/EnableEduThemes
  • Experience/AllowSpotlightCollectionOnDesktop
  • FileExplorer/DisableGraphRecentItems
  • HumanPresence/ForceInstantDim
  • InternetExplorer/EnableGlobalWindowListInIEMode
  • InternetExplorer/HideIEAppRetirementNotification
  • InternetExplorer/ResetZoomForDialogInIEMode
  • LocalSecurityAuthority/AllowCustomSSPsAPs
  • LocalSecurityAuthority/ConfigureLsaProtectedProcess
  • MixedReality/AllowCaptivePortalBeforeLogon
  • MixedReality/AllowLaunchUriInSingleAppKiosk
  • MixedReality/AutoLogonUser
  • MixedReality/ConfigureMovingPlatform
  • MixedReality/ConfigureNtpClient
  • MixedReality/ManualDownDirectionDisabled
  • MixedReality/NtpClientEnabled
  • MixedReality/SkipCalibrationDuringSetup
  • MixedReality/SkipTrainingDuringSetup
  • NetworkListManager/AllowedTlsAuthenticationEndpoints
  • NetworkListManager/ConfiguredTLSAuthenticationNetworkName
  • Printers/ConfigureCopyFilesPolicy
  • Printers/ConfigureDriverValidationLevel
  • Printers/ConfigureIppPageCountsPolicy
  • Printers/ConfigureRedirectionGuard
  • Printers/ConfigureRpcConnectionPolicy
  • Printers/ConfigureRpcListenerPolicy
  • Printers/ConfigureRpcTcpPort
  • Printers/ManageDriverExclusionList
  • Printers/RestrictDriverInstallationToAdministrators
  • RemoteDesktopServices/DoNotAllowWebAuthnRedirection
  • Search/AllowSearchHighlights
  • Search/DisableSearch
  • SharedPC/EnableSharedPCModeWithOneDriveSync
  • Start/DisableControlCenter
  • Start/DisableEditingQuickSettings
  • Start/HideRecommendedSection
  • Start/HideTaskViewButton
  • Start/SimplifyQuickSettings
  • Stickers/EnableStickers
  • Textinput/allowimenetworkaccess
  • Update/NoUpdateNotificationDuringActiveHours
  • WebThreatDefense/EnableService
  • WebThreatDefense/NotifyMalicious
  • WebThreatDefense/NotifyPasswordReuse
  • WebThreatDefense/NotifyUnsafeApp
  • Windowslogon/EnableMPRNotifications | | [SecureAssessment](mdm/secureassessment-csp.md) | Added the following node:
  • Assessments | | [WindowsAutopilot](mdm/windowsautopilot-csp.md) | Added the following node:
  • HardwareMismatchRemediationData | @@ -52,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | New or updated article | Description | |-----|-----| -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy in Windows 10, version 2004:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies in Windows 10, version 2004:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | | [DevDetail CSP](mdm/devdetail-csp.md) | Added the following new node:
  • Ext/Microsoft/DNSComputerName | | [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added the following node:
  • IsStub | | [SUPL CSP](mdm/supl-csp.md) | Added the following node:
  • FullVersion | @@ -71,7 +71,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | [Policy CSP - Audit](mdm/policy-csp-audit.md) | Added the new Audit policy CSP. | | [ApplicationControl CSP](mdm/applicationcontrol-csp.md) | Added the new CSP. | | [Defender CSP](mdm/defender-csp.md) | Added the following new nodes:
  • Health/TamperProtectionEnabled
  • Health/IsVirtualMachine
  • Configuration
  • Configuration/TamperProtection
  • Configuration/EnableFileHashComputation | -| [DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
    [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | +| [DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
    [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md) | Added version 1.4 of the CSP.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | | [EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md) | Added the new CSP. | | [PassportForWork CSP](mdm/passportforwork-csp.md) | Added the following new nodes:
  • SecurityKey
  • SecurityKey/UseSecurityKeyForSignin | @@ -80,7 +80,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | New or updated article | Description | |-----|-----| |[Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/LaunchAppAfterLogOn
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
  • Authentication/EnableFastFirstSignIn (Preview mode only
  • Authentication/EnableWebSignIn (Preview mode only
  • Authentication/PreferredAadTenantDomainName
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Defender/CheckForSignaturesBeforeRunningScan
  • Defender/DisableCatchupFullScan
  • Defender/DisableCatchupQuickScan
  • Defender/EnableLowCPUPriority
  • Defender/SignatureUpdateFallbackOrder
  • Defender/SignatureUpdateFileSharesSources
  • DeviceGuard/ConfigureSystemGuardLaunch
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
  • DmaGuard/DeviceEnumerationPolicy
  • Experience/AllowClipboardHistory
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • TaskManager/AllowEndTask
  • Update/DisableWUfBSafeguards
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
  • Update/SetDisablePauseUXAccess
  • Update/SetDisableUXWUAccess
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
  • WindowsLogon/DontDisplayNetworkSelectionUI | -| [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Windows 10 Pro. | +| [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Pro edition. | | [Defender CSP](mdm/defender-csp.md) | Added a new node Health/ProductStatus. | | [DevDetail CSP](mdm/devdetail-csp.md) | Added a new node SMBIOSSerialNumber. | | [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. | 
@@ -94,255 +94,3 @@ For details about Microsoft mobile device management protocols for Windows 10 an
| [WindowsLicensing CSP](mdm/windowslicensing-csp.md) | Added S mode settings and SyncML examples. |
| [Win32CompatibilityAppraiser CSP](mdm/win32compatibilityappraiser-csp.md) | New CSP. |
-## Breaking changes and known issues
-
-### Get command inside an atomic command isn't supported
-
-In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported.
-
-### Apps installed using WMI classes are not removed
-
-Applications installed using WMI classes aren't removed when the MDM account is removed from device.
-
-### Passing CDATA in SyncML does not work
-
-Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11.
-
-### SSL settings in IIS server for SCEP must be set to "Ignore"
-
-The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11.
-
-![ssl settings.](images/ssl-settings.png)
-
-### MDM enrollment fails on the Windows device when traffic is going through proxy
-
-When the Windows device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that doesn't require authentication or remove the proxy setting from the connected network.
-
-### Server-initiated unenrollment failure
-
-Server-initiated unenrollment for a device enrolled by adding a work account silently fails to leave the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server.
-
-Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device.
-
-### Certificates causing issues with Wi-Fi and VPN
-
-In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue.
-
-### Version information for Windows 11
-
-The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**.
-
-### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11
-
-In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
-
-Enterprises deploying certificate-based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This situation can lead to issues such as:
-
-- The user may be prompted to select the certificate.
-- The wrong certificate may get auto selected and cause an authentication failure.
-
-A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
-
-EAP XML must be updated with relevant information for your environment.
This task can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: - -- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This detail is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags, you'll find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. -- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. - -For information about EAP Settings, see . - -For information about generating an EAP XML, see [EAP configuration](mdm/eap-configuration.md). - -For more information about extended key usage, see . - -For information about adding extended key usage (EKU) to a certificate, see . - -The following list describes the prerequisites for a certificate to be used with EAP: - -- The certificate must have at least one of the following EKU (Extended Key Usage) properties: - - Client Authentication. - - As defined by RFC 5280, this property is a well-defined OID with Value 1.3.6.1.5.5.7.3.2. - - Any Purpose. - - An EKU, defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering. - - All Purpose. - - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. 
-- The user or the computer certificate on the client chains to a trusted root CA. -- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. -- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. -- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. - -The following XML sample explains the properties for the EAP TLS XML including certificate filtering. - -> [!NOTE] -> For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. - -```xml - - - 13 - - - 0 - 0 - 0 - - - - - - - 13 - - - - - true - - - - - - - false - - - false - false - false - - - - - - ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff - - - - - - - - - - - ContostoITEKU - - 1.3.6.1.4.1.311.42.1.15 - - - - - - - - - ContostoITEKU - - - - - Example1 - - - true - - - - - - - - - - - -``` - -> [!NOTE] -> The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** - -Alternatively you can use the following procedure to create an EAP Configuration XML. - -1. Follow steps 1 through 7 in [EAP configuration](mdm/eap-configuration.md). - -2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.). - - :::image type="content" alt-text="vpn selfhost properties window." source="images/certfiltering1.png"::: - - > [!NOTE] - > For PEAP or TTLS, select the appropriate method and continue following this procedure. - -3. Click the **Properties** button underneath the drop-down menu. - -4. 
In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. - - :::image type="content" alt-text="smart card or other certificate properties window." source="images/certfiltering2.png"::: - -5. In the **Configure Certificate Selection** menu, adjust the filters as needed. - - :::image type="content" alt-text="configure certificate selection window." source="images/certfiltering3.png"::: - -6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. - -7. Close the rasphone dialog box. - -8. Continue following the procedure in [EAP configuration](mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering. - -> [!NOTE] -> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)). - -### MDM client will immediately check in with the MDM server after client renews WNS channel URI - -After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. - -### User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices - -In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. 
- -### Requirements to note for VPN certificates also used for Kerberos Authentication - -If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. - -### Device management agent for the push-button reset is not working - -The DM agent for [push-button reset](/windows-hardware/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. - -## Frequently Asked Questions - -### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11? - -No. Only one MDM is allowed. - -### How do I set the maximum number of Azure Active Directory-joined devices per user? - -1. Sign in to the portal as tenant admin: https://portal.azure.com. -2. Select Active Directory on the left pane. -3. Choose your tenant. -4. Select **Configure**. -5. Set quota to unlimited. - - :::image type="content" alt-text="aad maximum joined devices." source="images/faq-max-devices.png"::: - -### What is dmwappushsvc? - -Entry | Description ---------------- | -------------------- -What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. 
It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
-What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry.|
-How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail.|
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
deleted file mode 100644
index 0adc1b4483..0000000000
--- a/windows/client-management/new-policies-for-windows-10.md
+++ /dev/null
@@ -1,517 +0,0 @@
----
-title: New policies for Windows 10 (Windows 10)
-description: Learn how Windows 10 includes new policies for management, like Group Policy settings for the Windows system and components.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.prod: windows-client
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 09/15/2021
-ms.topic: reference
-ms.technology: itpro-manage
----
-
-# New policies for Windows 10
-
-
-**Applies to**
-
-- Windows 10
-- Windows 11
-
-As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
-
-For example, searching for "Windows 2004" + "Group Policy Settings Reference Spreadsheet" in a web browser will return to you the link to download the Group Policy Settings Reference Spreadsheet for Windows 2004.
-
-The latest [group policy reference for Windows 10 version 2004 is available here](https://www.microsoft.com/download/101451).
-
-## New Group Policy settings in Windows 10, version 1903
-
-The following Group Policy settings were added in Windows 10, version 1903:
-
-**System**
-
-- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
-- System\Storage Sense\Allow Storage Sense
-- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
-- System\Storage Sense\Configure Storage Sense
-- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
-- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
-- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
-- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
-
-
-**Windows Components**
-
-- Windows Components\App Privacy\Let Windows apps activate with voice
-- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
-- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
-- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics
-- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
-- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
-- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
-- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
-- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
-
-## New Group Policy settings in Windows 10, version 1809
-
-The following Group Policy settings were added in Windows 10, version 
1809: - -**Start Menu and Taskbar** - -- Start Menu and Taskbar\Force Start to be either full screen size or menu size -- Start Menu and Taskbar\Remove "Recently added" list from Start Menu -- Start Menu and Taskbar\Remove All Programs list from the Start menu -- Start Menu and Taskbar\Remove frequent programs list from the Start Menu - -**System** - -- System\Group Policy\Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services -- System\Group Policy\Configure Applications preference extension policy processing -- System\Group Policy\Configure Data Sources preference extension policy processing -- System\Group Policy\Configure Devices preference extension policy processing -- System\Group Policy\Configure Drive Maps preference extension policy processing -- System\Group Policy\Configure Environment preference extension policy processing -- System\Group Policy\Configure Files preference extension policy processing -- System\Group Policy\Configure Folder Options preference extension policy processing -- System\Group Policy\Configure Folders preference extension policy processing -- System\Group Policy\Configure Ini Files preference extension policy processing -- System\Group Policy\Configure Internet Settings preference extension policy processing -- System\Group Policy\Configure Local Users and Groups preference extension policy processing -- System\Group Policy\Configure Network Options preference extension policy processing -- System\Group Policy\Configure Network Shares preference extension policy processing -- System\Group Policy\Configure Power Options preference extension policy processing -- System\Group Policy\Configure Printers preference extension policy processing -- System\Group Policy\Configure Regional Options preference extension policy processing -- System\Group Policy\Configure Registry preference extension policy processing -- System\Group Policy\Configure Scheduled Tasks preference extension policy 
processing -- System\Group Policy\Configure Services preference extension policy processing -- System\Group Policy\Configure Shortcuts preference extension policy processing -- System\Group Policy\Configure Start Menu preference extension policy processing -- System\Group Policy\Logging and tracing\Configure Applications preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Data Sources preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Devices preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Drive Maps preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Environment preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Files preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Folder Options preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Folders preference logging and tracing -- System\Group Policy\Logging and tracing\Configure INI Files preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Internet Settings preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Local Users and Groups preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Network Options preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Network Shares preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Power Options preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Printers preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Regional Options preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Registry preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Scheduled Tasks preference logging and 
tracing -- System\Group Policy\Logging and tracing\Configure Services preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Shortcuts preference logging and tracing -- System\Group Policy\Logging and tracing\Configure Start Menu preference logging and tracing -- System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection -- System\OS Policies\Allow Clipboard History -- System\OS Policies\Allow Clipboard synchronization across devices - -**Windows Components** - -- Windows Components\Data Collection and Preview Builds\Configure Microsoft 365 Update Readiness upload endpoint -- Windows Components\Data Collection and Preview Builds\Disable deleting diagnostic data -- Windows Components\Data Collection and Preview Builds\Disable diagnostic data viewer -- Windows Components\Delivery Optimization\[Reserved for future use] Cache Server Hostname -- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\DFS Management -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\File Server Resource Manager -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Share and Storage Management -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Storage Manager for SANs -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\DFS Management Extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Disk Management Extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\File Server Resource Manager Extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Share and Storage Management Extension -- Windows 
Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension snap-ins\Storage Manager for SANS Extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Management Editor -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Group Policy Starter GPO Editor -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Application snap-ins -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Applications preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Computers) -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Control Panel Settings (Users) -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Data Sources preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Devices preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Drive Maps preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Environment preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Files preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference 
snap-in extensions\Permit use of Folder Options preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Folders preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Ini Files preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Internet Settings preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Local Users and Groups preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Options preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Network Shares preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Power Options preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Preferences tab -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Printers preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Regional Options preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Registry preference extension -- Windows Components\Microsoft Management 
Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Scheduled Tasks preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Services preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Shortcuts preference extension -- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Preference snap-in extensions\Permit use of Start Menu preference extension -- Windows Components\OOBE\Don't launch privacy settings experience on user logon -- Windows Components\OOBE\Don't launch privacy settings experience on user logon -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Do not use Remote Desktop Session Host server IP address when virtual IP address is not available -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Select the network adapter to be used for Remote Desktop IP Virtualization -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn off Windows Installer RDS Compatibility -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility\Turn on Remote Desktop IP Virtualization -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow remote start of unlisted programs -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Turn off Fair Share CPU Scheduling -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Allow time zone redirection -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection\Do not allow Clipboard redirection -- Windows 
Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection\Redirect only the default client printer -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker\Use RD Connection Broker load balancing -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Allow desktop composition for remote desktop sessions -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Always show desktop on connection -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Do not allow font smoothing -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remove remote desktop wallpaper -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\Set time limit for logoff of RemoteApp sessions -- Windows Components\Microsoft Defender Antivirus\Configure detection for potentially unwanted applications -- Windows Components\Microsoft Defender Antivirus\Scan\Configure low CPU priority for scheduled scans -- Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard -- Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard -- Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user’s device -- Windows Components\Windows Defender Application Guard\Configure additional sources for untrusted files in Windows Defender Application 
Guard -- Windows Components\Windows Hello for Business\Use Windows Hello for Business certificates as smart card certificates -- Windows Components\Windows Media Player\Do Not Show First Use Dialog Boxes -- Windows Components\Windows Media Player\Prevent Automatic Updates -- Windows Components\Windows Media Player\Prevent CD and DVD Media Information Retrieval -- Windows Components\Windows Media Player\Prevent Desktop Shortcut Creation -- Windows Components\Windows Media Player\Prevent Media Sharing -- Windows Components\Windows Media Player\Prevent Music File Media Information Retrieval -- Windows Components\Windows Media Player\Prevent Quick Launch Toolbar Shortcut Creation -- Windows Components\Windows Media Player\Prevent Radio Station Preset Retrieval -- Windows Components\Windows Media Player\Prevent Video Smoothing -- Windows Components\Windows Media Player\Networking\Configure HTTP Proxy -- Windows Components\Windows Media Player\Networking\Configure MMS Proxy -- Windows Components\Windows Media Player\Networking\Configure Network Buffering -- Windows Components\Windows Media Player\Networking\Configure RTSP Proxy -- Windows Components\Windows Media Player\Networking\Hide Network Tab -- Windows Components\Windows Media Player\Networking\Streaming Media Protocols -- Windows Components\Windows Media Player\Playback\Allow Screen Saver -- Windows Components\Windows Media Player\Playback\Prevent Codec Download -- Windows Components\Windows Media Player\User Interface\Do Not Show Anchor -- Windows Components\Windows Media Player\User Interface\Hide Privacy Tab -- Windows Components\Windows Media Player\User Interface\Hide Security Tab -- Windows Components\Windows Media Player\User Interface\Set and Lock Skin -- Windows Components\Windows Security\Account protection\Hide the Account protection area -- Windows Components\Windows Security\App and browser protection\Hide the App and browser protection area -- Windows Components\Windows Security\App and browser 
protection\Prevent users from modifying settings -- Windows Components\Windows Security\Device performance and health\Hide the Device performance and health area -- Windows Components\Windows Security\Device security\Disable the Clear TPM button -- Windows Components\Windows Security\Device security\Hide the Device security area -- Windows Components\Windows Security\Device security\Hide the Secure boot area -- Windows Components\Windows Security\Device security\Hide the Security processor (TPM) troubleshooter page -- Windows Components\Windows Security\Device security\Hide the TPM Firmware Update recommendation -- Windows Components\Windows Security\Enterprise Customization\Configure customized contact information -- Windows Components\Windows Security\Enterprise Customization\Configure customized notifications -- Windows Components\Windows Security\Enterprise Customization\Specify contact company name -- Windows Components\Windows Security\Enterprise Customization\Specify contact email address or Email ID -- Windows Components\Windows Security\Enterprise Customization\Specify contact phone number or Skype ID -- Windows Components\Windows Security\Enterprise Customization\Specify contact website -- Windows Components\Windows Security\Family options\Hide the Family options area -- Windows Components\Windows Security\Firewall and network protection\Hide the Firewall and network protection area -- Windows Components\Windows Security\Notifications\Hide all notifications -- Windows Components\Windows Security\Notifications\Hide non-critical notifications -- Windows Components\Windows Security\Systray\Hide Windows Security Systray -- Windows Components\Windows Security\Virus and threat protection\Hide the Ransomware data recovery area -- Windows Components\Windows Security\Virus and threat protection\Hide the Virus and threat protection area -- Windows Components\Windows Update\Display options for update notifications -- Windows Components\Windows Update\Remove access 
to "Pause updates" feature - -**Control Panel** - -- Control Panel\Settings Page Visibility -- Control Panel\Regional and Language Options\Allow users to enable online speech recognition services - -**Network** - -- Network\Windows Connection Manager\Enable Windows to soft-disconnect a computer from a network - - -## New Group Policy settings in Windows 10, version 1803 - -The following Group Policy settings were added in Windows 10, version 1803: - -**System** - -- System\Credentials Delegation\Encryption Oracle Remediation -- System\Group Policy\Phone-PC linking on this device -- System\OS Policies\Allow upload of User Activities - -**Windows Components** - -- Windows Components\App Privacy\Let Windows apps access an eye tracker device -- Windows Components\Cloud Content\Turn off Windows Spotlight on Settings -- Windows Components\Data Collection and Preview Builds\Allow device name to be sent in Windows diagnostic data -- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface -- Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in change notifications -- Windows Components\Delivery Optimization\Maximum Background Download Bandwidth (percentage) -- Windows Components\Delivery Optimization\Maximum Foreground Download Bandwidth (percentage) -- Windows Components\Delivery Optimization\Select the source of Group IDs -- Windows Components\Delivery Optimization\Delay background download from http (in secs) -- Windows Components\Delivery Optimization\Delay Foreground download from http (in secs) -- Windows Components\Delivery Optimization\Select a method to restrict Peer Selection -- Windows Components\Delivery Optimization\Set Business Hours to Limit Background Download Bandwidth -- Windows Components\Delivery Optimization\Set Business Hours to Limit Foreground Download Bandwidth -- Windows Components\IME\Turn on Live Sticker -- Windows Components\Remote Desktop Services\Remote Desktop Session 
Host\Device and Resource Redirection\Do not allow video capture redirection -- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use hardware graphics adapters for all Remote Desktop Services sessions -- Windows Components\Search\Allow Cortana Page in OOBE on an Azure Active Directory account -- Windows Components\Store\Disable all apps from Microsoft Store -- Windows Components\Text Input\Allow Uninstallation of Language Features -- Windows Components\Text Input\Improve inking and typing recognition -- Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard -- Windows Components\Windows Defender Security Center\Account protection\Hide the Account protection area -- Windows Components\Windows Defender Security Center\Device security\Hide the Device security area -- Windows Components\Windows Defender Security Center\Device security\Hide the Security processor (TPM) troubleshooter page -- Windows Components\Windows Defender Security Center\Device security\Hide the Secure boot area -- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Ransomware data recovery area - - -## New Group Policy settings in Windows 10, version 1709 - -The following Group Policy settings were added in Windows 10, version 1709: - -**Control Panel** - -- Control Panel\Allow Online Tips - -**Network** - -- Network\Network Connectivity Status Indicator\Specify global DNS -- Network\WWAN Service\WWAN UI Settings\Set Per-App Cellular Access UI Visibility -- Network\WWAN Service\Cellular Data Access\Let Windows apps access cellular data - -**System** - -- System\Device Health Attestation Service\Enable Device Health Attestation Monitoring and Reporting -- System\OS Policies\Enables Activity Feed -- System\OS Policies\Allow publishing of User Activities -- System\Power Management\Power Throttling Settings\Turn off Power Throttling -- 
System\Storage Health\Allow downloading updates to the Disk Failure Prediction Model -- System\Trusted Platform Module Services\Configure the system to clear the TPM if it is not in a ready state. - -**Windows Components** - -- Windows Components\App Privacy\Let Windows apps communicate with unpaired devices -- Windows Components\Data Collection and Preview Builds\Limit Enhanced diagnostic data to the minimum required by Windows Analytics -- Windows Components\Handwriting\Handwriting Panel Default Mode Docked -- Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing\Hide the button (next to the New Tab button) that opens Microsoft Edge -- Windows Components\MDM\Auto MDM Enrollment with Azure Active Directory Token -- Windows Components\Messaging\Allow Message Service Cloud Sync -- Windows Components\Microsoft Edge\Always show the Books Library in Microsoft Edge -- Windows Components\Microsoft Edge\Provision Favorites -- Windows Components\Microsoft Edge\Prevent changes to Favorites on Microsoft Edge -- Windows Components\Microsoft FIDO Authentication\Enable usage of FIDO devices to sign on -- Windows Components\OneDrive\Prevent OneDrive from generating network traffic until the user signs in to OneDrive -- Windows Components\Push To Install\Turn off Push To Install service -- Windows Components\Search\Allow Cloud Search -- Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard -- Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Network Protection\Prevent users and apps from accessing dangerous websites -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure Controlled folder access -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack 
Surface Reduction\Configure Attack Surface Reduction rules -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Attack Surface Reduction\Exclude files and paths from Attack Surface Reduction Rules -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure allowed applications -- Windows Components\Microsoft Defender Antivirus\Windows Defender Exploit Guard\Controlled Folder Access\Configure protected folders -- Windows Components\Windows Defender Exploit Guard\Exploit Protection\Use a common set of exploit protection settings -- Windows Components\Windows Defender Security Center\Virus and threat protection\Hide the Virus and threat protection area -- Windows Components\Windows Defender Security Center\Firewall and network protection\Hide the Firewall and network protection area -- Windows Components\Windows Defender Security Center\App and browser protection\Hide the App and browser protection area -- Windows Components\Windows Defender Security Center\App and browser protection\Prevent users from modifying settings -- Windows Components\Windows Defender Security Center\Device performance and health\Hide the Device performance and health area -- Windows Components\Windows Defender Security Center\Family options\Hide the Family options area -- Windows Components\Windows Defender Security Center\Notifications\Hide all notifications -- Windows Components\Windows Defender Security Center\Notifications\Hide non-critical notifications -- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized notifications -- Windows Components\Windows Defender Security Center\Enterprise Customization\Configure customized contact information -- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact company name -- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact phone number or 
Skype ID
-- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact email address or Email ID
-- Windows Components\Windows Defender Security Center\Enterprise Customization\Specify contact website
-- Windows Components\Windows Hello for Business\Configure device unlock factors
-- Windows Components\Windows Hello for Business\Configure dynamic lock factors
-- Windows Components\Windows Hello for Business\Turn off smart card emulation
-- Windows Components\Windows Hello for Business\Allow enumeration of emulated smart card for all users
-- Windows Components\Windows Update\Allow updates to be downloaded automatically over metered connections
-- Windows Components\Windows Update\Do not allow update deferral policies to cause scans against Windows Update
-
-
-## New Group Policy settings in Windows 10, version 1703
-
-The following Group Policy settings were added in Windows 10, version 1703:
-
-**Control Panel**
-
-- Control Panel\Add or Remove Programs\Specify default category for Add New Programs
-- Control Panel\Add or Remove Programs\Hide the "Add a program from CD-ROM or floppy disk" option
-- Control Panel\Personalization\Prevent changing lock screen and logon image
-
-**Network**
-
-- Network\Background Intelligent Transfer Service (BITS)\Limit the maximum network bandwidth for BITS background transfers
-- Network\Background Intelligent Transfer Service (BITS)\Allow BITS Peercaching
-- Network\Background Intelligent Transfer Service (BITS)\Limit the age of files in the BITS Peercache
-- Network\Background Intelligent Transfer Service (BITS)\Limit the BITS Peercache size
-- Network\DNS Client\Allow NetBT queries for fully qualified domain names
-- Network\Network Connections\Prohibit access to properties of components of a LAN connection
-- Network\Network Connections\Ability to Enable/Disable a LAN connection
-- Network\Offline Files\Turn on economical application of administratively assigned Offline Files
-- Network\Offline Files\Configure slow-link mode
-- Network\Offline Files\Enable Transparent Caching
-- Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds\Set the Seed Server
-- Network\Microsoft Peer-to-Peer Networking Services\Disable password strength validation for Peer Grouping
-
-**System**
-
-- System\App-V\Streaming\Location Provider
-- System\App-V\Streaming\Certificate Filter For Client SSL
-- System\Credentials Delegation\Allow delegating default credentials with NTLM-only server authentication
-- System\Ctrl+Alt+Del Options\Remove Change Password
-- System\Ctrl+Alt+Del Options\Remove Lock Computer
-- System\Ctrl+Alt+Del Options\Remove Task Manager
-- System\Ctrl+Alt+Del Options\Remove Logoff
-- System\Device Installation\Do not send a Windows error report when a generic driver is installed on a device
-- System\Device Installation\Prevent Windows from sending an error report when a device driver requests additional software during installation
-- System\Locale Services\Disallow user override of locale settings
-- System\Logon\Do not process the legacy run list
-- System\Logon\Always use custom logon background
-- System\Logon\Do not display network selection UI
-- System\Logon\Block user from showing account details on sign-in
-- System\Logon\Turn off app notifications on the lock screen
-- System\User Profiles\Establish timeout value for dialog boxes
-- System\Enable Windows NTP Server\Windows Time Service\Enable Windows NTP Client
-
-**Windows Components**
-
-- Windows Components\ActiveX Installer Service\Approved Installation Sites for ActiveX Controls
-- Windows Components\ActiveX Installer Service\Establish ActiveX installation policy for sites in Trusted zones
-- Windows Components\Application Compatibility\Turn off Application Compatibility Engine
-- Windows Components\Application Compatibility\Turn off Program Compatibility Assistant
-- Windows Components\Application Compatibility\Turn off Steps Recorder
-- Windows Components\Attachment Manager\Notify antivirus programs when opening attachments
-- Windows Components\Biometrics\Allow the use of biometrics
-- Windows Components\NetMeeting\Disable Whiteboard
-- Windows Components\Data Collection and Preview Builds\Configure the Commercial ID
-- Windows Components\File Explorer\Display the menu bar in File Explorer
-- Windows Components\File History\Turn off File History
-- Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Play animations in web pages
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Turn on Cross-Site Scripting Filter
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone\Turn on Cross-Site Scripting Filter
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Run ActiveX controls and plugins
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone\Script ActiveX controls marked safe for scripting
-- Windows Components\Internet Explorer\Accelerators\Restrict Accelerators to those deployed through Group Policy
-- Windows Components\Internet Explorer\Compatibility View\Turn on Internet Explorer 7 Standards Mode
-- Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider
-- Windows Components\Microsoft Account\Block all consumer Microsoft account user authentication
-- Windows Components\Microsoft Edge\Configure Autofill
-- Windows Components\Microsoft Edge\Allow Developer Tools
-- Windows Components\Microsoft Edge\Configure Do Not Track
-- Windows Components\Microsoft Edge\Allow InPrivate browsing
-- Windows Components\Microsoft Edge\Configure Password Manager
-- Windows Components\Microsoft Edge\Configure Pop-up Blocker
-- Windows Components\Microsoft Edge\Allow search engine customization
-- Windows Components\Microsoft Edge\Configure search suggestions in Address bar
-- Windows Components\Microsoft Edge\Set default search engine
-- Windows Components\Microsoft Edge\Configure additional search engines
-- Windows Components\Microsoft Edge\Configure the Enterprise Mode Site List
-- Windows Components\Microsoft Edge\Prevent using Localhost IP address for WebRTC
-- Windows Components\Microsoft Edge\Configure Start pages
-- Windows Components\Microsoft Edge\Disable lockdown of Start pages
-- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites
-- Windows Components\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files
-- Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\.Net Framework Configuration
-- Windows Components\Windows Installer\Prohibit use of Restart Manager
-- Windows Components\Desktop Gadgets\Restrict unpacking and installation of gadgets that are not digitally signed.
-- Windows Components\Desktop Gadgets\Turn Off user-installed desktop gadgets
-- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage
-- Windows Components\OneDrive\Prevent the usage of OneDrive for file storage on Windows 8.1
-- Windows Components\OneDrive\Prevent OneDrive files from syncing over metered connections
-- Windows Components\OneDrive\Save documents to OneDrive by default
-- Windows Components\Smart Card\Allow certificates with no extended key usage certificate attribute
-- Windows Components\Smart Card\Turn on certificate propagation from smart card
-- Windows Components\Tablet PC\Pen UX Behaviors\Prevent flicks
-- Windows Components\BitLocker Drive Encryption\Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
-- Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring
-- Windows Components\Microsoft Defender Antivirus\Signature Updates\Define file shares for downloading definition updates
-- Windows Components\Microsoft Defender Antivirus\Signature Updates\Turn on scan after signature update
-- Windows Components\File Explorer\Display confirmation dialog when deleting files
-- Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone\Allow OpenSearch queries in File Explorer
-- Windows Components\Windows Update\Remove access to use all Windows Update features
-- Windows Components\Windows Update\Configure Automatic Updates
-- Windows Components\Windows Update\Specify intranet Microsoft update service location
-- Windows Components\Windows Update\Automatic Updates detection frequency
-- Windows Components\Windows Update\Allow non-administrators to receive update notifications
-- Windows Components\Windows Update\Allow Automatic Updates immediate installation
-- Windows Components\Windows Update\Turn on recommended updates via Automatic Updates
-- Windows Components\Shutdown Options\Turn off legacy remote shutdown interface
-
-
-For a spreadsheet of Group Policy settings included in Windows 10 and Windows Server 2016, see [Group Policy Settings Reference for Windows and Windows Server](https://go.microsoft.com/fwlink/p/?LinkId=613627).
-
-## New MDM policies
-
-Mobile device management (MDM) for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education include previous Windows Phone settings, and new or enhanced settings for Windows 10, such as:
-
-- Defender (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education only)
-
-- Enhanced Bluetooth policies
-
-- Passport and Hello
-
-- Device update
-
-- Hardware-based device health attestation
-
-- [Kiosk mode](/windows/configuration/set-up-a-device-for-anyone-to-use), start screen, start menu layout
-
-- Security
-
-- [VPN](/windows/security/identity-protection/vpn/vpn-profile-options) and enterprise Wi-Fi management
-
-- Certificate management
-
-- Windows Tips
-
-- Consumer experiences, such as suggested apps in Start and app tiles from Microsoft dynamically inserted in the default Start menu
-
-Windows 10, version 1703, adds a number of [ADMX-backed policies to MDM](./mdm/policy-configuration-service-provider.md).
-
-If you use Microsoft Intune for MDM, you can [configure custom policies](/mem/intune/configuration/custom-settings-configure) to deploy Open Mobile Alliance Uniform Resource Identifier (OMA-URI) settings that can be used to control features on Windows 10. For a list of OMA-URI settings, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10).
-
-No new [Exchange ActiveSync policies](/exchange/mobile-device-mailbox-policies-exchange-2013-help). For more information, see the [ActiveSync configuration service provider](./mdm/activesync-csp.md) technical reference.
- -## Related topics - -[Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946) - -[Manage corporate devices](manage-corporate-devices.md) - -[Changes to Group Policy settings for Start in Windows 10](/windows/configuration/changes-to-start-policies-in-windows-10) diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md index d87cd9db0c..521d15c082 100644 --- a/windows/client-management/oma-dm-protocol-support.md +++ b/windows/client-management/oma-dm-protocol-support.md @@ -1,7 +1,7 @@ --- title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,9 +9,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- - # OMA DM protocol support The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/OMA-TS-DM_Protocol-V1_2-20070209-A.pdf). @@ -30,10 +32,8 @@ The following table shows the OMA DM standards that Windows uses. |Nodes|In the OMA DM tree, the following rules apply for the node name:
  • "." can be part of the node name.
  • The node name can't be empty.
  • The node name can't be only the asterisk (`*`) character.| |Provisioning Files|Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf).

    If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
    **Note**
    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
    | |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.| -|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| +|Handling of large objects|In Windows 10, client support for uploading large objects to the server was added.| - - ## OMA DM protocol common elements Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). @@ -51,7 +51,7 @@ Common elements are used by other OMA DM element types. The following table list |MsgID|Specifies a unique identifier for an OMA DM session message.| |MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| |RespURI|Specifies the URI that the recipient must use when sending a response to this message.| -|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.
    | +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows, the device client returns 2 bytes.
    | |Source|Specifies the message source address.| |SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| |Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| @@ -68,26 +68,27 @@ A short DM session can be summarized as: A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents. A DM session can be divided into two phases: -1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. -2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. + +1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. +1. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase 2 ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. The following information shows the sequence of events during a typical DM session. -1. DM client is invoked to call back to the management server

    Enterprise scenario – The device task schedule invokes the DM client. +1. DM client is invoked to call back to the management server

    Enterprise scenario - The device task schedule invokes the DM client. The MO server sends a server trigger message to invoke the DM client. The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

    Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. -2. The device sends a message, over an IP connection, to initiate the session. +1. The device sends a message, over an IP connection, to initiate the session. This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. -3. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. +1. The DM server responds, over an IP connection (HTTPS). The server sends initial device management commands, if any. -4. The device responds to server management commands. This message includes the results of performing the specified device management operations. +1. The device responds to server management commands. This message includes the results of performing the specified device management operations. -5. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. +1. The DM server terminates the session or sends another command. The DM session ends, or Step 4 is repeated. The step numbers don't represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each extra message. For more information about MsgID and OMA SyncML protocol, see [OMA Device Management Representation Protocol (DM_RepPro-V1_2-20070209-A)](https://www.openmobilealliance.org/release/DM/V1_2-20070209-A/). 
@@ -97,7 +98,6 @@ If a request includes credentials and the response code to the request is 200, t For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/). - ## User targeted vs. Device targeted configuration For CSPs and policies that support per user configuration, the MDM server can send user targeted setting values to the device that a MDM-enrolled user is actively logged into. The device notifies the server of the sign-in status via a device alert (1224) with Alert type = in DM pkg\#1. @@ -130,8 +130,6 @@ The following LocURL shows a per user CSP node configuration: `./user/vendor/MSF The following LocURL shows a per device CSP node configuration: `./device/vendor/MSFT/RemoteWipe/DoWipe` - - ## SyncML response status codes When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you're likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md index daf5a628d7..8e72627af0 100644 --- a/windows/client-management/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/on-premise-authentication-device-enrollment.md 
@@ -1,65 +1,61 @@ --- title: On-premises authentication device enrollment description: This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # On-premises authentication device enrollment -This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). -## In this topic - -- [On-premises authentication device enrollment](#on-premises-authentication-device-enrollment) - - [In this topic](#in-this-topic) - - [Discovery service](#discovery-service) - - [Enrollment policy web service](#enrollment-policy-web-service) - - [Enrollment web service](#enrollment-web-service) - -For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> [!NOTE] +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery service The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. 
The service is a restful web service over HTTPS (server authentication only). > [!NOTE] -> The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. +> The administrator of the discovery service must create a host with the address `enterpriseenrollment..com`. -The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc +The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain **enterpriseenrollment** to the domain of the email address, and by appending the path `/EnrollmentServer/Discovery.svc`. For example, if the email address is `sample@contoso.com`, the resulting URI for first Get request would be: `http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc`. The first request is a standard HTTP GET request. The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address. 
-``` +```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc Content Type: unknown Header Byte Count: 153 Body Byte Count: 0 ``` -``` +```http GET /EnrollmentServer/Discovery.svc HTTP/1.1 User-Agent: Windows Phone 8 Enrollment Client Host: EnterpriseEnrollment.contoso.com Pragma: no-cache ``` -``` +```http Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc Content Type: text/html Header Byte Count: 248 Body Byte Count: 0 ``` -``` +```http HTTP/1.1 200 OK Connection: Keep-Alive Pragma: no-cache 
@@ -68,18 +64,18 @@ Content-Type: text/html Content-Length: 0 ``` -After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server. +After the device gets a response from the server, the device sends a POST request to `enterpriseenrollment./EnrollmentServer/Discovery.svc`. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to `enterpriseenrollment.` enrollment server. The following logic is applied: -1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. -2. If that fails, the device tries HTTP to see whether it is redirected: - - If the device is not redirected, it prompts the user for the server address. - - If the device is redirected, it prompts the user to allow the redirect. +1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. +1. If that fails, the device tries HTTP to see whether it is redirected: + - If the device is not redirected, it prompts the user for the server address. + - If the device is redirected, it prompts the user to allow the redirect. The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address: -``` +```http https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc ``` 
@@ -124,9 +120,9 @@ If a domain and user name are provided by the user instead of an email address, The discovery response is in the XML format and includes the following fields: -- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. -- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. -- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. +- Enrollment service URL (EnrollmentServiceUrl) - Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. +- Authentication policy (AuthPolicy) - Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. > [!NOTE] > The HTTP server response must not be chunked; it must be sent as one message. 
@@ -171,42 +167,42 @@ For the OnPremise authentication policy, the UsernameToken in GetPolicies contai The following example shows the policy web service request. ```xml - - - - http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies - - urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 - - http://www.w3.org/2005/08/addressing/anonymous - - - https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC - - - - user@contoso.com - mypassword - - - - - - - - - - - - - + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + user@contoso.com + mypassword + + + + + + + + + + + + + ``` After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN. 
@@ -301,7 +297,7 @@ This web service implements the MS-WSTEP protocol. It processes the RequestSecur The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully. -The RequestSecurityToken will use a custom TokenType (http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. +The RequestSecurityToken will use a custom TokenType (`http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken`), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. @@ -311,11 +307,11 @@ The RST may also specify a number of AdditionalContext items, such as DeviceType The following example shows the enrollment web service request for OnPremise authentication. ```xml - 
@@ -344,8 +340,8 @@ The following example shows the enrollment web service request for OnPremise aut http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue - DER format PKCS#10 certificate request in Base64 encoding Insterted Here @@ -383,7 +379,6 @@ The following example shows the enrollment web service request for OnPremise aut 7BA748C8-703E-4DF2-A74A-92984117346A - True @@ -396,8 +391,8 @@ The following example shows the enrollment web service request for OnPremise aut The following example shows the enrollment web service response. ```xml - @@ -413,14 +408,15 @@ The following example shows the enrollment web service response. - http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken - - + + B64EncodedSampleBinarySecurityToken - + 0 @@ -440,7 +436,7 @@ The following example shows the enrollment web service response. The following example shows the encoded provisioning XML. -``` +```xml @@ -452,17 +448,17 @@ The following example shows the encoded provisioning XML. - + - - + + - + @@ -505,7 +501,7 @@ The following example shows the encoded provisioning XML. - + @@ -513,7 +509,7 @@ The following example shows the encoded provisioning XML. - ``` diff --git a/windows/client-management/push-notification-windows-mdm.md b/windows/client-management/push-notification-windows-mdm.md index 712795c303..b1094d670f 100644 --- a/windows/client-management/push-notification-windows-mdm.md +++ b/windows/client-management/push-notification-windows-mdm.md 
@@ -1,84 +1,58 @@
 ---
 title: Push notification support for device management
 description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-MS-HAID:
- - 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management'
- - 'p\_phDeviceMgmt.push\_notification\_windows\_mdm'
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
-ms.date: 09/22/2017
+ms.date: 04/05/2023
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
-
 # Push notification support for device management
-The [DMClient CSP](mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
+The [DMClient CSP](mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/windows/apps/design/shell/tiles-and-notifications/windows-push-notification-services--wns--overview), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device. For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification). -Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](/previous-versions/windows/apps/jj676791(v=win.10)). +Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview](/windows/apps/design/shell/tiles-and-notifications/raw-notification-overview). The following restrictions are related to push notifications and WNS: -- Push for device management uses raw push notifications. 
This restriction means that these raw push notifications don't support or utilize push notification payloads. -- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. -- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired. -- Push isn't a replacement for having a polling schedule. -- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. -- On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel. +- Push for device management uses raw push notifications. This restriction means that these raw push notifications don't support or utilize push notification payloads. +- Receipt of push notifications is sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. 
Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. +- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It's strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server won't attempt to use a ChannelURI that has expired. +- Push isn't a replacement for having a polling schedule. +- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. - To work around this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. +- In Windows 10, version 1511, we use the following retry logic for the DMClient: -- On Windows 10, version 1511, we use the following retry logic for the DMClient: - - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left. - - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now. - - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now. - - -- On Windows 10, version 1607, we check for network connectivity before retrying. We don't check for internet connectivity. 
If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again. + - If ExpiryTime is greater than 15 days, a schedule is set for when 15 days are left. + - If ExpiryTime is between now and 15 days, a schedule set for 4 +/- 1 hours from now. + - If ExpiryTime has passed, a schedule is set for 1 day +/- 4 hours from now. +- In Windows 10, version 1607 and later, we check for network connectivity before retrying. We don't check for internet connectivity. If network connectivity isn't available, we'll skip the retry and set schedule for 4+/-1 hours to try again. ## Get WNS credentials and PFN for MDM push notification To get a PFN and WNS credentials, you must create a Microsoft Store app. -1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. +1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. +1. Select **Apps and games** under Workspaces. Create a **New product** and select **MSIX or PWA app**. +1. Reserve an app name. +1. Select **Product Identity** under Product Management to view the **Package Family Name (PFN)** of your app. +1. Select **WNS/MPNS** under Product Management. + 1. Click the **App Registration portal** link. A new window opens showing your app in the Azure Portal. + 1. In the Application Registration Portal page, you'll see the properties for the app that you created, such as: + - Application ID + - Application Secrets + - Redirect URIs - ![mdm push notification1.](images/push-notification1.png) -2. Create a new app. - - ![mdm push notification2.](images/push-notification2.png) -3. Reserve an app name. - - ![mdm push notification3.](images/push-notification3.png) -4. Click **Services**. - - ![mdm push notification4.](images/push-notification4.png) -5. Click **Push notifications**. - - ![mdm push notification5.](images/push-notification5.png) -6. Click **Live Services site**. 
A new window opens for the **Application Registration Portal** page. - - ![mdm push notification6.](images/push-notification6.png) -7. In the **Application Registration Portal** page, you'll see the properties for the app that you created, such as: - - Application ID - - Application Secrets - - Microsoft Store Package SID, Application Identity, and Publisher. - - ![mdm push notification7.](images/push-notification7.png) -8. Click **Save**. -9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard. -10. Select your app from the list on the left. -11. From the left nav, expand **App management** and then click **App identity**. - - ![mdm push notification10.](images/push-notification10.png) -12. In the **App identity** page, you'll see the **Package Family Name (PFN)** of your app. - -  +For more information see, [Tutorial: Send notifications to Universal Windows Platform apps using Azure Notification Hubs](/azure/notification-hubs/notification-hubs-windows-store-dotnet-get-started-wns-push-notification). diff --git a/windows/client-management/register-your-free-azure-active-directory-subscription.md b/windows/client-management/register-your-free-azure-active-directory-subscription.md deleted file mode 100644 index 2d326ac269..0000000000 --- a/windows/client-management/register-your-free-azure-active-directory-subscription.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: Register your free Azure Active Directory subscription -description: Paid subscribers to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, have a free subscription to Azure AD. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 ---- - -# Register your free Azure Active Directory subscription - -If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription. - -> **Note**  If you don't have any Microsoft service that comes with a free Azure AD subscription, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. - -  -## Register your free Azure Active Directory subscription - -1. Sign in to the Microsoft 365 admin center at using your organization's account. - - ![screen to register azure-ad](images/azure-ad-add-tenant10.png) - -2. On the **Home** page, click on the Admin tools icon. - - ![screen for registering azure-ad](images/azure-ad-add-tenant11.png) - -3. On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. You're taken to the Azure Active Directory portal. - - ![Azure-AD-updated.](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png) - - - -  - - - - - - diff --git a/windows/client-management/server-requirements-windows-mdm.md b/windows/client-management/server-requirements-windows-mdm.md index c0a307103f..30f628af50 100644 --- a/windows/client-management/server-requirements-windows-mdm.md 
+++ b/windows/client-management/server-requirements-windows-mdm.md
@@ -1,9 +1,6 @@
 ---
 title: Server requirements for using OMA DM to manage Windows devices
 description: Learn about the general server requirements for using OMA DM to manage Windows devices, including the supported versions of OMA DM.
-MS-HAID:
- - 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm'
- - 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm'
 ms.reviewer:
 manager: aaroncz
 ms.author: vinpa
@@ -12,29 +9,25 @@ ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 06/26/2017
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Server requirements for using OMA DM to manage Windows devices
 The following list shows the general server requirements for using OMA DM to manage Windows devices:
-- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
+- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
-- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store.
+- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate isn't issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store.
-- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
+- To authenticate the client at the application level, you must use either Basic or MD5 client authentication.
-- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
+- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session.
-- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash.
+- The MD5 binary nonce is sent over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900). -- The server must support HTTPS. - -  - - - - - +- The server must support HTTPS. diff --git a/windows/client-management/structure-of-oma-dm-provisioning-files.md b/windows/client-management/structure-of-oma-dm-provisioning-files.md index 5e5008f0eb..b3724368d3 100644 --- a/windows/client-management/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/structure-of-oma-dm-provisioning-files.md @@ -9,6 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Structure of OMA DM provisioning files @@ -65,17 +68,16 @@ The following example shows the general structure of the XML document sent by th SyncHdr includes the following information: -- Document Type Definition (DTD) and protocol version numbers +- Document Type Definition (DTD) and protocol version numbers -- Session and message identifiers. Each message in the same DM session must have a different MsgID. +- Session and message identifiers. Each message in the same DM session must have a different MsgID. -- Message source and destination Uniform Resource Identifiers (URIs) +- Message source and destination Uniform Resource Identifiers (URIs) -- Credentials for authentication +- Credentials for authentication This information is used to by the client device to properly manage the DM session. - **Code example** The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only. 
@@ -83,7 +85,7 @@ The following example shows the header component of a DM message. In this case, > [!NOTE] > The `` node value for the `` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](mdm/devinfo-csp.md). -  + ```xml diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 74837fc166..9a48d7372f 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml 
@@ -5,85 +5,70 @@ items: - name: Mobile device management (MDM) expanded: true items: - - name: Overview + - name: MDM overview + expanded: true items: - - name: MDM overview + - name: What is MDM? href: mdm-overview.md - - name: What's new in MDM enrollment and management + - name: What's new in MDM href: new-in-windows-mdm-enrollment-management.md - - name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md + - name: Azure Active Directory integration + href: azure-active-directory-integration-with-mdm.md + - name: Transitioning to modern management + href: manage-windows-10-in-your-organization-modern-management.md + - name: Push notification support + href: push-notification-windows-mdm.md + - name: MAM support + href: implement-server-side-mobile-application-management.md + - name: Enroll devices + expanded: false items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md - - name: Device enrollment - href: mobile-device-enrollment.md - items: - - name: MDM enrollment of Windows devices + - name: Enrollment overview + href: mobile-device-enrollment.md + - name: Manual enrollment href: mdm-enrollment-of-windows-devices.md - - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment" + - name: Automatic enrollment href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - - name: Enroll a Windows 10 device automatically using Group Policy + - name: Group policy enrollment href: enroll-a-windows-10-device-automatically-using-group-policy.md - name: Bulk enrollment href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Federated authentication device enrollment + - name: Federated authentication enrollment href: federated-authentication-device-enrollment.md - - name: Certificate 
authentication device enrollment + - name: Certificate authentication enrollment href: certificate-authentication-device-enrollment.md - - name: On-premises authentication device enrollment + - name: On-premises authentication enrollment href: on-premise-authentication-device-enrollment.md - - name: Disconnecting a device from MDM (unenrollment) - href: disconnecting-from-mdm-unenrollment.md - - name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md + - name: Manage devices + expanded: false items: - - name: Enterprise app management + - name: Manage settings + href: windows-mdm-enterprise-settings.md + - name: Manage apps href: enterprise-app-management.md - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Mobile device management (MDM) for device updates + - name: Manage updates href: device-update-management.md - name: Secured-Core PC Configuration Lock href: config-lock.md - name: Certificate renewal href: certificate-renewal-windows-mdm.md - - name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md - - name: Push notification support for device management - href: push-notification-windows-mdm.md - - name: MAM support for device management - href: implement-server-side-mobile-application-management.md + - name: eSIM management + href: esim-enterprise-management.md + - name: Diagnose MDM failures + expanded: false + items: + - name: Collect MDM logs + href: mdm-collect-logs.md + - name: Diagnose MDM enrollment + href: mdm-diagnose-enrollment.md + - name: Known issues + href: mdm-known-issues.md + - name: Unenroll devices + href: disconnecting-from-mdm-unenrollment.md - name: Configuration service provider reference href: mdm/index.yml - name: Client management tools and settings - items: - - name: Windows Tools/Administrative Tools - href: administrative-tools-in-windows-10.md - - name: Use Quick Assist to help users - href: quick-assist.md - 
- name: Connect to remote Azure Active Directory-joined PC - href: connect-to-remote-aadj-pc.md - - name: Create mandatory user profiles - href: mandatory-user-profile.md - - name: New policies for Windows 10 - href: new-policies-for-windows-10.md - - name: Windows 10 default media removal policy - href: change-default-removal-policy-external-storage-media.md - - name: Group Policies that apply only to Windows 10 Enterprise and Windows 10 Education - href: group-policies-for-enterprise-and-education-editions.md - - name: Manage Device Installation with Group Policy - href: manage-device-installation-with-group-policy.md - - name: Manage the Settings app with Group Policy - href: manage-settings-app-with-group-policy.md - - name: What version of Windows am I running - href: windows-version-search.md - - name: Transitioning to modern management - href: manage-windows-10-in-your-organization-modern-management.md - - name: Windows libraries - href: windows-libraries.md + expanded: true + href: client-tools/toc.yml - name: Troubleshoot Windows clients href: /troubleshoot/windows-client/welcome-windows-client - diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index 344d0eb5a7..dd0861e26c 100644 --- a/windows/client-management/understanding-admx-backed-policies.md +++ b/windows/client-management/understanding-admx-backed-policies.md 
@@ -1,28 +1,32 @@
 ---
 title: Understanding ADMX policies
-description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
+description: You can use ADMX policies for Windows mobile device management (MDM) across Windows devices.
 ms.author: vinpa
 ms.topic: article
 ms.prod: windows-client
 ms.technology: itpro-manage
 author: vinaypamnani-msft
 ms.date: 03/23/2020
-ms.reviewer:
+ms.reviewer:
 manager: aaroncz
+appliesto:
+- ✅ Windows 11
+- ✅ Windows 10
 ---
 # Understanding ADMX policies
 Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, the modern Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution.
-Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud.
+Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud.
-## Background
+## Background
 In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies.
In an ADMX policy, an administrative template contains the metadata of a Windows Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: + - OS settings: Computer Configuration/Administrative Templates - Application settings: User Configuration/Administrative Templates 
@@ -33,26 +37,27 @@ An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policy Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](mdm/policy-configuration-service-provider.md). - + -## ADMX files and the Group Policy Editor +## ADMX files and the Group Policy Editor To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. 
For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. Group Policy option button setting: + - If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. - - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. + - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. + - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. - If **Disabled** is selected and you click **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. - - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition. + - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. + - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition. - If **Not Configured** is selected and you click **Apply**, the following events occur: - - MDM ISV server sets up a Delete SyncML command. - - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition. + - MDM ISV server sets up a Delete SyncML command. 
+ - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition. The following diagram shows the main display for the Group Policy Editor. @@ -72,25 +77,26 @@ For more information about the Group Policy description format, see [Administrat For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you'll find the following occurrences: Enabling a policy example: + ```XML `` ``` Appv.admx file: + ```XML ``` - -## ADMX policy examples +## ADMX policy examples The following SyncML examples describe how to set an MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. The functionality that this Group Policy manages isn't important; it's used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. The payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +### Enabling a policy -### Enabling a policy +**Payload**: -**Payload** ```XML @@ -104,7 +110,9 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Request SyncML** + +**Request SyncML**: + ```XML @@ -138,7 +146,8 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Response SyncML** +**Response SyncML**: + ```XML 2 
@@ -149,14 +158,16 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -### Disabling a policy +### Disabling a policy + +**Payload**: -**Payload** ```XML ``` -**Request SyncML** +**Request SyncML**: + ```XML @@ -177,9 +188,10 @@ The following SyncML examples describe how to set an MDM policy that is defined -'''' +``` + +**Response SyncML**: -**Response SyncML** ```XML 2 @@ -190,13 +202,13 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -### Setting a policy to not configured +### Setting a policy to not configured -**Payload** +**Payload**: (None) -**Request SyncML** +**Request SyncML**: ```XML @@ -215,7 +227,7 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Response SyncML** +**Response SyncML**: ```XML 
@@ -227,35 +239,31 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -## Sample SyncML for various ADMX elements +## Sample SyncML for various ADMX elements This section describes sample SyncML for the various ADMX elements like Text, Multi-Text, Decimal, Boolean, and List. -### How a Group Policy policy category path and name are mapped to an MDM area and policy name +### How a Group Policy policy category path and name are mapped to an MDM area and policy name -Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. +Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. 
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//` The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and decoding the policy data [Coder's Toolbox](https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii). -**Snippet of manifest for AppVirtualization area:** +**Snippet of manifest for AppVirtualization area**: ```XML -. -. -. + ... -. -. -. + ... ``` The **LocURI** for the above GP policy is: @@ -264,11 +272,11 @@ The **LocURI** for the above GP policy is: To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. -### Text Element +### Text Element The `text` element simply corresponds to a string and correspondingly to an edit box in a policy panel display by gpedit.msc. The string is stored in the registry of type REG_SZ. -**ADMX file: inetres.admx** +**ADMX file: inetres.admx**: ```XML @@ -280,7 +288,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML 
@@ -304,9 +312,9 @@ The `text` element simply corresponds to a string and correspondingly to an edit ``` -### MultiText Element +### MultiText Element -The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc.  It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) +The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) ```XML ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -345,7 +353,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ``` -### List Element (and its variations) +### List Element (and its variations) The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this element is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It's best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This location will give you an idea of the way the name/value pairs are stored to express it through SyncML. @@ -354,7 +362,7 @@ The `list` element simply corresponds to a hive of REG_SZ registry strings and c Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It's expected that the MDM server manages the name/value pairs. See below for a simple write-up of Group Policy List. -**ADMX file: inetres.admx** +**ADMX file: inetres.admx**: ```XML 
@@ -366,7 +374,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -389,7 +397,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### No Elements +### No Elements ```XML @@ -398,7 +406,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -421,7 +429,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Enum +### Enum ```XML @@ -455,7 +463,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -477,7 +485,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Decimal Element +### Decimal Element ```XML ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -514,7 +522,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Boolean Element +### Boolean Element ```XML @@ -540,7 +548,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML diff --git a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md index 5c5b946138..d3ea09a030 100644 --- a/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md +++ b/windows/client-management/using-powershell-scripting-with-the-wmi-bridge-provider.md 
@@ -1,7 +1,7 @@ --- title: Using PowerShell scripting with the WMI Bridge Provider description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the WMI Bridge Provider. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,13 +9,15 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Using PowerShell scripting with the WMI Bridge Provider This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, and how to invoke methods through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). - ## Configuring per-device policy settings This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system"). @@ -42,7 +44,7 @@ The following script describes how to create, enumerate, query, modify, and dele $namespaceName = "root\cimv2\mdm\dmmap" $className = "MDM_Policy_Config01_WiFi02" -# Create a new instance for MDM_Policy_Config01_WiFi02 +# Create a new instance for MDM_Policy_Config01_WiFi02 New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID="./Vendor/MSFT/Policy/Config";InstanceID="WiFi";AllowInternetSharing=1;AllowAutoConnectToWiFiSenseHotspots=0;WLANScanMode=100} # Enumerate all instances available for MDM_Policy_Config01_WiFi02 
@@ -84,15 +86,13 @@ class MDM_Policy_User_Config01_Authentication02 }; ``` -> **Note**  If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. - -  +> [!NOTE] +> If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which isn't supported in native PowerShell cmdlets. -> **Note**   All commands must executed under local system. - -  +> [!NOTE] +> All commands must executed under local system. A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001. @@ -220,5 +220,3 @@ catch [Exception] ## Related topics [WMI Bridge Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) - -  \ No newline at end of file diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md index 830640d4c2..b6502accac 100644 --- a/windows/client-management/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md 
@@ -1,33 +1,27 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion -description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. +description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps. ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 03/23/2020 -ms.reviewer: +ms.reviewer: manager: aaroncz +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Win32 and Desktop Bridge app ADMX policy Ingestion -## In this section +## Overview -- [Overview](#overview) -- [Ingesting an app ADMX file](#ingesting-an-app-admx-file) -- [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy) -- [ADMX app policy examples](#admx-backed-app-policy-examples) - - [Enabling an app policy](#enabling-an-app-policy) - - [Disabling an app policy](#disabling-an-app-policy) - - [Setting an app policy to not configured](#setting-an-app-policy-to-not-configured) +You can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. -## Overview +Starting from the following Windows versions `Replace` command is supported: -Starting in Windows 10, version 1703, you can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. 
- -NOTE: Starting from the following Windows 10 version Replace command is supported - Windows 10, version 1903 with KB4512941 and KB4517211 installed - Windows 10, version 1809 with KB4512534 and KB installed - Windows 10, version 1803 with KB4512509 and KB installed @@ -57,17 +51,18 @@ When the ADMX policies are ingested, the registry keys to which each policy is w - software\Microsoft\Edge - Software\Microsoft\EdgeUpdate\ -> [!Warning] +> [!WARNING] > Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined. > [!NOTE] > Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). -## Ingesting an app ADMX file +## Ingesting an app ADMX file The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies. -**Payload** +**Payload**: + ```XML @@ -201,7 +196,7 @@ The following ADMX file example shows how to ingest a Win32 or Desktop Bridge ap ``` -**Request Syncml** +**Request Syncml**: The ADMX file is escaped and sent in SyncML format through the Policy CSP URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}`. When the ADMX file is imported, the policy states for each new policy are the same as those in a regular MDM policy: Enabled, Disabled, or Not Configured. 
@@ -360,12 +355,13 @@ The following example shows an ADMX file in SyncML format: ``` -**Response Syncml** +**Response Syncml**: + ```XML 21102Add200 ``` -### URI format for configuring an app policy +### URI format for configuring an app policy The following example shows how to derive a Win32 or Desktop Bridge app policy name and policy area name: @@ -394,10 +390,9 @@ The following example shows how to derive a Win32 or Desktop Bridge app policy n ``` -As documented in [Policy CSP](mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: -'./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'. +As documented in [Policy CSP](mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: `./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}`. -**User or device policy** +**User or device policy**: In the policy class, the attribute is defined as "User" and the URI is prefixed with `./user`. If the attribute value is "Machine", the URI is prefixed with `./device`. 
@@ -409,25 +404,28 @@ The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}. {CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3. Therefore, from the example: + - Class: User - Policy name: L_PolicyPreventRun_1 - Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 - URI: `./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1` -## ADMX-backed app policy examples +## ADMX-backed app policy examples The following examples describe how to set an ADMX-ingested app policy. -### Enabling an app policy +### Enabling an app policy + +**Payload**: -**Payload** ```XML ``` -**Request Syncml** +**Request Syncml**: + ```XML @@ -449,19 +447,22 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21103Replace200 ``` -### Disabling an app policy +### Disabling an app policy + +**Payload**: -**Payload** ```XML ``` -**Request SyncML** +**Request SyncML**: + ```XML @@ -483,18 +484,20 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21104Replace200 ``` -### Setting an app policy to not configured +### Setting an app policy to not configured -**Payload** +**Payload**: (None) -**Request SyncML** +**Request SyncML**: + ```XML @@ -511,7 +514,8 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21105Delete200 ``` diff --git a/windows/client-management/windows-mdm-enterprise-settings.md b/windows/client-management/windows-mdm-enterprise-settings.md index c773fbc2ea..82d1bf3135 100644 
--- a/windows/client-management/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/windows-mdm-enterprise-settings.md
@@ -1,32 +1,31 @@ --- -title: Enterprise settings, policies, and app management +title: Enterprise settings and policy management description: The DM client manages the interaction between a device and a server. Learn more about the client-server management workflow. -MS-HAID: - - 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' - - 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.date: 06/26/2017 +ms.date: 04/05/2023 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# Enterprise settings, policies, and app management +# Enterprise settings and policy management The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://technical.openmobilealliance.org/). -Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml). +Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](mdm/index.yml). -The DM client is configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server. +Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. 
The DM client is configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server. The following diagram shows the work flow between server and client. ![windows client and server mdm diagram.](images/enterprise-workflow.png) - ## Management workflow This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure. 
@@ -37,15 +36,7 @@ The DM client configuration, company policy enforcement, business application ma Here's a summary of the DM tasks supported for enterprise management: -- Company policy management: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage. -- Enterprise application management: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service. -- Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates. -- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service. - -  - - - - - - +- **Company policy management**: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage. 
+- **Enterprise application management**: This task is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It's used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service.
+- **Certificate management**: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates.
+- **Basic device inventory and asset management**: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This information is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service.
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
deleted file mode 100644
index 0ca2a86f1e..0000000000
--- a/windows/client-management/windows-version-search.md
+++ /dev/null
@@ -1,52 +0,0 @@
----
-title: What version of Windows am I running?
-description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel.
-keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build
-ms.prod: windows-client
-ms.mktglfcycl: manage
-ms.sitesec: library
-author: vinaypamnani-msft
-ms.author: vinpa
-ms.date: 04/30/2018
-ms.reviewer:
-manager: aaroncz
-ms.topic: troubleshooting
-ms.technology: itpro-manage
----
-
-# What version of Windows am I running?
-
-To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them.
-
-## System Properties
-Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu
-
-You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
-
-![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png)
-
-## Using Keyword Search
-You can type the following in the search bar and press **ENTER** to see version details for your device.
-
-**“winver”**
-
-![screenshot of the About Windows display text.](images/winver.png)
-
-**“msinfo”** or **"msinfo32"** to open **System Information**:
-
-![screenshot of the System Information display text.](images/msinfo32.png)
-
-## Using Command Prompt or PowerShell
-At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER**
-
-![screenshot of system information display text.](images/refcmd.png)
-
-At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
-
-![screenshot of software licensing manager.](images/slmgr_dlv.png)
-
-## What does it all mean?
-
-The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (you do have some limited search capabilities), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. It’s important to remember that the LTSC model is primarily for specialized devices.
-
-In the General Availability Channel, you can set feature updates as soon as Microsoft releases them. This servicing modal is ideal for pilot deployments and to test Windows 10 feature updates and for users like developers who need to work with the latest features immediately. Once you've tested the latest release, you can choose when to roll it out broadly in your deployment.
\ No newline at end of file
diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md
index 3d701812c0..79a3785540 100644
--- a/windows/client-management/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/wmi-providers-supported-in-windows.md
@@ -1,10 +1,7 @@ --- -title: WMI providers supported in Windows 10 +title: WMI providers supported in Windows description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). -MS-HAID: - - 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' - - 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -12,11 +9,14 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- -# WMI providers supported in Windows 10 +# WMI providers supported in Windows -Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10. +Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows. > [!NOTE] > Applications installed using WMI classes are not removed when the MDM account is removed from device. 
@@ -53,137 +53,135 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw ## MDM WMI classes -|Class|Test completed in Windows 10 for desktop| -|--- |--- | -|[**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob)|Currently testing.| -|[**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application)|Currently testing.| -|[**MDM_ApplicationFramework**](/previous-versions/windows/desktop/mdmappprov/mdm-applicationframework)|Currently testing.| -|[**MDM_ApplicationSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-applicationsetting)|Currently testing.| -|[**MDM_BrowserSecurityZones**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones)|Yes| -|[**MDM_BrowserSettings**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings)|Yes| -|[**MDM_Certificate**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate)|Yes| -|[**MDM_CertificateEnrollment**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment)|Yes| -|[**MDM_Client**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client)|Currently testing.| -|[**MDM_ConfigSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting)|Yes| -|[**MDM_DeviceRegistrationInfo**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo)|| -|[**MDM_EASPolicy**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy)|Yes| -|[**MDM_MgMtAuthority**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority)|Yes| -|**MDM_MsiApplication**|| -|**MDM_MsiInstallJob**|| -|[**MDM_RemoteApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteapplication)|Test not started.| -|[**MDM_RemoteAppUseCookie**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteappusercookie)|Test not started.| -|[**MDM_Restrictions**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions)|Yes| 
-|[**MDM_RestrictionsUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser)|Test not started.| -|[**MDM_SecurityStatus**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus)|Yes| -|[**MDM_SideLoader**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader)|| -|[**MDM_SecurityStatusUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatususer)|Currently testing.| -|[**MDM_Updates**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates)|Yes| -|[**MDM_VpnApplicationTrigger**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger)|Yes| -|**MDM_VpnConnection**|| -|[**MDM_WebApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-webapplication)|Currently testing.| -|[**MDM_WirelessProfile**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile)|Yes| -|[**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml)|Yes| -|[**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel)|Yes| -|[**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration)|Yes| -|[**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile)|Yes| -|[**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection)|Yes| -|[**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct)|| -|[**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice)|| +| Class | Test completed in Windows 10 | +|-----------------------------------------------------------------------------------------------------------------|------------------------------| +| [**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob) | Currently testing. 
| +| [**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application) | Currently testing. | +| [**MDM_ApplicationFramework**](/previous-versions/windows/desktop/mdmappprov/mdm-applicationframework) | Currently testing. | +| [**MDM_ApplicationSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-applicationsetting) | Currently testing. | +| [**MDM_BrowserSecurityZones**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones) | Yes | +| [**MDM_BrowserSettings**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings) | Yes | +| [**MDM_Certificate**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate) | Yes | +| [**MDM_CertificateEnrollment**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment) | Yes | +| [**MDM_Client**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client) | Currently testing. | +| [**MDM_ConfigSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting) | Yes | +| [**MDM_DeviceRegistrationInfo**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo) | | +| [**MDM_EASPolicy**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy) | Yes | +| [**MDM_MgMtAuthority**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority) | Yes | +| **MDM_MsiApplication** | | +| **MDM_MsiInstallJob** | | +| [**MDM_RemoteApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteapplication) | Test not started. | +| [**MDM_RemoteAppUseCookie**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteappusercookie) | Test not started. | +| [**MDM_Restrictions**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions) | Yes | +| [**MDM_RestrictionsUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser) | Test not started. 
| +| [**MDM_SecurityStatus**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus) | Yes | +| [**MDM_SideLoader**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader) | | +| [**MDM_SecurityStatusUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatususer) | Currently testing. | +| [**MDM_Updates**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates) | Yes | +| [**MDM_VpnApplicationTrigger**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger) | Yes | +| **MDM_VpnConnection** | | +| [**MDM_WebApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-webapplication) | Currently testing. | +| [**MDM_WirelessProfile**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile) | Yes | +| [**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml) | Yes | +| [**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel) | Yes | +| [**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration) | Yes | +| [**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile) | Yes | +| [**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection) | Yes | +| [**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct) | | +| [**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice) | | ### Parental control WMI classes -| Class | Test completed in Windows 10 for desktop | -|--------------------------------------------------------------------------|------------------------------------------| -| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| 
[**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | -| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | - - +| Class | Test completed in Windows 10 | +|-----------------------------------------------------------------------------------------|------------------------------| +| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | +| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | ### Win32 WMI classes -| Class | Test completed in Windows 10 for desktop | 
-|--------------------------------------------------------------------------|------------------------------------------| -[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | -[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | -[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes -[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes -[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | -[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes -[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes -[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes -[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | -[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes -[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes -[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | -[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes -[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | -[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | -[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | -[**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) | -[**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) | -[**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) | -[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | -[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | -[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | -[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes -[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) 
| -[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes -[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | -[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes -[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | -[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | -[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | -[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | -[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | -[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes -[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | -[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | -[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | -[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | -[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | -[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes -[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | -[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | -[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | -[**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) | -[**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) | -[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | -[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | -[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | -[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) 
| Yes -[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes -[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | -[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | -[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | -[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | -[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | -[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes -[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes -[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | -[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | -[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes -[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | -[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes -[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | -[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes -[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | -[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | -[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes -[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | -**Win32\_WindowsUpdateAgentVersion** | - +| Class | Test completed in Windows 10 | +|---------------------------------------------------------------------------------------------------------|------------------------------| +| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | +| [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | +| [**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes | +| 
[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes | +| [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | +| [**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes | +| [**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes | +| [**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes | +| [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | +| [**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) | Yes | +| [**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes | +| [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | +| [**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes | +| [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | +| [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | +| [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | +| [**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) | +| [**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) | +| [**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) | +| [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | +| [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | +| [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | +| [**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes | +| [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | +| [**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes | +| [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | +| [**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes | +| 
[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | +| [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | +| [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | +| [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | +| [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | +| [**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes | +| [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | +| [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | +| [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | +| [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | +| [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | +| [**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes | +| [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | +| [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | +| [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | +| [**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) | +| [**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) | +| [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | +| [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | +| [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | +| [**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes | +| [**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes | +| [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | +| 
[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | +| [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | +| [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | +| [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | +| [**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes | +| [**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes | +| [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | +| [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | +| [**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes | +| [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | +| [**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes | +| [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | +| [**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes | +| [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | +| [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | +| [**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes | +| [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | +| **Win32\_WindowsUpdateAgentVersion** | ## Related topics [Configuration service provider reference](mdm/index.yml) ## Related Links + [CIM Video Controller](/windows/win32/cimwin32prov/cim-videocontroller) diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index ae433621cc..49737ce32b 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -59,7 +59,8 @@ "claydetels19", "jborsecnik", "tiburd", - "garycentric" + "garycentric", + "beccarobins" ], "searchScope": ["Windows 10"] }, 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 800e7781f6..87899c2977 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -255,7 +255,7 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato ```xml - + diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index 00a55c6d95..e766825729 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -158,13 +158,14 @@ echo result: %ERRORLEVEL% >> %LOGFILE% ### Calling multiple scripts in the package -Your provisioning package can include multiple CommandLines. +Your provisioning package can include multiple **CommandFiles**. -You are allowed one CommandLine per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the CommandLine specified in the package. +You are allowed one **CommandLine** per provisioning package. The batch files shown above are orchestrator scripts that manage the installation and call any other scripts included in the provisioning package. The orchestrator script is what should be invoked from the **CommandLine** specified in the package. Here’s a table describing this relationship, using the PowerShell example from above: + |ICD Setting | Value | Description | | --- | --- | --- | | ProvisioningCommands/DeviceContext/CommandLine | cmd /c PowerShell_Example.bat | The command line needed to invoke the orchestrator script. | 
@@ -194,6 +195,7 @@ In Windows Configuration Designer, that is done by adding files under the `Provi When you are done, [build the package](provisioning-create-package.md#build-package). + ### Remarks 1. No user interaction or console output is supported via ProvisioningCommands. All work needs to be silent. If your script attempts to do any of the following it will cause undefined behavior, and could put the device in an unrecoverable state if executed during setup or the Out of Box Experience: @@ -217,7 +219,6 @@ When you are done, [build the package](provisioning-create-package.md#build-pack >There is a timeout of 30 minutes for the provisioning process at this point. All scripts and installs need to complete within this time. 7. The scripts are executed in the background as the rest of provisioning continues to run. For packages added on existing systems using the double-click to install, there is no notification that provisioning or script execution has completed - ## Related articles - [Provisioning packages for Windows client](provisioning-packages.md) @@ -230,3 +231,5 @@ When you are done, [build the package](provisioning-create-package.md#build-pack - [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md) - [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md) - [Create a provisioning package with multivariant settings](provisioning-multivariant.md) + + diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 37887f4c3d..eed909eb0d 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md 
@@ -56,7 +56,7 @@ To add a new item under the browser's **Favorites** list: 2. In the **Available customizations** pane, select the friendly name that you created, and in the text field, enter the URL for the item. -For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and "" for the URL. +For example, to include the corporate Web site to the list of browser favorites, a company called Contoso can specify **Contoso** as the value for the name and `http://www.contoso.com` for the URL. ## PartnerSearchCode diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index 37eb5a69cb..3cd3b238d5 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -212,6 +212,8 @@ items: - name: Windows Update for Business reports workbook href: update/wufb-reports-workbook.md + - name: Delivery Optimization data in reports + href: update/wufb-reports-do.md - name: Software updates in the Microsoft 365 admin center href: update/wufb-reports-admin-center.md - name: Use Windows Update for Business reports data diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index fc628c12d5..4adba0785d 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md 
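Review bot: The corrected example URL is `http://www.contoso.com`, so the sample favorite an admin copies into the Favorites customization is a cleartext entry for the company's own site, and the provisioned browser will open it exactly as written. Restoring the dropped URL is the right fix; it should just model the secure scheme: `... as the value for the name and `https://www.contoso.com` for the URL.`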
@@ -192,7 +192,7 @@ Selection profiles, which are available in the Advanced Configuration node, prov MDT uses many log files during operating system deployments. By default the logs are client side, but by configuring the deployment settings, you can have MDT store them on the server, as well. > [!NOTE] -> The easiest way to view log files is to use Configuration Manager Trace (CMTrace), which is included in the [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). +> The easiest way to view log files is to use Configuration Manager Trace (CMTrace). For more information, see [CMTrace](/mem/configmgr/core/support/cmtrace). ## Monitoring diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 57be35765a..cef1350b94 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -266,7 +266,8 @@ See the following example: ## Use CMTrace to read log files (optional) -The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool. +The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/mem/configmgr/core/support/cmtrace)). + You can use Notepad (example below): ![figure 8.](../images/mdt-05-fig09.png) diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md index 8c40be4dcd..0ea1bd83a0 100644 
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md +++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md @@ -49,7 +49,8 @@ On **PC0001**: & "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log ``` -3. Download and install the free [Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717) on PC0001 so that you have access to the Configuration Manager Trace (cmtrace.exe) tool. + > [!NOTE] + > For more information about the Configuration Manager Trace (cmtrace.exe) tool, see [CMTrace](/mem/configmgr/core/support/cmtrace). 4. Using Local Users and Groups (lusrmgr.msc), add the **contoso\\MDT\_BA** user account to the local **Administrators** group. diff --git a/windows/deployment/do/images/UC_workspace_DO_status.png b/windows/deployment/do/images/UC_workspace_DO_status.png deleted file mode 100644 index fa7550f0f5..0000000000 Binary files a/windows/deployment/do/images/UC_workspace_DO_status.png and /dev/null differ diff --git a/windows/deployment/do/images/addcachenode.png b/windows/deployment/do/images/addcachenode.png deleted file mode 100644 index ea8db2a08a..0000000000 Binary files a/windows/deployment/do/images/addcachenode.png and /dev/null differ diff --git a/windows/deployment/do/images/backicon.png b/windows/deployment/do/images/backicon.png deleted file mode 100644 index 3007e448b1..0000000000 Binary files a/windows/deployment/do/images/backicon.png and /dev/null differ diff --git a/windows/deployment/do/images/doneicon.png b/windows/deployment/do/images/doneicon.png deleted file mode 100644 index d80389f35b..0000000000 Binary files a/windows/deployment/do/images/doneicon.png and /dev/null differ 
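Review bot: Dropping step 3 removes the only instruction that put cmtrace.exe on PC0001, yet the code block just above it in the same hunk still runs `& "C:\MDT\CMTrace" C:\MININT\SMSOSD\OSDLOGS\ZTIGather.log`, so the procedure now invokes a file the reader was never told to obtain. The replacement note only links to the CMTrace reference. Keep an action item, e.g. `3. Copy cmtrace.exe to C:\MDT on PC0001 (see [CMTrace](/mem/configmgr/core/support/cmtrace) for where to get it) so the command above can run.`, which also closes the gap the source list now has before item `4.`. The preceding numbered items of this list are outside the hunk.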
diff --git a/windows/deployment/do/images/ent-mcc-overview.png b/windows/deployment/do/images/ent-mcc-overview.png deleted file mode 100644 index a4e5a4f0ec..0000000000 Binary files a/windows/deployment/do/images/ent-mcc-overview.png and /dev/null differ diff --git a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md index 0d11fcb79e..faf96a6339 100644 --- a/windows/deployment/do/includes/waas-delivery-optimization-monitor.md +++ b/windows/deployment/do/includes/waas-delivery-optimization-monitor.md 
@@ -28,8 +28,8 @@ ms.localizationpriority: medium | TotalBytesDownloaded | The number of bytes from any source downloaded so far | | PercentPeerCaching |The percentage of bytes downloaded from peers versus over HTTP | | BytesFromPeers | Total bytes downloaded from peer devices (sum of bytes downloaded from LAN, Group, and Internet Peers) | -| BytesfromHTTP | Total number of bytes received over HTTP. This represents all HTTP sources, which includes BytesFromCacheServer | -| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but is not uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | +| BytesfromHTTP | Total number of bytes received over HTTP. This metric represents all HTTP sources, which includes BytesFromCacheServer | +| Status | Current state of the operation. Possible values are: **Downloading** (download in progress); **Complete** (download completed, but isn't uploading yet); **Caching** (download completed successfully and is ready to upload or uploading); **Paused** (download/upload paused by caller) | | Priority | Priority of the download; values are **foreground** or **background** | | BytesFromCacheServer | Total number of bytes received from cache server (MCC) | | BytesFromLanPeers | Total number of bytes received from peers found on the LAN | 
@@ -98,9 +98,19 @@ Using the `-Verbose` option returns additional information: - Bytes from CDN (the number of bytes received over HTTP) - Average number of peer connections per download -**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers. +**Starting in Windows 10, version 2004**, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo`, which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer. -Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to that from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. +| Key | Value | +| --- | --- | +| IP | Peer device IP address | +| PeerType | The type of peer used (LAN/Group/Internet/LinkLocal), determined by the Delivery Optimization Service, except for the LinkLocal option, which uses the DNS-SD protocol. | +| ConnectionEstablished | True/False to indicate if peer is connected | +| BytesSent | Bytes sent to/from the peer on the current connection | +| BytesReceived | Bytes received to/from the peer on the current connection | +| UploadRateBytes | Average value of upload rates on the current connection, over the past 20 seconds | +| DownloadRateBytes | Average value of download rates on the current connection, over the past 20 seconds | + +Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth` returns data similar to data from `Get-DeliveryOptimizationPerfSnap` but limited to the current calendar month. #### Manage the Delivery Optimization cache 
@@ -110,7 +120,7 @@ Starting in Windows 10, version 1803, `Get-DeliveryOptimizationPerfSnapThisMonth `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]` extends expiration for a single specific file in the cache. -You can now "pin" files to keep them persistent in the cache. You can only do this with files that are downloaded in modes 1, 2, or 3. +You can now "pin" files to keep them persistent in the cache, only with files that are downloaded in modes 1, 2, or 3. `set-DeliveryOptimizationStatus -Pin [True] -File ID [FileID]` keeps a specific file in the cache such that it won't be deleted until the expiration date and time (which you set with `set-DeliveryOptimizationStatus -ExpireOn [date time] -FileID [FileID]`). The file is also excluded from the cache quota calculation. @@ -155,6 +165,6 @@ Using the `-ListConnections` option returns these details about peers: `Get-DeliveryOptimizationLog [-Path ] [-Flush]` -If `Path` is not specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs. +If `Path` isn't specified, this cmdlet reads all logs from the DoSvc log directory, which requires administrator permissions. If `Flush` is specified, the cmdlet stops DoSvc before reading logs. Log entries are written to the PowerShell pipeline as objects. To dump logs to a text file, run `Get-DeliveryOptimizationLog | Set-Content ` or something similar. diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index f363e5116d..1a0f413fd5 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -1,7 +1,7 @@ ### YamlMime:FAQ metadata: title: Delivery Optimization Frequently Asked Questions - description: The following is a list of frequently asked questions for Delivery Optimization. + description: List of frequently asked questions for Delivery Optimization. ms.reviewer: mstewart ms.prod: windows-client author: cmknox @@ -12,7 +12,7 @@ metadata: - highpri - tier3 ms.topic: faq - ms.date: 08/04/2022 + ms.date: 04/17/2023 title: Delivery Optimization Frequently Asked Questions summary: | **Applies to** @@ -29,7 +29,7 @@ sections: answer: | Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. 
@@ -70,7 +70,7 @@ sections: If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN. With split tunneling, make sure to allow direct access to these endpoints: 
@@ -99,3 +99,11 @@ sections: > [!NOTE] > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. + - question: How are downloads initiated by Delivery Optimization? + answer: | + Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). + + - question: How does Delivery Optimization determine which content is available for peering? + answer: | + Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots. + diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 9fa907d90e..04c0b9e893 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -152,7 +152,7 @@ Try these steps:
 4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this.
 > [!NOTE]
-> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of the connected peers.
+> Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer.
 ### Clients aren't able to connect to peers offered by the cloud service
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index 066cd3ec04..90f5217061 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -57,7 +57,8 @@
 "claydetels19",
 "jborsecnik",
 "tiburd",
- "garycentric"
+ "garycentric",
+ "beccarobins"
 ],
 "searchScope": ["Windows 10"]
 },
diff --git a/windows/deployment/images/UC-workspace-overview-blade.PNG b/windows/deployment/images/UC-workspace-overview-blade.PNG
deleted file mode 100644
index beb04cdc18..0000000000
Binary files a/windows/deployment/images/UC-workspace-overview-blade.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG b/windows/deployment/images/UC_00_marketplace_search - Copy.PNG
deleted file mode 100644
index dcdf25d38a..0000000000
Binary files a/windows/deployment/images/UC_00_marketplace_search - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_00_marketplace_search.PNG b/windows/deployment/images/UC_00_marketplace_search.PNG
deleted file mode 100644
index dcdf25d38a..0000000000
Binary files a/windows/deployment/images/UC_00_marketplace_search.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG b/windows/deployment/images/UC_01_marketplace_create - Copy.PNG
deleted file mode 100644
index 4b34311112..0000000000
Binary files a/windows/deployment/images/UC_01_marketplace_create - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_01_marketplace_create.PNG b/windows/deployment/images/UC_01_marketplace_create.PNG
deleted file mode 100644
index 4b34311112..0000000000
Binary files a/windows/deployment/images/UC_01_marketplace_create.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_02_workspace_create - Copy.PNG b/windows/deployment/images/UC_02_workspace_create - Copy.PNG
deleted file mode 100644
index ed3eeeebbb..0000000000
Binary files a/windows/deployment/images/UC_02_workspace_create - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_02_workspace_create.PNG b/windows/deployment/images/UC_02_workspace_create.PNG
deleted file mode 100644
index ed3eeeebbb..0000000000
Binary files a/windows/deployment/images/UC_02_workspace_create.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_03_workspace_select - Copy.PNG b/windows/deployment/images/UC_03_workspace_select - Copy.PNG
deleted file mode 100644
index d00864b861..0000000000
Binary files a/windows/deployment/images/UC_03_workspace_select - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_03_workspace_select.PNG b/windows/deployment/images/UC_03_workspace_select.PNG
deleted file mode 100644
index d00864b861..0000000000
Binary files a/windows/deployment/images/UC_03_workspace_select.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG
deleted file mode 100644
index 3ea9f57531..0000000000
Binary files a/windows/deployment/images/UC_04_resourcegrp_deployment_successful - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG b/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG
deleted file mode 100644
index 3ea9f57531..0000000000
Binary files a/windows/deployment/images/UC_04_resourcegrp_deployment_successful .PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_tile_assessing - Copy.PNG b/windows/deployment/images/UC_tile_assessing - Copy.PNG
deleted file mode 100644
index 2709763570..0000000000
Binary files a/windows/deployment/images/UC_tile_assessing - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_tile_assessing.PNG b/windows/deployment/images/UC_tile_assessing.PNG
deleted file mode 100644
index 2709763570..0000000000
Binary files a/windows/deployment/images/UC_tile_assessing.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_tile_filled - Copy.PNG b/windows/deployment/images/UC_tile_filled - Copy.PNG
deleted file mode 100644
index f7e1bab284..0000000000
Binary files a/windows/deployment/images/UC_tile_filled - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_tile_filled.PNG b/windows/deployment/images/UC_tile_filled.PNG
deleted file mode 100644
index f7e1bab284..0000000000
Binary files a/windows/deployment/images/UC_tile_filled.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG b/windows/deployment/images/UC_workspace_DO_status - Copy.PNG
deleted file mode 100644
index fa7550f0f5..0000000000
Binary files a/windows/deployment/images/UC_workspace_DO_status - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_DO_status.PNG b/windows/deployment/images/UC_workspace_DO_status.PNG
deleted file mode 100644
index fa7550f0f5..0000000000
Binary files a/windows/deployment/images/UC_workspace_DO_status.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG b/windows/deployment/images/UC_workspace_FU_status - Copy.PNG
deleted file mode 100644
index 14966b1d8a..0000000000
Binary files a/windows/deployment/images/UC_workspace_FU_status - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_FU_status.PNG b/windows/deployment/images/UC_workspace_FU_status.PNG
deleted file mode 100644
index 14966b1d8a..0000000000
Binary files a/windows/deployment/images/UC_workspace_FU_status.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG b/windows/deployment/images/UC_workspace_SU_status - Copy.PNG
deleted file mode 100644
index 3564c9b6e5..0000000000
Binary files a/windows/deployment/images/UC_workspace_SU_status - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_SU_status.PNG b/windows/deployment/images/UC_workspace_SU_status.PNG
deleted file mode 100644
index 3564c9b6e5..0000000000
Binary files a/windows/deployment/images/UC_workspace_SU_status.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG b/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG
deleted file mode 100644
index 40dcaef949..0000000000
Binary files a/windows/deployment/images/UC_workspace_WDAV_status - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_WDAV_status.PNG b/windows/deployment/images/UC_workspace_WDAV_status.PNG
deleted file mode 100644
index 40dcaef949..0000000000
Binary files a/windows/deployment/images/UC_workspace_WDAV_status.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_home.PNG b/windows/deployment/images/UC_workspace_home.PNG
deleted file mode 100644
index 4269eb8c4d..0000000000
Binary files a/windows/deployment/images/UC_workspace_home.PNG and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_needs_attention - Copy.png b/windows/deployment/images/UC_workspace_needs_attention - Copy.png
deleted file mode 100644
index be8033a9d6..0000000000
Binary files a/windows/deployment/images/UC_workspace_needs_attention - Copy.png and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_needs_attention.png b/windows/deployment/images/UC_workspace_needs_attention.png
deleted file mode 100644
index be8033a9d6..0000000000
Binary files a/windows/deployment/images/UC_workspace_needs_attention.png and /dev/null differ
diff --git a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG b/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG
deleted file mode 100644
index beb04cdc18..0000000000
Binary files a/windows/deployment/images/UC_workspace_overview_blade - Copy.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-Azureportal1.PNG b/windows/deployment/images/UR-Azureportal1.PNG
deleted file mode 100644
index 2a3f8f1b73..0000000000
Binary files a/windows/deployment/images/UR-Azureportal1.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-Azureportal2.PNG b/windows/deployment/images/UR-Azureportal2.PNG
deleted file mode 100644
index e7db8b3787..0000000000
Binary files a/windows/deployment/images/UR-Azureportal2.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-Azureportal3.PNG b/windows/deployment/images/UR-Azureportal3.PNG
deleted file mode 100644
index 6645ba95ce..0000000000
Binary files a/windows/deployment/images/UR-Azureportal3.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-Azureportal4.PNG b/windows/deployment/images/UR-Azureportal4.PNG
deleted file mode 100644
index 3087797a46..0000000000
Binary files a/windows/deployment/images/UR-Azureportal4.PNG and /dev/null differ
diff --git a/windows/deployment/images/UR-driver-issue-detail.png b/windows/deployment/images/UR-driver-issue-detail.png
deleted file mode 100644
index 933b2e2346..0000000000
Binary files a/windows/deployment/images/UR-driver-issue-detail.png and /dev/null differ
diff --git a/windows/deployment/images/UR-example-feedback.png b/windows/deployment/images/UR-example-feedback.png
deleted file mode 100644
index 5a05bb54e1..0000000000
Binary files a/windows/deployment/images/UR-example-feedback.png and /dev/null differ
diff --git a/windows/deployment/images/UR-lift-report.jpg b/windows/deployment/images/UR-lift-report.jpg
deleted file mode 100644
index f76ce5f481..0000000000
Binary files a/windows/deployment/images/UR-lift-report.jpg and /dev/null differ
diff --git a/windows/deployment/images/UR-monitor-main.png b/windows/deployment/images/UR-monitor-main.png
deleted file mode 100644
index 83904d3be2..0000000000
Binary files a/windows/deployment/images/UR-monitor-main.png and /dev/null differ
diff --git a/windows/deployment/images/UR-update-progress-failed-detail.png b/windows/deployment/images/UR-update-progress-failed-detail.png
deleted file mode 100644
index 4e619ae27c..0000000000
Binary files a/windows/deployment/images/UR-update-progress-failed-detail.png and /dev/null differ
diff --git a/windows/deployment/images/oobe.jpg b/windows/deployment/images/oobe.jpg
deleted file mode 100644
index 53a5dab6bf..0000000000
Binary files a/windows/deployment/images/oobe.jpg and /dev/null differ
diff --git a/windows/deployment/images/prov.jpg b/windows/deployment/images/prov.jpg
deleted file mode 100644
index 1593ccb36b..0000000000
Binary files a/windows/deployment/images/prov.jpg and /dev/null differ
diff --git a/windows/deployment/images/setupmsg.jpg b/windows/deployment/images/setupmsg.jpg
deleted file mode 100644
index 12935483c5..0000000000
Binary files a/windows/deployment/images/setupmsg.jpg and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-01.png b/windows/deployment/images/ua-cg-01.png
deleted file mode 100644
index 4b41bd67ba..0000000000
Binary files a/windows/deployment/images/ua-cg-01.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-02.png b/windows/deployment/images/ua-cg-02.png
deleted file mode 100644
index 4cbfaf26d8..0000000000
Binary files a/windows/deployment/images/ua-cg-02.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-03.png b/windows/deployment/images/ua-cg-03.png
deleted file mode 100644
index cfad7911bb..0000000000
Binary files a/windows/deployment/images/ua-cg-03.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-04.png b/windows/deployment/images/ua-cg-04.png
deleted file mode 100644
index c818d15d02..0000000000
Binary files a/windows/deployment/images/ua-cg-04.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-05.png b/windows/deployment/images/ua-cg-05.png
deleted file mode 100644
index a8788f0eb9..0000000000
Binary files a/windows/deployment/images/ua-cg-05.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-06.png b/windows/deployment/images/ua-cg-06.png
deleted file mode 100644
index ed983c96c8..0000000000
Binary files a/windows/deployment/images/ua-cg-06.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-07.png b/windows/deployment/images/ua-cg-07.png
deleted file mode 100644
index 2aba43be53..0000000000
Binary files a/windows/deployment/images/ua-cg-07.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-08.png b/windows/deployment/images/ua-cg-08.png
deleted file mode 100644
index f256b2f097..0000000000
Binary files a/windows/deployment/images/ua-cg-08.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-09-old.png b/windows/deployment/images/ua-cg-09-old.png
deleted file mode 100644
index b9aa1cea41..0000000000
Binary files a/windows/deployment/images/ua-cg-09-old.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-09.png b/windows/deployment/images/ua-cg-09.png
deleted file mode 100644
index 0150a24ee5..0000000000
Binary files a/windows/deployment/images/ua-cg-09.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-10.png b/windows/deployment/images/ua-cg-10.png
deleted file mode 100644
index 54e222338d..0000000000
Binary files a/windows/deployment/images/ua-cg-10.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-11.png b/windows/deployment/images/ua-cg-11.png
deleted file mode 100644
index 4e930a5905..0000000000
Binary files a/windows/deployment/images/ua-cg-11.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-12.png b/windows/deployment/images/ua-cg-12.png
deleted file mode 100644
index 2fbe11b814..0000000000
Binary files a/windows/deployment/images/ua-cg-12.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-13.png b/windows/deployment/images/ua-cg-13.png
deleted file mode 100644
index f04252796e..0000000000
Binary files a/windows/deployment/images/ua-cg-13.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-14.png b/windows/deployment/images/ua-cg-14.png
deleted file mode 100644
index 6105fdf4d1..0000000000
Binary files a/windows/deployment/images/ua-cg-14.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-15.png b/windows/deployment/images/ua-cg-15.png
deleted file mode 100644
index 009315fc4a..0000000000
Binary files a/windows/deployment/images/ua-cg-15.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-16.png b/windows/deployment/images/ua-cg-16.png
deleted file mode 100644
index 6d5b8a84b6..0000000000
Binary files a/windows/deployment/images/ua-cg-16.png and /dev/null differ
diff --git a/windows/deployment/images/ua-cg-17.png b/windows/deployment/images/ua-cg-17.png
deleted file mode 100644
index d66c41917b..0000000000
Binary files a/windows/deployment/images/ua-cg-17.png and /dev/null differ
diff --git a/windows/deployment/images/ua-step2-blades.png b/windows/deployment/images/ua-step2-blades.png
deleted file mode 100644
index c86f7a4338..0000000000
Binary files a/windows/deployment/images/ua-step2-blades.png and /dev/null differ
diff --git a/windows/deployment/images/ua-step2-low-risk.png b/windows/deployment/images/ua-step2-low-risk.png
deleted file mode 100644
index 6e9daf0233..0000000000
Binary files a/windows/deployment/images/ua-step2-low-risk.png and /dev/null differ
diff --git a/windows/deployment/images/update.jpg b/windows/deployment/images/update.jpg
deleted file mode 100644
index d5ba862300..0000000000
Binary files a/windows/deployment/images/update.jpg and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-apps-known-issues.png b/windows/deployment/images/upgrade-analytics-apps-known-issues.png
deleted file mode 100644
index ec99ac92cf..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-apps-known-issues.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png b/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png
deleted file mode 100644
index 9fb09ffd65..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-apps-no-known-issues.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-architecture.png b/windows/deployment/images/upgrade-analytics-architecture.png
deleted file mode 100644
index 93d3acba0b..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-architecture.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-create-iedataoptin.png b/windows/deployment/images/upgrade-analytics-create-iedataoptin.png
deleted file mode 100644
index 60f5ccbc90..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-create-iedataoptin.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-deploy-eligible.png b/windows/deployment/images/upgrade-analytics-deploy-eligible.png
deleted file mode 100644
index 8da91cebc4..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-deploy-eligible.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-drivers-known.png b/windows/deployment/images/upgrade-analytics-drivers-known.png
deleted file mode 100644
index 35d61f87c7..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-drivers-known.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-most-active-sites.png b/windows/deployment/images/upgrade-analytics-most-active-sites.png
deleted file mode 100644
index 180c5ddced..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-most-active-sites.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG b/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG
deleted file mode 100644
index 2041f14fd4..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-namepub-rollup.PNG and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-overview.png b/windows/deployment/images/upgrade-analytics-overview.png
deleted file mode 100644
index ba02ee0a8c..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-overview.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-pilot.png b/windows/deployment/images/upgrade-analytics-pilot.png
deleted file mode 100644
index 1c1de328ea..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-pilot.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-prioritize.png b/windows/deployment/images/upgrade-analytics-prioritize.png
deleted file mode 100644
index d6227694c1..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-prioritize.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-query-activex-name.png b/windows/deployment/images/upgrade-analytics-query-activex-name.png
deleted file mode 100644
index 5068e7d20e..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-query-activex-name.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG b/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG
deleted file mode 100644
index 4d22cc9353..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-ready-for-windows-status-guidance-precedence.PNG and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG b/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG
deleted file mode 100644
index c233db2340..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-ready-for-windows-status.PNG and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-settings.png b/windows/deployment/images/upgrade-analytics-settings.png
deleted file mode 100644
index be51cd3418..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-settings.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png b/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png
deleted file mode 100644
index d1a46f1791..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-site-activity-by-doc-mode.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-site-domain-detail.png b/windows/deployment/images/upgrade-analytics-site-domain-detail.png
deleted file mode 100644
index 15a7ee20c4..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-site-domain-detail.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-telemetry.png b/windows/deployment/images/upgrade-analytics-telemetry.png
deleted file mode 100644
index bf60935616..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-telemetry.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-analytics-unsubscribe.png b/windows/deployment/images/upgrade-analytics-unsubscribe.png
deleted file mode 100644
index 402db94d6f..0000000000
Binary files a/windows/deployment/images/upgrade-analytics-unsubscribe.png and /dev/null differ
diff --git a/windows/deployment/images/upgrade-process.png b/windows/deployment/images/upgrade-process.png
deleted file mode 100644
index b2b77708fc..0000000000
Binary files a/windows/deployment/images/upgrade-process.png and /dev/null differ
diff --git a/windows/deployment/images/upgradecfg-fig2-upgrading.png b/windows/deployment/images/upgradecfg-fig2-upgrading.png
deleted file mode 100644
index c53de79c29..0000000000
Binary files a/windows/deployment/images/upgradecfg-fig2-upgrading.png and /dev/null differ
diff --git a/windows/deployment/images/upgradecfg-fig3-upgrade.png b/windows/deployment/images/upgradecfg-fig3-upgrade.png
deleted file mode 100644
index d0c1ceaaf9..0000000000
Binary files a/windows/deployment/images/upgradecfg-fig3-upgrade.png and /dev/null differ
diff --git a/windows/deployment/images/upgrademdt-fig2-importedos.png b/windows/deployment/images/upgrademdt-fig2-importedos.png
deleted file mode 100644
index 93b92efd93..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig2-importedos.png and /dev/null differ
diff --git a/windows/deployment/images/upgrademdt-fig3-tasksequence.png b/windows/deployment/images/upgrademdt-fig3-tasksequence.png
deleted file mode 100644
index 1ad66c2098..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig3-tasksequence.png and /dev/null differ
diff --git a/windows/deployment/images/upgrademdt-fig4-selecttask.png b/windows/deployment/images/upgrademdt-fig4-selecttask.png
deleted file mode 100644
index dcbc73871a..0000000000
Binary files a/windows/deployment/images/upgrademdt-fig4-selecttask.png and /dev/null differ
diff --git a/windows/deployment/images/ur-arch-diagram.png b/windows/deployment/images/ur-arch-diagram.png
deleted file mode 100644
index 9c1da1227c..0000000000
Binary files a/windows/deployment/images/ur-arch-diagram.png and /dev/null differ
diff --git a/windows/deployment/images/ur-overview.PNG b/windows/deployment/images/ur-overview.PNG
deleted file mode 100644
index cf9563ece5..0000000000
Binary files a/windows/deployment/images/ur-overview.PNG and /dev/null differ
diff --git a/windows/deployment/images/ur-settings.PNG b/windows/deployment/images/ur-settings.PNG
deleted file mode 100644
index d1724cb821..0000000000
Binary files a/windows/deployment/images/ur-settings.PNG and /dev/null differ
diff --git a/windows/deployment/images/ur-target-version.png b/windows/deployment/images/ur-target-version.png
deleted file mode 100644
index 43f0c9aa0c..0000000000
Binary files a/windows/deployment/images/ur-target-version.png and /dev/null differ
diff --git a/windows/deployment/images/uwp-dependencies.PNG b/windows/deployment/images/uwp-dependencies.PNG
deleted file mode 100644
index 4e2563169f..0000000000
Binary files a/windows/deployment/images/uwp-dependencies.PNG and /dev/null differ
diff --git a/windows/deployment/images/uwp-family.PNG b/windows/deployment/images/uwp-family.PNG
deleted file mode 100644
index bec731eec4..0000000000
Binary files a/windows/deployment/images/uwp-family.PNG and /dev/null differ
diff --git a/windows/deployment/images/uwp-license.PNG b/windows/deployment/images/uwp-license.PNG
deleted file mode 100644
index ccb5cf7cf4..0000000000
Binary files a/windows/deployment/images/uwp-license.PNG and /dev/null differ
diff --git a/windows/deployment/images/who-owns-pc.png b/windows/deployment/images/who-owns-pc.png
deleted file mode 100644
index d3ce1def8d..0000000000
Binary files a/windows/deployment/images/who-owns-pc.png and /dev/null differ
diff --git a/windows/deployment/images/win-security-update-status-by-computer.png b/windows/deployment/images/win-security-update-status-by-computer.png
deleted file mode 100644
index 720ae898be..0000000000
Binary files a/windows/deployment/images/win-security-update-status-by-computer.png and /dev/null differ
diff --git a/windows/deployment/images/win10-set-up-work-or-school.png b/windows/deployment/images/win10-set-up-work-or-school.png
deleted file mode 100644
index 0ca83fb0e1..0000000000
Binary files a/windows/deployment/images/win10-set-up-work-or-school.png and /dev/null differ
diff --git a/windows/deployment/images/windowsupgradeadditionaloptions.png b/windows/deployment/images/windowsupgradeadditionaloptions.png
deleted file mode 100644
index 4fcdb1dd70..0000000000
Binary files a/windows/deployment/images/windowsupgradeadditionaloptions.png and /dev/null differ
diff --git a/windows/deployment/planning/images/branch.png b/windows/deployment/planning/images/branch.png
deleted file mode 100644
index a7eefed13c..0000000000
Binary files a/windows/deployment/planning/images/branch.png and /dev/null differ
diff --git a/windows/deployment/planning/images/chromebook-fig1-googleadmin.png b/windows/deployment/planning/images/chromebook-fig1-googleadmin.png
deleted file mode 100644
index b3d42e5ff2..0000000000
Binary files a/windows/deployment/planning/images/chromebook-fig1-googleadmin.png and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-addissue.gif b/windows/deployment/planning/images/dep-win8-e-act-addissue.gif
deleted file mode 100644
index dbe6b657bb..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-addissue.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif b/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif
deleted file mode 100644
index 98e6c27ad7..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-addsolution.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-categorize.gif b/windows/deployment/planning/images/dep-win8-e-act-categorize.gif
deleted file mode 100644
index 23bae141bc..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-categorize.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif b/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif
deleted file mode 100644
index 111e79a839..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-communityexample.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif b/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif
deleted file mode 100644
index 7ad0515838..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-createnewdcp.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-delete.gif b/windows/deployment/planning/images/dep-win8-e-act-delete.gif
deleted file mode 100644
index 24d6b6cd8f..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-delete.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif b/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif
deleted file mode 100644
index 5f07b13d22..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-deploymentstatus.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif
deleted file mode 100644
index a92e0d9525..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-doesnotwork64icon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif b/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif
deleted file mode 100644
index d07dce9b67..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-doesnotworkicon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif b/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif
deleted file mode 100644
index 35fb052076..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-exportdcp.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif b/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif
deleted file mode 100644
index 924efd2a21..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-exportreportdata.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif b/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif
deleted file mode 100644
index ebb4547df3..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterdata.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif
deleted file mode 100644
index 909cb95436..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0activeissues.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif
deleted file mode 100644
index 178095998f..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallapps0issues.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif
deleted file mode 100644
index 824bcd764a..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleallappswissues.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif
deleted file mode 100644
index 2621c7e2b5..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexamplecategory.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif
deleted file mode 100644
index 40b8e61815..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforissueswsolutions.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif b/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif
deleted file mode 100644
index 74c2687b0b..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-filterexampleforspecificsolutions.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif
deleted file mode 100644
index a69b282a37..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-greenworks64icon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif b/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif
deleted file mode 100644
index 73626ccdcf..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-greenworksicon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-help.gif b/windows/deployment/planning/images/dep-win8-e-act-help.gif
deleted file mode 100644
index 6ce522acba..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-help.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-home.gif b/windows/deployment/planning/images/dep-win8-e-act-home.gif
deleted file mode 100644
index 0555779689..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-home.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif
deleted file mode 100644
index b4593fd6d1..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-info64icon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif b/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif
deleted file mode 100644
index 6ef158023c..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-infoicon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif b/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif
deleted file mode 100644
index 8842896029..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-minorissues64icon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png b/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png
deleted file mode 100644
index ea4d0588a6..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-minorissuesicon.png and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif b/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif
deleted file mode 100644
index 06a357b04e..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-moveupanddown.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-open.gif b/windows/deployment/planning/images/dep-win8-e-act-open.gif
deleted file mode 100644
index 430bc23095..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-open.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif b/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif
deleted file mode 100644
index 8327888637..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-prioritize.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif b/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif
deleted file mode 100644
index 4a647114a4..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-reactivate-resolved-issue.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-refresh.gif b/windows/deployment/planning/images/dep-win8-e-act-refresh.gif
deleted file mode 100644
index 1e9cd7e6aa..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-refresh.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif b/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif
deleted file mode 100644
index 74c9e784e2..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-riskassessment.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-save.gif b/windows/deployment/planning/images/dep-win8-e-act-save.gif
deleted file mode 100644
index 50691cc5c8..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-save.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-savereport.gif b/windows/deployment/planning/images/dep-win8-e-act-savereport.gif
deleted file mode 100644
index 00395ee6dd..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-savereport.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif b/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif
deleted file mode 100644
index 9272a99a14..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-sendandreceive.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif b/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif
deleted file mode 100644
index 7e38cf8108..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-e-act-sendandreceiveicon.gif and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg b/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg
deleted file mode 100644
index 95f3fdb690..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-l-act-communityworkflowdiagram.jpg and /dev/null differ
diff --git a/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg b/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg
deleted file mode 100644
index fd03081e46..0000000000
Binary files a/windows/deployment/planning/images/dep-win8-l-act-supportedtopologies.jpg and /dev/null differ
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure1.png b/windows/deployment/planning/images/deploy-win-10-school-figure1.png
deleted file mode 100644
index 66113dcce1..0000000000
Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure1.png and /dev/null differ
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure2.png b/windows/deployment/planning/images/deploy-win-10-school-figure2.png
deleted file mode 100644
index 0227f8dbaa..0000000000
Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure2.png and /dev/null differ
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure3.png b/windows/deployment/planning/images/deploy-win-10-school-figure3.png
deleted file mode 100644
index 1b39b5cc14..0000000000
Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure3.png and /dev/null differ
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure4.png b/windows/deployment/planning/images/deploy-win-10-school-figure4.png
deleted file mode 100644
index 09552a448a..0000000000
Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure4.png and /dev/null differ
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure5.png b/windows/deployment/planning/images/deploy-win-10-school-figure5.png
deleted file mode 100644
index 550386f1ce..0000000000
Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure5.png and /dev/null differ
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure6.png b/windows/deployment/planning/images/deploy-win-10-school-figure6.png
deleted file mode 100644
index 09552a448a..0000000000
Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure6.png and /dev/null differ
diff --git a/windows/deployment/planning/images/deploy-win-10-school-figure7.png b/windows/deployment/planning/images/deploy-win-10-school-figure7.png
deleted file mode 100644
index 8e7581007a..0000000000
Binary files a/windows/deployment/planning/images/deploy-win-10-school-figure7.png and /dev/null differ
diff --git a/windows/deployment/planning/images/fig2-locallyconfig.png b/windows/deployment/planning/images/fig2-locallyconfig.png
deleted file mode 100644
index d2fe9820da..0000000000
Binary files a/windows/deployment/planning/images/fig2-locallyconfig.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png b/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png
deleted file mode 100644
index 2f684c32ff..0000000000
Binary files a/windows/deployment/planning/images/wuforbus-fig1-manuallyset.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png b/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png
deleted file mode 100644
index 5e43f36403..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig10-sccmconsole.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig11-intune.png b/windows/deployment/planning/images/wuforbusiness-fig11-intune.png
deleted file mode 100644
index 8006085bf1..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig11-intune.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png b/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png
deleted file mode 100644
index 078d60b745..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig12a-updates.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png b/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png
deleted file mode 100644
index 432e0d8711..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig13a-upgrades.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig2-gp.png b/windows/deployment/planning/images/wuforbusiness-fig2-gp.png
deleted file mode 100644
index d748cd0dc9..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig2-gp.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png b/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png
deleted file mode 100644
index 90900dee9d..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig3-mdm.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png b/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png
deleted file mode 100644
index 0c6a1a0265..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig4-localpoleditor.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png b/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png
deleted file mode 100644
index 591ba04c8a..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig5-deferupgrade.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig6-pause.png b/windows/deployment/planning/images/wuforbusiness-fig6-pause.png
deleted file mode 100644
index d19ef0e013..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig6-pause.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png b/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png
deleted file mode 100644
index ebd28fb689..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig7-validationgroup.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png b/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png
deleted file mode 100644
index ce8a59a910..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig8a-chooseupdates.png and /dev/null differ
diff --git a/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg b/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg
deleted file mode 100644
index 04c3558d41..0000000000
Binary files a/windows/deployment/planning/images/wuforbusiness-fig9-dosettings.jpg and /dev/null differ
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
index c234ad4992..4907345be4 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
@@ -164,7 +164,7 @@ sections: - question: | Can the user self-provision Windows To Go? answer: | - Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746). + Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases include support for user self-provisioning of Windows To Go drives. - question: | How can Windows To Go be managed in an organization? 
@@ -292,7 +292,7 @@ sections: Windows To Go Creator and the recommended deployment steps for Windows To Go set SAN Policy 4 on Windows To Go drive. This policy prevents Windows from automatically mounting internal disk drives. That's why you can't see the internal hard drives of the host computer when you're booted into Windows To Go. This is done to prevent accidental data leakage between Windows To Go and the host system. This policy also prevents potential corruption on the host drives or data loss if the host operating system is in a hibernation state. If you really need to access the files on the internal hard drive, you can use diskmgmt.msc to mount the internal drive. **Warning** - It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. + It is strongly recommended that you do not mount internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 or later operating system, mounting the drive will lead to loss of hibernation state and therefore user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. 
@@ -324,7 +324,7 @@ sections: - question: | Do I need to activate Windows To Go every time I roam? answer: | - No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or a through remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days. + No, Windows To Go requires volume activation; either using the [Key Management Service](/previous-versions/tn-archive/ff793434(v=technet.10)) (KMS) server in your organization or using [Active Directory](/previous-versions/windows/hh852637(v=win.10)) based volume activation. The Windows To Go workspace won't need to be reactivated every time you roam. KMS activates Windows on a local network, eliminating the need for individual computers to connect to Microsoft. To remain activated, KMS client computers must renew their activation by connecting to the KMS host on periodic basis. 
This typically occurs as soon as the user has access to the corporate network (either through a direct connection on-premises or through a remote connection using DirectAccess or a virtual private network connection), once activated the machine won't need to be activated again until the activation validity interval has passed. In a KMS configuration, the activation validity interval is 180 days. - question: | Can I use all Windows features on Windows To Go? 
@@ -433,7 +433,7 @@ sections: answer: | One of the challenges involved in moving the Windows To Go drive between PCs while seamlessly booting Windows with access to all of their applications and data is that for Windows to be fully functional, specific drivers need to be installed for the hardware in each machine that runs Windows. Windows 8 or later has a process called respecialize which will identify new drivers that need to be loaded for the new PC and disable drivers that aren't present on the new configuration. In general, this feature is reliable and efficient when roaming between PCs of widely varying hardware configurations. - In certain cases, third-party drivers for different hardware models or versions can reuse device ID's, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. + In certain cases, third-party drivers for different hardware models or versions can reuse device IDs, driver file names, registry keys (or any other operating system constructs that don't support side-by-side storage) for similar hardware. For example, Touchpad drivers on different laptops often reuse the same device ID's, and video cards from the same manufacturer may often reuse service names. Windows handles these situations by marking the non-present device node with a flag that indicates the existing driver needs to be reinstalled before continuing to install the new driver. This process will occur on any boot that a new driver is found and a driver conflict is detected. 
In some cases that will result in a respecialize progress message "Installing devices…" displaying every time that a Windows to Go drive is roamed between two PCs that require conflicting drivers. diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index edf0aba102..d20d9c067f 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md 
@@ -1,49 +1,53 @@
 ---
-title: Windows 10 Pro in S mode
-description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
+title: Windows Pro in S mode
+description: Overview of Windows Pro and Enterprise in S mode.
 ms.localizationpriority: high
 ms.prod: windows-client
 manager: aaroncz
 author: frankroj
 ms.author: frankroj
-ms.topic: article
-ms.date: 11/23/2022
+ms.topic: conceptual
+ms.date: 04/26/2023
 ms.technology: itpro-deploy
 ---
-# Windows 10 in S mode - What is it?
+# Windows Pro in S mode
-S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.
+S mode is a configuration that's available on all Windows Editions, and it's enabled at the time of manufacturing. Windows can be switched out of S mode at any time, as shown in the picture below. However, the switch is a one-time operation, and can only be undone by a wipe and reload of the operating system.
-![Configuration and features of S mode.](images/smodeconfig.png)
+:::image type="content" source="images/smodeconfig.png" alt-text="Table listing the capabilities of S mode across the different Windows editions.":::
 ## S mode key features
 ### Microsoft-verified security
-With Windows 10 in S mode, you'll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they're Microsoft-verified for security. You can also feel secure when you're online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware.
+With Windows in S mode, you'll find your favorite applications in the Microsoft Store, where they're Microsoft-verified for security. You can also feel secure when you're online.
Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware.
 ### Performance that lasts
-Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you'll enjoy a smooth, responsive experience, whether you're streaming HD video, opening apps, or being productive on the go.
+Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. You'll enjoy a smooth, responsive experience, whether you're streaming videos, opening apps, or being productive on the go.
 ### Choice and flexibility
-Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
+Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don't find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
-![Switching out of S mode flow chart.](images/s-mode-flow-chart.png)
+:::image type="content" source="images/s-mode-flow-chart.png" alt-text="Switching out of S mode flow chart.":::
 ## Deployment
-Windows 10 in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot).
Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired.
+Windows in S mode is built for [modern management](/windows/client-management/manage-windows-10-in-your-organization-modern-management), which means using [Windows Autopilot](/mem/autopilot/windows-autopilot) for deployment, and a Mobile Device Management (MDM) solution for management, like Microsoft Intune.
+
+Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic device that can only be used to join the company Azure AD tenant or Active Directory domain. Policies are then deployed automatically through MDM, to customize the device to the user and the desired environment.
+
+For the devices that are shipped in S mode, you can either keep them in S mode, use Windows Autopilot to switch them out of S mode during the first run process, or later using MDM, if desired.
 ## Keep line of business apps functioning with Desktop Bridge
-Worried about your line of business apps not working in S mode? [Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode.
+[Desktop Bridge](/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating the apps, you can distribute them through an MDM solution like Microsoft Intune.
 ## Repackage Win32 apps into the MSIX format
-The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively and obtain an MSIX package that you can install on your device and upload to the Microsoft Store. The MSIX Packaging Tool is another way to get your apps ready to run on Windows 10 in S mode.
+The [MSIX Packaging Tool](/windows/application-management/msix-app-packaging-tool), available from the Microsoft Store, enables you to repackage existing Win32 applications to the MSIX format. You can run your desktop installers through the MSIX Packaging Tool interactively, and obtain an MSIX package that you can deploy through and MDM solution like Microsoft Intune. The MSIX Packaging Tool is another way to get your apps ready to run on Windows in S mode.
 ## Related links
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 15954efa93..ba129003a6 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -44,7 +44,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op
 |Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.|
 |Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. |
 |Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
    - Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
    - Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. |
-|Feedback | - This helps us make adjustments to features as quickly as possible.
    - Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
    - [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) |
+|Feedback | - This helps us make adjustments to features as quickly as possible.
    - Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
    - [Learn how to provide effective feedback in the Feedback Hub](/windows-insider/feedback) |
 ## Validate Insider Preview builds
 Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits:
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index c73105ae1b..5504be6122 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -1,7 +1,7 @@
 ---
 title: How to check Windows release health
 description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption.
-ms.date: 08/16/2022
+ms.date: 05/03/2023
 ms.author: mstewart
 author: mestew
 manager: aaroncz
@@ -13,7 +13,7 @@ ms.technology: itpro-updates
 # How to check Windows release health
-The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization.
+The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that impacts Windows devices and that has been identified in a Windows monthly update or feature update. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization.
 If you're unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from signing into your tenant.
@@ -21,7 +21,7 @@ To be informed about the latest updates and releases, follow [@WindowsUpdate](ht
 ## How to review Windows release health information
-1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), and sign in with an administrator account.
+1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com) and sign in with an administrator account.
 > [!NOTE]
 > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles).
@@ -54,6 +54,21 @@ To be informed about the latest updates and releases, follow [@WindowsUpdate](ht
 ![A screenshot showing issue details.](images/WRH-known-issue-detail.png)
+## Sign up for email notifications
+
+You have the option to sign up for email notifications about Windows known issues and informational updates. Notifications include changes in issue status, new workarounds, and issue resolutions. To subscribe to notifications:
+
+1. Go to the [Windows release health page](https://admin.microsoft.com/Adminportal/Home?#/windowsreleasehealth).
+1. Select **Preferences** > **Email**, then select **Send me email notifications about Windows release health**.
+1. Specify the following information:
+ - Email address for the notifications
+ - Each admin account can specify up to two email addresses under their email preferences
+ - Windows versions to be notified about
+1. Select **Save** when you're finished specifying email addresses and Windows versions. It may take up to 8 hours for these changes to take effect.
+
+> [!Note]
+> When a single known issue affects multiple versions of Windows, you'll receive only one email notification, even if you've selected notifications for multiple versions. Duplicate emails won't be sent.
+
 ## Status definitions
 In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows:
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 14e8129982..4a20d28511 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -45,7 +45,7 @@ Keep security baselines current to help ensure that your environment is secure a There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately. -- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591). +- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593). - **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones. diff --git a/windows/deployment/update/images/ActionCenterXML.jpg b/windows/deployment/update/images/ActionCenterXML.jpg deleted file mode 100644 index b9832b2708..0000000000 Binary files a/windows/deployment/update/images/ActionCenterXML.jpg and /dev/null differ 
diff --git a/windows/deployment/update/images/AppsXML.jpg b/windows/deployment/update/images/AppsXML.jpg
deleted file mode 100644
index ecc1869bb5..0000000000
Binary files a/windows/deployment/update/images/AppsXML.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/AppsXML.png b/windows/deployment/update/images/AppsXML.png
deleted file mode 100644
index 3981543264..0000000000
Binary files a/windows/deployment/update/images/AppsXML.png and /dev/null differ
diff --git a/windows/deployment/update/images/ButtonsXML.jpg b/windows/deployment/update/images/ButtonsXML.jpg
deleted file mode 100644
index 238eca7e68..0000000000
Binary files a/windows/deployment/update/images/ButtonsXML.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/CSPRunnerXML.jpg b/windows/deployment/update/images/CSPRunnerXML.jpg
deleted file mode 100644
index 071b316a9e..0000000000
Binary files a/windows/deployment/update/images/CSPRunnerXML.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png
deleted file mode 100644
index 25793516c2..0000000000
Binary files a/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png and /dev/null differ
diff --git a/windows/deployment/update/images/CreateSolution-Part2-Create.png b/windows/deployment/update/images/CreateSolution-Part2-Create.png
deleted file mode 100644
index ec63f20402..0000000000
Binary files a/windows/deployment/update/images/CreateSolution-Part2-Create.png and /dev/null differ
diff --git a/windows/deployment/update/images/CreateSolution-Part3-Workspace.png b/windows/deployment/update/images/CreateSolution-Part3-Workspace.png
deleted file mode 100644
index 1d74aa39d0..0000000000
Binary files a/windows/deployment/update/images/CreateSolution-Part3-Workspace.png and /dev/null differ
diff --git a/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png
deleted file mode 100644
index 7a3129f467..0000000000
Binary files a/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png and /dev/null differ
diff --git a/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png
deleted file mode 100644
index c3cb382097..0000000000
Binary files a/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png and /dev/null differ
diff --git a/windows/deployment/update/images/DO-absolute-bandwidth.png b/windows/deployment/update/images/DO-absolute-bandwidth.png
deleted file mode 100644
index a13d5393e6..0000000000
Binary files a/windows/deployment/update/images/DO-absolute-bandwidth.png and /dev/null differ
diff --git a/windows/deployment/update/images/ICDstart-option.PNG b/windows/deployment/update/images/ICDstart-option.PNG
deleted file mode 100644
index 1ba49bb261..0000000000
Binary files a/windows/deployment/update/images/ICDstart-option.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/MenuItemsXML.png b/windows/deployment/update/images/MenuItemsXML.png
deleted file mode 100644
index cc681250bb..0000000000
Binary files a/windows/deployment/update/images/MenuItemsXML.png and /dev/null differ
diff --git a/windows/deployment/update/images/OMS-after-adding-solution.jpg b/windows/deployment/update/images/OMS-after-adding-solution.jpg
deleted file mode 100644
index f3a5d855ff..0000000000
Binary files a/windows/deployment/update/images/OMS-after-adding-solution.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/SAC_vid_crop.jpg b/windows/deployment/update/images/SAC_vid_crop.jpg
deleted file mode 100644
index 9d08215fc9..0000000000
Binary files a/windows/deployment/update/images/SAC_vid_crop.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/SettingsXML.png b/windows/deployment/update/images/SettingsXML.png
deleted file mode 100644
index 98a324bdea..0000000000
Binary files a/windows/deployment/update/images/SettingsXML.png and /dev/null differ
diff --git a/windows/deployment/update/images/StartGrid.jpg b/windows/deployment/update/images/StartGrid.jpg
deleted file mode 100644
index 36136f3201..0000000000
Binary files a/windows/deployment/update/images/StartGrid.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/StartGridPinnedApps.jpg b/windows/deployment/update/images/StartGridPinnedApps.jpg
deleted file mode 100644
index fbade52f53..0000000000
Binary files a/windows/deployment/update/images/StartGridPinnedApps.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/TilesXML.png b/windows/deployment/update/images/TilesXML.png
deleted file mode 100644
index cec52bbbf7..0000000000
Binary files a/windows/deployment/update/images/TilesXML.png and /dev/null differ
diff --git a/windows/deployment/update/images/WA-data-flow-v1.png b/windows/deployment/update/images/WA-data-flow-v1.png
deleted file mode 100644
index 072502b2c7..0000000000
Binary files a/windows/deployment/update/images/WA-data-flow-v1.png and /dev/null differ
diff --git a/windows/deployment/update/images/WA-device-enrollment.png b/windows/deployment/update/images/WA-device-enrollment.png
deleted file mode 100644
index 06408def68..0000000000
Binary files a/windows/deployment/update/images/WA-device-enrollment.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIP-detail.png b/windows/deployment/update/images/WIP-detail.png
deleted file mode 100644
index 96b0a90280..0000000000
Binary files a/windows/deployment/update/images/WIP-detail.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIP.png b/windows/deployment/update/images/WIP.png
deleted file mode 100644
index ee7f30c014..0000000000
Binary files a/windows/deployment/update/images/WIP.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIP2-sterile.png b/windows/deployment/update/images/WIP2-sterile.png
deleted file mode 100644
index 7cc35cde75..0000000000
Binary files a/windows/deployment/update/images/WIP2-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIP2.PNG b/windows/deployment/update/images/WIP2.PNG
deleted file mode 100644
index 87255177e0..0000000000
Binary files a/windows/deployment/update/images/WIP2.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/WIP4Biz_Prompts.png b/windows/deployment/update/images/WIP4Biz_Prompts.png
deleted file mode 100644
index 37acadde3a..0000000000
Binary files a/windows/deployment/update/images/WIP4Biz_Prompts.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png b/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png
deleted file mode 100644
index d093eff951..0000000000
Binary files a/windows/deployment/update/images/WIPNEW1-chart-selected-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIPNEW1.PNG b/windows/deployment/update/images/WIPNEW1.PNG
deleted file mode 100644
index 29e14d5411..0000000000
Binary files a/windows/deployment/update/images/WIPNEW1.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/WIPNEW2-sterile.png b/windows/deployment/update/images/WIPNEW2-sterile.png
deleted file mode 100644
index 1ee1148c8f..0000000000
Binary files a/windows/deployment/update/images/WIPNEW2-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIPNEW2.PNG b/windows/deployment/update/images/WIPNEW2.PNG
deleted file mode 100644
index af7a8c84b7..0000000000
Binary files a/windows/deployment/update/images/WIPNEW2.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN-sterile.png b/windows/deployment/update/images/WIPNEWMAIN-sterile.png
deleted file mode 100644
index a210aa9ed1..0000000000
Binary files a/windows/deployment/update/images/WIPNEWMAIN-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIPNEWMAIN.PNG b/windows/deployment/update/images/WIPNEWMAIN.PNG
deleted file mode 100644
index b56da2b409..0000000000
Binary files a/windows/deployment/update/images/WIPNEWMAIN.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/WIPappID-sterile.png b/windows/deployment/update/images/WIPappID-sterile.png
deleted file mode 100644
index e7b5ae5571..0000000000
Binary files a/windows/deployment/update/images/WIPappID-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/WIPappID.PNG b/windows/deployment/update/images/WIPappID.PNG
deleted file mode 100644
index 49ea2bc99c..0000000000
Binary files a/windows/deployment/update/images/WIPappID.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/WIPmain.PNG b/windows/deployment/update/images/WIPmain.PNG
deleted file mode 100644
index adb905255d..0000000000
Binary files a/windows/deployment/update/images/WIPmain.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/WRH-message-history-example.png b/windows/deployment/update/images/WRH-message-history-example.png
deleted file mode 100644
index 1aa35aca9b..0000000000
Binary files a/windows/deployment/update/images/WRH-message-history-example.png and /dev/null differ
diff --git a/windows/deployment/update/images/WRH-view-message-history.png b/windows/deployment/update/images/WRH-view-message-history.png
deleted file mode 100644
index 20b85e33c0..0000000000
Binary files a/windows/deployment/update/images/WRH-view-message-history.png and /dev/null differ
diff --git a/windows/deployment/update/images/admin-tools-folder.png b/windows/deployment/update/images/admin-tools-folder.png
deleted file mode 100644
index 4831204f73..0000000000
Binary files a/windows/deployment/update/images/admin-tools-folder.png and /dev/null differ
diff --git a/windows/deployment/update/images/admin-tools.png b/windows/deployment/update/images/admin-tools.png
deleted file mode 100644
index 1470cffdd5..0000000000
Binary files a/windows/deployment/update/images/admin-tools.png and /dev/null differ
diff --git a/windows/deployment/update/images/allow-rdp.png b/windows/deployment/update/images/allow-rdp.png
deleted file mode 100644
index 55c13b53bc..0000000000
Binary files a/windows/deployment/update/images/allow-rdp.png and /dev/null differ
diff --git a/windows/deployment/update/images/analytics-architecture.png b/windows/deployment/update/images/analytics-architecture.png
deleted file mode 100644
index 1b537c1c9b..0000000000
Binary files a/windows/deployment/update/images/analytics-architecture.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-detail.png b/windows/deployment/update/images/app-detail.png
deleted file mode 100644
index c06ced4864..0000000000
Binary files a/windows/deployment/update/images/app-detail.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-health-dashboard.png b/windows/deployment/update/images/app-health-dashboard.png
deleted file mode 100644
index d8daee44ed..0000000000
Binary files a/windows/deployment/update/images/app-health-dashboard.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-reliability-app-OS-version.png b/windows/deployment/update/images/app-reliability-app-OS-version.png
deleted file mode 100644
index c281dcc316..0000000000
Binary files a/windows/deployment/update/images/app-reliability-app-OS-version.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-reliability-app-detail.png b/windows/deployment/update/images/app-reliability-app-detail.png
deleted file mode 100644
index 8c402bb91f..0000000000
Binary files a/windows/deployment/update/images/app-reliability-app-detail.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-reliability-event-history.png b/windows/deployment/update/images/app-reliability-event-history.png
deleted file mode 100644
index f28ab02908..0000000000
Binary files a/windows/deployment/update/images/app-reliability-event-history.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-reliability-main.png b/windows/deployment/update/images/app-reliability-main.png
deleted file mode 100644
index abbcc72690..0000000000
Binary files a/windows/deployment/update/images/app-reliability-main.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-reliability-tab.png b/windows/deployment/update/images/app-reliability-tab.png
deleted file mode 100644
index 17eae401f4..0000000000
Binary files a/windows/deployment/update/images/app-reliability-tab.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-reliability-trend-view.png b/windows/deployment/update/images/app-reliability-trend-view.png
deleted file mode 100644
index 2d26df93d3..0000000000
Binary files a/windows/deployment/update/images/app-reliability-trend-view.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-reliability.png b/windows/deployment/update/images/app-reliability.png
deleted file mode 100644
index 47ecf49431..0000000000
Binary files a/windows/deployment/update/images/app-reliability.png and /dev/null differ
diff --git a/windows/deployment/update/images/app-v-in-adk.png b/windows/deployment/update/images/app-v-in-adk.png
deleted file mode 100644
index a36ef9f00f..0000000000
Binary files a/windows/deployment/update/images/app-v-in-adk.png and /dev/null differ
diff --git a/windows/deployment/update/images/apprule.png b/windows/deployment/update/images/apprule.png
deleted file mode 100644
index ec5417849a..0000000000
Binary files a/windows/deployment/update/images/apprule.png and /dev/null differ
diff --git a/windows/deployment/update/images/appwarning.png b/windows/deployment/update/images/appwarning.png
deleted file mode 100644
index 877d8afebd..0000000000
Binary files a/windows/deployment/update/images/appwarning.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG b/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG
deleted file mode 100644
index cd44ab666c..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LA-wkspcsumm.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png b/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png
deleted file mode 100644
index 9308673481..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LA-wkspcsumm_sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAfav.PNG b/windows/deployment/update/images/azure-portal-LAfav.PNG
deleted file mode 100644
index 8ad9f63fd0..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAfav.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAfav1.png b/windows/deployment/update/images/azure-portal-LAfav1.png
deleted file mode 100644
index 1c01cc7509..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAfav1.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAmain-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-sterile.png
deleted file mode 100644
index 1cdeffa2b7..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAmain-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png b/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png
deleted file mode 100644
index afdfbb2d21..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAmain-wkspc-subname-sterile.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAmain.PNG b/windows/deployment/update/images/azure-portal-LAmain.PNG
deleted file mode 100644
index 1cebfa9b8c..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAmain.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-LAsearch.PNG b/windows/deployment/update/images/azure-portal-LAsearch.PNG
deleted file mode 100644
index 1d446241d5..0000000000
Binary files a/windows/deployment/update/images/azure-portal-LAsearch.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-UR-settings.png b/windows/deployment/update/images/azure-portal-UR-settings.png
deleted file mode 100644
index 67ace993e8..0000000000
Binary files a/windows/deployment/update/images/azure-portal-UR-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-create-resource-boxes.png b/windows/deployment/update/images/azure-portal-create-resource-boxes.png
deleted file mode 100644
index b15bec2265..0000000000
Binary files a/windows/deployment/update/images/azure-portal-create-resource-boxes.png and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal-create-resource.PNG b/windows/deployment/update/images/azure-portal-create-resource.PNG
deleted file mode 100644
index 0f1b962e07..0000000000
Binary files a/windows/deployment/update/images/azure-portal-create-resource.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal1.PNG b/windows/deployment/update/images/azure-portal1.PNG
deleted file mode 100644
index f4c2aff38a..0000000000
Binary files a/windows/deployment/update/images/azure-portal1.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/azure-portal1_allserv.png b/windows/deployment/update/images/azure-portal1_allserv.png
deleted file mode 100644
index 63e1bcbad3..0000000000
Binary files a/windows/deployment/update/images/azure-portal1_allserv.png and /dev/null differ
diff --git a/windows/deployment/update/images/backicon.png b/windows/deployment/update/images/backicon.png
deleted file mode 100644
index 3007e448b1..0000000000
Binary files a/windows/deployment/update/images/backicon.png and /dev/null differ
diff --git a/windows/deployment/update/images/champs.png b/windows/deployment/update/images/champs.png
deleted file mode 100644
index ea719bc251..0000000000
Binary files a/windows/deployment/update/images/champs.png and /dev/null differ
diff --git a/windows/deployment/update/images/checklistbox.gif b/windows/deployment/update/images/checklistbox.gif
deleted file mode 100644
index cbcf4a4f11..0000000000
Binary files a/windows/deployment/update/images/checklistbox.gif and /dev/null differ
diff --git a/windows/deployment/update/images/choose-package.png b/windows/deployment/update/images/choose-package.png
deleted file mode 100644
index 2bf7a18648..0000000000
Binary files a/windows/deployment/update/images/choose-package.png and /dev/null differ
diff --git a/windows/deployment/update/images/config-policy.png b/windows/deployment/update/images/config-policy.png
deleted file mode 100644
index b9cba70af6..0000000000
Binary files a/windows/deployment/update/images/config-policy.png and /dev/null differ
diff --git a/windows/deployment/update/images/config-source.png b/windows/deployment/update/images/config-source.png
deleted file mode 100644
index 58938bacf7..0000000000
Binary files a/windows/deployment/update/images/config-source.png and /dev/null differ
diff --git a/windows/deployment/update/images/configconflict.png b/windows/deployment/update/images/configconflict.png
deleted file mode 100644
index 011a2d76e7..0000000000
Binary files a/windows/deployment/update/images/configconflict.png and /dev/null differ
diff --git a/windows/deployment/update/images/connect-aad.png b/windows/deployment/update/images/connect-aad.png
deleted file mode 100644
index 8583866165..0000000000
Binary files a/windows/deployment/update/images/connect-aad.png and /dev/null differ
diff --git a/windows/deployment/update/images/copy-to-change.png b/windows/deployment/update/images/copy-to-change.png
deleted file mode 100644
index 21aa250c0c..0000000000
Binary files a/windows/deployment/update/images/copy-to-change.png and /dev/null differ
diff --git a/windows/deployment/update/images/copy-to-path.png b/windows/deployment/update/images/copy-to-path.png
deleted file mode 100644
index 1ef00fc86b..0000000000
Binary files a/windows/deployment/update/images/copy-to-path.png and /dev/null differ
diff --git a/windows/deployment/update/images/copy-to.PNG b/windows/deployment/update/images/copy-to.PNG
deleted file mode 100644
index dad84cedc8..0000000000
Binary files a/windows/deployment/update/images/copy-to.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-about-me.png b/windows/deployment/update/images/cortana-about-me.png
deleted file mode 100644
index 32c1ccefab..0000000000
Binary files a/windows/deployment/update/images/cortana-about-me.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-add-reminder.png b/windows/deployment/update/images/cortana-add-reminder.png
deleted file mode 100644
index 3f03528e11..0000000000
Binary files a/windows/deployment/update/images/cortana-add-reminder.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-chicago-weather.png b/windows/deployment/update/images/cortana-chicago-weather.png
deleted file mode 100644
index 9273bf201b..0000000000
Binary files a/windows/deployment/update/images/cortana-chicago-weather.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png b/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png
deleted file mode 100644
index 3238c8d31d..0000000000
Binary files a/windows/deployment/update/images/cortana-complete-send-email-coworker-mic.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-connect-crm.png b/windows/deployment/update/images/cortana-connect-crm.png
deleted file mode 100644
index c70c42f75e..0000000000
Binary files a/windows/deployment/update/images/cortana-connect-crm.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-connect-o365.png b/windows/deployment/update/images/cortana-connect-o365.png
deleted file mode 100644
index df1ffa449b..0000000000
Binary files a/windows/deployment/update/images/cortana-connect-o365.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-connect-uber.png b/windows/deployment/update/images/cortana-connect-uber.png
deleted file mode 100644
index 724fecb5b5..0000000000
Binary files a/windows/deployment/update/images/cortana-connect-uber.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-crm-screen.png b/windows/deployment/update/images/cortana-crm-screen.png
deleted file mode 100644
index ded5d80a59..0000000000
Binary files a/windows/deployment/update/images/cortana-crm-screen.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-feedback.png b/windows/deployment/update/images/cortana-feedback.png
deleted file mode 100644
index 6e14018c98..0000000000
Binary files a/windows/deployment/update/images/cortana-feedback.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-final-reminder.png b/windows/deployment/update/images/cortana-final-reminder.png
deleted file mode 100644
index f114e058e5..0000000000
Binary files a/windows/deployment/update/images/cortana-final-reminder.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-meeting-specific-time.png b/windows/deployment/update/images/cortana-meeting-specific-time.png
deleted file mode 100644
index a108355133..0000000000
Binary files a/windows/deployment/update/images/cortana-meeting-specific-time.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-meeting-tomorrow.png b/windows/deployment/update/images/cortana-meeting-tomorrow.png
deleted file mode 100644
index 13273b6600..0000000000
Binary files a/windows/deployment/update/images/cortana-meeting-tomorrow.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-newyork-weather.png b/windows/deployment/update/images/cortana-newyork-weather.png
deleted file mode 100644
index b3879737be..0000000000
Binary files a/windows/deployment/update/images/cortana-newyork-weather.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-o365-screen.png b/windows/deployment/update/images/cortana-o365-screen.png
deleted file mode 100644
index ba06dd6de5..0000000000
Binary files a/windows/deployment/update/images/cortana-o365-screen.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-place-reminder.png b/windows/deployment/update/images/cortana-place-reminder.png
deleted file mode 100644
index 89ccdab3e3..0000000000
Binary files a/windows/deployment/update/images/cortana-place-reminder.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-create-report.png b/windows/deployment/update/images/cortana-powerbi-create-report.png
deleted file mode 100644
index a22789d72a..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-create-report.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-expand-nav.png b/windows/deployment/update/images/cortana-powerbi-expand-nav.png
deleted file mode 100644
index c8b47943f9..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-expand-nav.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-field-selection.png b/windows/deployment/update/images/cortana-powerbi-field-selection.png
deleted file mode 100644
index 8aef58c23a..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-field-selection.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-getdata-samples.png b/windows/deployment/update/images/cortana-powerbi-getdata-samples.png
deleted file mode 100644
index 3bfa4792df..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-getdata-samples.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-getdata.png b/windows/deployment/update/images/cortana-powerbi-getdata.png
deleted file mode 100644
index 55b7b61589..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-getdata.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-myreport.png b/windows/deployment/update/images/cortana-powerbi-myreport.png
deleted file mode 100644
index cc04d9c6f0..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-myreport.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-pagesize.png b/windows/deployment/update/images/cortana-powerbi-pagesize.png
deleted file mode 100644
index fd1c1ef917..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-pagesize.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-report-qna.png b/windows/deployment/update/images/cortana-powerbi-report-qna.png
deleted file mode 100644
index d17949aa8a..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-report-qna.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png
deleted file mode 100644
index 5b94a2e2fc..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dashboard.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png
deleted file mode 100644
index b2ffec3b70..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-dataset.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png b/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png
deleted file mode 100644
index e3b61dcaa2..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-retail-analysis-sample.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-search.png b/windows/deployment/update/images/cortana-powerbi-search.png
deleted file mode 100644
index 88a8b40296..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-search.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-powerbi-settings.png b/windows/deployment/update/images/cortana-powerbi-settings.png
deleted file mode 100644
index 0f51229895..0000000000
Binary files a/windows/deployment/update/images/cortana-powerbi-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-redmond-weather.png b/windows/deployment/update/images/cortana-redmond-weather.png
deleted file mode 100644
index 7e8adc1929..0000000000
Binary files a/windows/deployment/update/images/cortana-redmond-weather.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-edit.png b/windows/deployment/update/images/cortana-reminder-edit.png
deleted file mode 100644
index 79cc280947..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-edit.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-list.png b/windows/deployment/update/images/cortana-reminder-list.png
deleted file mode 100644
index 1f57fc0f05..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-list.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-mic.png b/windows/deployment/update/images/cortana-reminder-mic.png
deleted file mode 100644
index 46a18e8e0b..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-mic.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-pending-mic.png b/windows/deployment/update/images/cortana-reminder-pending-mic.png
deleted file mode 100644
index 159d408e0a..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-pending-mic.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-reminder-pending.png b/windows/deployment/update/images/cortana-reminder-pending.png
deleted file mode 100644
index a6b64b5621..0000000000
Binary files a/windows/deployment/update/images/cortana-reminder-pending.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-send-email-coworker-mic.png b/windows/deployment/update/images/cortana-send-email-coworker-mic.png
deleted file mode 100644
index 0cfa8fb731..0000000000
Binary files a/windows/deployment/update/images/cortana-send-email-coworker-mic.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-send-email-coworker.png b/windows/deployment/update/images/cortana-send-email-coworker.png
deleted file mode 100644
index 40ce18bdca..0000000000
Binary files a/windows/deployment/update/images/cortana-send-email-coworker.png and /dev/null differ
diff --git a/windows/deployment/update/images/cortana-weather-multipanel.png b/windows/deployment/update/images/cortana-weather-multipanel.png deleted file mode 100644 index e8db031744..0000000000 Binary files a/windows/deployment/update/images/cortana-weather-multipanel.png and /dev/null differ diff --git a/windows/deployment/update/images/crash-hang-detail.png b/windows/deployment/update/images/crash-hang-detail.png deleted file mode 100644 index 3a6447329c..0000000000 Binary files a/windows/deployment/update/images/crash-hang-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/csp-placeholder.png b/windows/deployment/update/images/csp-placeholder.png deleted file mode 100644 index fe6bcf4720..0000000000 Binary files a/windows/deployment/update/images/csp-placeholder.png and /dev/null differ diff --git a/windows/deployment/update/images/cspinicd.png b/windows/deployment/update/images/cspinicd.png deleted file mode 100644 index a60ad9e2bf..0000000000 Binary files a/windows/deployment/update/images/cspinicd.png and /dev/null differ diff --git a/windows/deployment/update/images/csptable.png b/windows/deployment/update/images/csptable.png deleted file mode 100644 index ee210cad69..0000000000 Binary files a/windows/deployment/update/images/csptable.png and /dev/null differ diff --git a/windows/deployment/update/images/deploymentworkflow.png b/windows/deployment/update/images/deploymentworkflow.png deleted file mode 100644 index b665a0bfea..0000000000 Binary files a/windows/deployment/update/images/deploymentworkflow.png and /dev/null differ diff --git a/windows/deployment/update/images/dev-health-main-tile-sterile.png b/windows/deployment/update/images/dev-health-main-tile-sterile.png deleted file mode 100644 index afe19b622e..0000000000 Binary files a/windows/deployment/update/images/dev-health-main-tile-sterile.png and /dev/null differ 
diff --git a/windows/deployment/update/images/dev-health-main-tile.png b/windows/deployment/update/images/dev-health-main-tile.png deleted file mode 100644 index 850b558512..0000000000 Binary files a/windows/deployment/update/images/dev-health-main-tile.png and /dev/null differ diff --git a/windows/deployment/update/images/device-crash-history.png b/windows/deployment/update/images/device-crash-history.png deleted file mode 100644 index 69f98f1d67..0000000000 Binary files a/windows/deployment/update/images/device-crash-history.png and /dev/null differ diff --git a/windows/deployment/update/images/device-crash-history2-sterile.png b/windows/deployment/update/images/device-crash-history2-sterile.png deleted file mode 100644 index e5a70f2d7d..0000000000 Binary files a/windows/deployment/update/images/device-crash-history2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/device-crash-history2.PNG b/windows/deployment/update/images/device-crash-history2.PNG deleted file mode 100644 index 646afb4091..0000000000 Binary files a/windows/deployment/update/images/device-crash-history2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability-crash-count.png b/windows/deployment/update/images/device-reliability-crash-count.png deleted file mode 100644 index 7dd0a2d660..0000000000 Binary files a/windows/deployment/update/images/device-reliability-crash-count.png and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability-device-count.png b/windows/deployment/update/images/device-reliability-device-count.png deleted file mode 100644 index ba937d49e9..0000000000 Binary files a/windows/deployment/update/images/device-reliability-device-count.png and /dev/null differ 
diff --git a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png b/windows/deployment/update/images/device-reliability-event1001-PSoutput.png deleted file mode 100644 index 323e0e3878..0000000000 Binary files a/windows/deployment/update/images/device-reliability-event1001-PSoutput.png and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability.png b/windows/deployment/update/images/device-reliability.png deleted file mode 100644 index af8bb1d247..0000000000 Binary files a/windows/deployment/update/images/device-reliability.png and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability2-sterile.png b/windows/deployment/update/images/device-reliability2-sterile.png deleted file mode 100644 index bff4878fa3..0000000000 Binary files a/windows/deployment/update/images/device-reliability2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/device-reliability2.PNG b/windows/deployment/update/images/device-reliability2.PNG deleted file mode 100644 index 9af6d971b0..0000000000 Binary files a/windows/deployment/update/images/device-reliability2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/doneicon.png b/windows/deployment/update/images/doneicon.png deleted file mode 100644 index d80389f35b..0000000000 Binary files a/windows/deployment/update/images/doneicon.png and /dev/null differ diff --git a/windows/deployment/update/images/driver-deeper-detail.png b/windows/deployment/update/images/driver-deeper-detail.png deleted file mode 100644 index 0437e555a1..0000000000 Binary files a/windows/deployment/update/images/driver-deeper-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/driver-detail-1-sterile.png b/windows/deployment/update/images/driver-detail-1-sterile.png deleted file mode 100644 index 03551d5783..0000000000 Binary files a/windows/deployment/update/images/driver-detail-1-sterile.png and /dev/null differ 
diff --git a/windows/deployment/update/images/driver-detail-1.PNG b/windows/deployment/update/images/driver-detail-1.PNG deleted file mode 100644 index deeb998493..0000000000 Binary files a/windows/deployment/update/images/driver-detail-1.PNG and /dev/null differ diff --git a/windows/deployment/update/images/driver-detail-2-sterile.png b/windows/deployment/update/images/driver-detail-2-sterile.png deleted file mode 100644 index 66023722b3..0000000000 Binary files a/windows/deployment/update/images/driver-detail-2-sterile.png and /dev/null differ diff --git a/windows/deployment/update/images/driver-detail-2.PNG b/windows/deployment/update/images/driver-detail-2.PNG deleted file mode 100644 index 71f16697f5..0000000000 Binary files a/windows/deployment/update/images/driver-detail-2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/driver-detail.png b/windows/deployment/update/images/driver-detail.png deleted file mode 100644 index ab391f5adb..0000000000 Binary files a/windows/deployment/update/images/driver-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/event_1001.png b/windows/deployment/update/images/event_1001.png deleted file mode 100644 index e4f4604c2b..0000000000 Binary files a/windows/deployment/update/images/event_1001.png and /dev/null differ diff --git a/windows/deployment/update/images/export-mgt-desktop.png b/windows/deployment/update/images/export-mgt-desktop.png deleted file mode 100644 index 13349c3b4e..0000000000 Binary files a/windows/deployment/update/images/export-mgt-desktop.png and /dev/null differ diff --git a/windows/deployment/update/images/export-mgt-mobile.png b/windows/deployment/update/images/export-mgt-mobile.png deleted file mode 100644 index 6a74c23e59..0000000000 Binary files a/windows/deployment/update/images/export-mgt-mobile.png and /dev/null differ 
diff --git a/windows/deployment/update/images/express-settings.png b/windows/deployment/update/images/express-settings.png deleted file mode 100644 index 99e9c4825a..0000000000 Binary files a/windows/deployment/update/images/express-settings.png and /dev/null differ diff --git a/windows/deployment/update/images/fig1-deferupgrades.png b/windows/deployment/update/images/fig1-deferupgrades.png deleted file mode 100644 index f8c52b943e..0000000000 Binary files a/windows/deployment/update/images/fig1-deferupgrades.png and /dev/null differ diff --git a/windows/deployment/update/images/fig2-deploymenttimeline.png b/windows/deployment/update/images/fig2-deploymenttimeline.png deleted file mode 100644 index a8061d2f15..0000000000 Binary files a/windows/deployment/update/images/fig2-deploymenttimeline.png and /dev/null differ diff --git a/windows/deployment/update/images/fig3-overlaprelease.png b/windows/deployment/update/images/fig3-overlaprelease.png deleted file mode 100644 index 58747a35cf..0000000000 Binary files a/windows/deployment/update/images/fig3-overlaprelease.png and /dev/null differ diff --git a/windows/deployment/update/images/funfacts.png b/windows/deployment/update/images/funfacts.png deleted file mode 100644 index 71355ec370..0000000000 Binary files a/windows/deployment/update/images/funfacts.png and /dev/null differ diff --git a/windows/deployment/update/images/genrule.png b/windows/deployment/update/images/genrule.png deleted file mode 100644 index 1d68f1ad0b..0000000000 Binary files a/windows/deployment/update/images/genrule.png and /dev/null differ diff --git a/windows/deployment/update/images/gp-branch.png b/windows/deployment/update/images/gp-branch.png deleted file mode 100644 index 997bcc830a..0000000000 Binary files a/windows/deployment/update/images/gp-branch.png and /dev/null differ 
diff --git a/windows/deployment/update/images/gp-exclude-drivers.png b/windows/deployment/update/images/gp-exclude-drivers.png deleted file mode 100644 index 0010749139..0000000000 Binary files a/windows/deployment/update/images/gp-exclude-drivers.png and /dev/null differ diff --git a/windows/deployment/update/images/gp-feature.png b/windows/deployment/update/images/gp-feature.png deleted file mode 100644 index b862d545d4..0000000000 Binary files a/windows/deployment/update/images/gp-feature.png and /dev/null differ diff --git a/windows/deployment/update/images/gp-quality.png b/windows/deployment/update/images/gp-quality.png deleted file mode 100644 index d7ff30172d..0000000000 Binary files a/windows/deployment/update/images/gp-quality.png and /dev/null differ diff --git a/windows/deployment/update/images/health-summary.png b/windows/deployment/update/images/health-summary.png deleted file mode 100644 index 906b0a2189..0000000000 Binary files a/windows/deployment/update/images/health-summary.png and /dev/null differ diff --git a/windows/deployment/update/images/icd-adv-shared-pc.PNG b/windows/deployment/update/images/icd-adv-shared-pc.PNG deleted file mode 100644 index a8da5fa78a..0000000000 Binary files a/windows/deployment/update/images/icd-adv-shared-pc.PNG and /dev/null differ diff --git a/windows/deployment/update/images/icd-school.PNG b/windows/deployment/update/images/icd-school.PNG deleted file mode 100644 index e6a944a193..0000000000 Binary files a/windows/deployment/update/images/icd-school.PNG and /dev/null differ diff --git a/windows/deployment/update/images/icd-simple.PNG b/windows/deployment/update/images/icd-simple.PNG deleted file mode 100644 index 7ae8a1728b..0000000000 Binary files a/windows/deployment/update/images/icd-simple.PNG and /dev/null differ 
diff --git a/windows/deployment/update/images/icdbrowse.png b/windows/deployment/update/images/icdbrowse.png deleted file mode 100644 index 53c91074c7..0000000000 Binary files a/windows/deployment/update/images/icdbrowse.png and /dev/null differ diff --git a/windows/deployment/update/images/identitychoices.png b/windows/deployment/update/images/identitychoices.png deleted file mode 100644 index 9a69c04f20..0000000000 Binary files a/windows/deployment/update/images/identitychoices.png and /dev/null differ diff --git a/windows/deployment/update/images/ignite-land.jpg b/windows/deployment/update/images/ignite-land.jpg deleted file mode 100644 index 7d0837af47..0000000000 Binary files a/windows/deployment/update/images/ignite-land.jpg and /dev/null differ diff --git a/windows/deployment/update/images/launchicon.png b/windows/deployment/update/images/launchicon.png deleted file mode 100644 index d469c68a2c..0000000000 Binary files a/windows/deployment/update/images/launchicon.png and /dev/null differ diff --git a/windows/deployment/update/images/license-terms.png b/windows/deployment/update/images/license-terms.png deleted file mode 100644 index 8dd34b0a18..0000000000 Binary files a/windows/deployment/update/images/license-terms.png and /dev/null differ diff --git a/windows/deployment/update/images/lockdownapps.png b/windows/deployment/update/images/lockdownapps.png deleted file mode 100644 index ad928d87bc..0000000000 Binary files a/windows/deployment/update/images/lockdownapps.png and /dev/null differ diff --git a/windows/deployment/update/images/lockscreen.png b/windows/deployment/update/images/lockscreen.png deleted file mode 100644 index 68c64e15ec..0000000000 Binary files a/windows/deployment/update/images/lockscreen.png and /dev/null differ 
diff --git a/windows/deployment/update/images/lockscreenpolicy.png b/windows/deployment/update/images/lockscreenpolicy.png deleted file mode 100644 index 30b6a7ae9d..0000000000 Binary files a/windows/deployment/update/images/lockscreenpolicy.png and /dev/null differ diff --git a/windows/deployment/update/images/login-health-detail-faillure.png b/windows/deployment/update/images/login-health-detail-faillure.png deleted file mode 100644 index 10b59a01d0..0000000000 Binary files a/windows/deployment/update/images/login-health-detail-faillure.png and /dev/null differ diff --git a/windows/deployment/update/images/login-health-detail-failure.png b/windows/deployment/update/images/login-health-detail-failure.png deleted file mode 100644 index 76865225a1..0000000000 Binary files a/windows/deployment/update/images/login-health-detail-failure.png and /dev/null differ diff --git a/windows/deployment/update/images/login-health-detail.png b/windows/deployment/update/images/login-health-detail.png deleted file mode 100644 index 45867cefc5..0000000000 Binary files a/windows/deployment/update/images/login-health-detail.png and /dev/null differ diff --git a/windows/deployment/update/images/login-health.png b/windows/deployment/update/images/login-health.png deleted file mode 100644 index e250351fb5..0000000000 Binary files a/windows/deployment/update/images/login-health.png and /dev/null differ diff --git a/windows/deployment/update/images/mdm-diag-report-powershell.PNG b/windows/deployment/update/images/mdm-diag-report-powershell.PNG deleted file mode 100644 index 86f5b49211..0000000000 Binary files a/windows/deployment/update/images/mdm-diag-report-powershell.PNG and /dev/null differ diff --git a/windows/deployment/update/images/mdm.png b/windows/deployment/update/images/mdm.png deleted file mode 100644 index 8ebcc00526..0000000000 Binary files a/windows/deployment/update/images/mdm.png and /dev/null differ 
diff --git a/windows/deployment/update/images/mobile-start-layout.png b/windows/deployment/update/images/mobile-start-layout.png deleted file mode 100644 index d1055d6c87..0000000000 Binary files a/windows/deployment/update/images/mobile-start-layout.png and /dev/null differ diff --git a/windows/deployment/update/images/oma-uri-shared-pc.png b/windows/deployment/update/images/oma-uri-shared-pc.png deleted file mode 100644 index 68f9fa3b32..0000000000 Binary files a/windows/deployment/update/images/oma-uri-shared-pc.png and /dev/null differ diff --git a/windows/deployment/update/images/oobe.jpg b/windows/deployment/update/images/oobe.jpg deleted file mode 100644 index 53a5dab6bf..0000000000 Binary files a/windows/deployment/update/images/oobe.jpg and /dev/null differ diff --git a/windows/deployment/update/images/outdated_incomplete.png b/windows/deployment/update/images/outdated_incomplete.png deleted file mode 100644 index 61d9343b05..0000000000 Binary files a/windows/deployment/update/images/outdated_incomplete.png and /dev/null differ diff --git a/windows/deployment/update/images/outdated_outdated.png b/windows/deployment/update/images/outdated_outdated.png deleted file mode 100644 index 761d9066c2..0000000000 Binary files a/windows/deployment/update/images/outdated_outdated.png and /dev/null differ diff --git a/windows/deployment/update/images/package.png b/windows/deployment/update/images/package.png deleted file mode 100644 index f5e975e3e9..0000000000 Binary files a/windows/deployment/update/images/package.png and /dev/null differ diff --git a/windows/deployment/update/images/packageaddfileandregistrydata-global.png b/windows/deployment/update/images/packageaddfileandregistrydata-global.png deleted file mode 100644 index 775e290a36..0000000000 Binary files a/windows/deployment/update/images/packageaddfileandregistrydata-global.png and /dev/null differ 
diff --git a/windows/deployment/update/images/packageaddfileandregistrydata-stream.png b/windows/deployment/update/images/packageaddfileandregistrydata-stream.png deleted file mode 100644 index 0e1205c62b..0000000000 Binary files a/windows/deployment/update/images/packageaddfileandregistrydata-stream.png and /dev/null differ diff --git a/windows/deployment/update/images/packageaddfileandregistrydata.png b/windows/deployment/update/images/packageaddfileandregistrydata.png deleted file mode 100644 index 603420e627..0000000000 Binary files a/windows/deployment/update/images/packageaddfileandregistrydata.png and /dev/null differ diff --git a/windows/deployment/update/images/phoneprovision.png b/windows/deployment/update/images/phoneprovision.png deleted file mode 100644 index 01ada29ac9..0000000000 Binary files a/windows/deployment/update/images/phoneprovision.png and /dev/null differ diff --git a/windows/deployment/update/images/policytocsp.png b/windows/deployment/update/images/policytocsp.png deleted file mode 100644 index 80ca76cb62..0000000000 Binary files a/windows/deployment/update/images/policytocsp.png and /dev/null differ diff --git a/windows/deployment/update/images/powericon.png b/windows/deployment/update/images/powericon.png deleted file mode 100644 index b497ff859d..0000000000 Binary files a/windows/deployment/update/images/powericon.png and /dev/null differ diff --git a/windows/deployment/update/images/priv-telemetry-levels.png b/windows/deployment/update/images/priv-telemetry-levels.png deleted file mode 100644 index 9581cee54d..0000000000 Binary files a/windows/deployment/update/images/priv-telemetry-levels.png and /dev/null differ diff --git a/windows/deployment/update/images/prov.jpg b/windows/deployment/update/images/prov.jpg deleted file mode 100644 index 1593ccb36b..0000000000 Binary files a/windows/deployment/update/images/prov.jpg and /dev/null differ 
diff --git a/windows/deployment/update/images/provisioning-csp-assignedaccess.png b/windows/deployment/update/images/provisioning-csp-assignedaccess.png deleted file mode 100644 index 14d49cdd89..0000000000 Binary files a/windows/deployment/update/images/provisioning-csp-assignedaccess.png and /dev/null differ diff --git a/windows/deployment/update/images/rapid-calendar.png b/windows/deployment/update/images/rapid-calendar.png deleted file mode 100644 index b088cbbf5b..0000000000 Binary files a/windows/deployment/update/images/rapid-calendar.png and /dev/null differ diff --git a/windows/deployment/update/images/rdp.png b/windows/deployment/update/images/rdp.png deleted file mode 100644 index ac088d0b06..0000000000 Binary files a/windows/deployment/update/images/rdp.png and /dev/null differ diff --git a/windows/deployment/update/images/reliability-perspective.png b/windows/deployment/update/images/reliability-perspective.png deleted file mode 100644 index 58e812dafa..0000000000 Binary files a/windows/deployment/update/images/reliability-perspective.png and /dev/null differ diff --git a/windows/deployment/update/images/reliability-perspective2.PNG b/windows/deployment/update/images/reliability-perspective2.PNG deleted file mode 100644 index 978cacc4f5..0000000000 Binary files a/windows/deployment/update/images/reliability-perspective2.PNG and /dev/null differ diff --git a/windows/deployment/update/images/resetdevice.png b/windows/deployment/update/images/resetdevice.png deleted file mode 100644 index 4e265c3f8d..0000000000 Binary files a/windows/deployment/update/images/resetdevice.png and /dev/null differ diff --git a/windows/deployment/update/images/security-only-update.png b/windows/deployment/update/images/security-only-update.png deleted file mode 100644 index 9ed3d0f791..0000000000 Binary files a/windows/deployment/update/images/security-only-update.png and /dev/null differ 
diff --git a/windows/deployment/update/images/servicing-cadence.png b/windows/deployment/update/images/servicing-cadence.png deleted file mode 100644 index cb79ff70be..0000000000 Binary files a/windows/deployment/update/images/servicing-cadence.png and /dev/null differ diff --git a/windows/deployment/update/images/servicing-previews.png b/windows/deployment/update/images/servicing-previews.png deleted file mode 100644 index 0914b555ba..0000000000 Binary files a/windows/deployment/update/images/servicing-previews.png and /dev/null differ diff --git a/windows/deployment/update/images/settings-table.png b/windows/deployment/update/images/settings-table.png deleted file mode 100644 index ada56513fc..0000000000 Binary files a/windows/deployment/update/images/settings-table.png and /dev/null differ diff --git a/windows/deployment/update/images/settingsicon.png b/windows/deployment/update/images/settingsicon.png deleted file mode 100644 index 0ad27fc558..0000000000 Binary files a/windows/deployment/update/images/settingsicon.png and /dev/null differ diff --git a/windows/deployment/update/images/setupmsg.jpg b/windows/deployment/update/images/setupmsg.jpg deleted file mode 100644 index 12935483c5..0000000000 Binary files a/windows/deployment/update/images/setupmsg.jpg and /dev/null differ diff --git a/windows/deployment/update/images/sign-in-prov.png b/windows/deployment/update/images/sign-in-prov.png deleted file mode 100644 index 55c9276203..0000000000 Binary files a/windows/deployment/update/images/sign-in-prov.png and /dev/null differ diff --git a/windows/deployment/update/images/solution-bundle.png b/windows/deployment/update/images/solution-bundle.png deleted file mode 100644 index 70cec8d8f4..0000000000 Binary files a/windows/deployment/update/images/solution-bundle.png and /dev/null differ 
diff --git a/windows/deployment/update/images/spotlight.png b/windows/deployment/update/images/spotlight.png deleted file mode 100644 index 515269740b..0000000000 Binary files a/windows/deployment/update/images/spotlight.png and /dev/null differ diff --git a/windows/deployment/update/images/spotlight2.png b/windows/deployment/update/images/spotlight2.png deleted file mode 100644 index 27401c1a2b..0000000000 Binary files a/windows/deployment/update/images/spotlight2.png and /dev/null differ diff --git a/windows/deployment/update/images/start-pinned-app.png b/windows/deployment/update/images/start-pinned-app.png deleted file mode 100644 index e1e4a24a00..0000000000 Binary files a/windows/deployment/update/images/start-pinned-app.png and /dev/null differ diff --git a/windows/deployment/update/images/startannotated.png b/windows/deployment/update/images/startannotated.png deleted file mode 100644 index d46f3a70c2..0000000000 Binary files a/windows/deployment/update/images/startannotated.png and /dev/null differ diff --git a/windows/deployment/update/images/starticon.png b/windows/deployment/update/images/starticon.png deleted file mode 100644 index fa8cbdff10..0000000000 Binary files a/windows/deployment/update/images/starticon.png and /dev/null differ diff --git a/windows/deployment/update/images/startlayoutpolicy.jpg b/windows/deployment/update/images/startlayoutpolicy.jpg deleted file mode 100644 index d3c8d054fe..0000000000 Binary files a/windows/deployment/update/images/startlayoutpolicy.jpg and /dev/null differ diff --git a/windows/deployment/update/images/starttemplate.jpg b/windows/deployment/update/images/starttemplate.jpg deleted file mode 100644 index 900eed08c5..0000000000 Binary files a/windows/deployment/update/images/starttemplate.jpg and /dev/null differ 
diff --git a/windows/deployment/update/images/sysprep-error.png b/windows/deployment/update/images/sysprep-error.png deleted file mode 100644 index aa004efbb6..0000000000 Binary files a/windows/deployment/update/images/sysprep-error.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-blank.png b/windows/deployment/update/images/taskbar-blank.png deleted file mode 100644 index 185027f2fd..0000000000 Binary files a/windows/deployment/update/images/taskbar-blank.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-default-plus.png b/windows/deployment/update/images/taskbar-default-plus.png deleted file mode 100644 index 8afcebac09..0000000000 Binary files a/windows/deployment/update/images/taskbar-default-plus.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-default-removed.png b/windows/deployment/update/images/taskbar-default-removed.png deleted file mode 100644 index b3ff924e9f..0000000000 Binary files a/windows/deployment/update/images/taskbar-default-removed.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-default.png b/windows/deployment/update/images/taskbar-default.png deleted file mode 100644 index 41c6c72258..0000000000 Binary files a/windows/deployment/update/images/taskbar-default.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-generic.png b/windows/deployment/update/images/taskbar-generic.png deleted file mode 100644 index 6d47a6795a..0000000000 Binary files a/windows/deployment/update/images/taskbar-generic.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-region-defr.png b/windows/deployment/update/images/taskbar-region-defr.png deleted file mode 100644 index 6d707b16f4..0000000000 Binary files a/windows/deployment/update/images/taskbar-region-defr.png and /dev/null differ 
diff --git a/windows/deployment/update/images/taskbar-region-other.png b/windows/deployment/update/images/taskbar-region-other.png deleted file mode 100644 index fab367ef7a..0000000000 Binary files a/windows/deployment/update/images/taskbar-region-other.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbar-region-usuk.png b/windows/deployment/update/images/taskbar-region-usuk.png deleted file mode 100644 index 6bba65ee81..0000000000 Binary files a/windows/deployment/update/images/taskbar-region-usuk.png and /dev/null differ diff --git a/windows/deployment/update/images/taskbarSTARTERBLANK.png b/windows/deployment/update/images/taskbarSTARTERBLANK.png deleted file mode 100644 index e206bdc196..0000000000 Binary files a/windows/deployment/update/images/taskbarSTARTERBLANK.png and /dev/null differ diff --git a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png b/windows/deployment/update/images/temp-azure-portal-soltn-setting.png deleted file mode 100644 index 33175c7590..0000000000 Binary files a/windows/deployment/update/images/temp-azure-portal-soltn-setting.png and /dev/null differ diff --git a/windows/deployment/update/images/trust-package.png b/windows/deployment/update/images/trust-package.png deleted file mode 100644 index 8a293ea4da..0000000000 Binary files a/windows/deployment/update/images/trust-package.png and /dev/null differ diff --git a/windows/deployment/update/images/twain.png b/windows/deployment/update/images/twain.png deleted file mode 100644 index 53cd5eadc7..0000000000 Binary files a/windows/deployment/update/images/twain.png and /dev/null differ diff --git a/windows/deployment/update/images/uev-adk-select-uev-feature.png b/windows/deployment/update/images/uev-adk-select-uev-feature.png deleted file mode 100644 index 1556f115c0..0000000000 Binary files a/windows/deployment/update/images/uev-adk-select-uev-feature.png and /dev/null differ 
diff --git a/windows/deployment/update/images/uev-archdiagram.png b/windows/deployment/update/images/uev-archdiagram.png deleted file mode 100644 index eae098e666..0000000000 Binary files a/windows/deployment/update/images/uev-archdiagram.png and /dev/null differ diff --git a/windows/deployment/update/images/uev-checklist-box.gif b/windows/deployment/update/images/uev-checklist-box.gif deleted file mode 100644 index 8af13c51d1..0000000000 Binary files a/windows/deployment/update/images/uev-checklist-box.gif and /dev/null differ diff --git a/windows/deployment/update/images/uev-deployment-preparation.png b/windows/deployment/update/images/uev-deployment-preparation.png deleted file mode 100644 index b665a0bfea..0000000000 Binary files a/windows/deployment/update/images/uev-deployment-preparation.png and /dev/null differ diff --git a/windows/deployment/update/images/uev-generator-process.png b/windows/deployment/update/images/uev-generator-process.png deleted file mode 100644 index e16cedd0a7..0000000000 Binary files a/windows/deployment/update/images/uev-generator-process.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-assessment.png b/windows/deployment/update/images/update-compliance-wdav-assessment.png deleted file mode 100644 index 266c5b7210..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-assessment.png and /dev/null differ diff --git a/windows/deployment/update/images/update-compliance-wdav-overview.png b/windows/deployment/update/images/update-compliance-wdav-overview.png deleted file mode 100644 index 977478fb74..0000000000 Binary files a/windows/deployment/update/images/update-compliance-wdav-overview.png and /dev/null differ 
diff --git a/windows/deployment/update/images/update-compliance-wdav-prot-status.png b/windows/deployment/update/images/update-compliance-wdav-prot-status.png
deleted file mode 100644
index 2c6c355ca4..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-prot-status.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png b/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png
deleted file mode 100644
index 733bfb6ae7..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-query-not-assessed.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png
deleted file mode 100644
index d914960a7a..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-add-filter.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png b/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png
deleted file mode 100644
index 7d8021b02e..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-filter-apply.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-filter.png b/windows/deployment/update/images/update-compliance-wdav-status-filter.png
deleted file mode 100644
index cd500c2cb3..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-filter.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-log.png b/windows/deployment/update/images/update-compliance-wdav-status-log.png
deleted file mode 100644
index 30e2e2352f..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-log.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-status-query.png b/windows/deployment/update/images/update-compliance-wdav-status-query.png
deleted file mode 100644
index c7d1a436fe..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-status-query.png and /dev/null differ
diff --git a/windows/deployment/update/images/update-compliance-wdav-threat-status.png b/windows/deployment/update/images/update-compliance-wdav-threat-status.png
deleted file mode 100644
index ada9c09bbf..0000000000
Binary files a/windows/deployment/update/images/update-compliance-wdav-threat-status.png and /dev/null differ
diff --git a/windows/deployment/update/images/upgrade-analytics-unsubscribe.png b/windows/deployment/update/images/upgrade-analytics-unsubscribe.png
deleted file mode 100644
index 402db94d6f..0000000000
Binary files a/windows/deployment/update/images/upgrade-analytics-unsubscribe.png and /dev/null differ
diff --git a/windows/deployment/update/images/video-snip.PNG b/windows/deployment/update/images/video-snip.PNG
deleted file mode 100644
index 35317ee027..0000000000
Binary files a/windows/deployment/update/images/video-snip.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/w10servicing-f1-branches.png b/windows/deployment/update/images/w10servicing-f1-branches.png
deleted file mode 100644
index ac4a549aed..0000000000
Binary files a/windows/deployment/update/images/w10servicing-f1-branches.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-auto-update-policy.PNG b/windows/deployment/update/images/waas-auto-update-policy.PNG
deleted file mode 100644
index 52a1629cbf..0000000000
Binary files a/windows/deployment/update/images/waas-auto-update-policy.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/waas-do-fig1.png b/windows/deployment/update/images/waas-do-fig1.png
deleted file mode 100644
index 2a2b6872e9..0000000000
Binary files a/windows/deployment/update/images/waas-do-fig1.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-do-fig2.png b/windows/deployment/update/images/waas-do-fig2.png
deleted file mode 100644
index cc42b328eb..0000000000
Binary files a/windows/deployment/update/images/waas-do-fig2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-do-fig3.png b/windows/deployment/update/images/waas-do-fig3.png
deleted file mode 100644
index d9182d3b20..0000000000
Binary files a/windows/deployment/update/images/waas-do-fig3.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-do-fig4.png b/windows/deployment/update/images/waas-do-fig4.png
deleted file mode 100644
index a66741ed90..0000000000
Binary files a/windows/deployment/update/images/waas-do-fig4.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-mcc-diag-overview.png b/windows/deployment/update/images/waas-mcc-diag-overview.png
deleted file mode 100644
index bd5c4ee8d9..0000000000
Binary files a/windows/deployment/update/images/waas-mcc-diag-overview.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-overview-patch.png b/windows/deployment/update/images/waas-overview-patch.png
deleted file mode 100644
index 6ac0a03227..0000000000
Binary files a/windows/deployment/update/images/waas-overview-patch.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-restart-policy.PNG b/windows/deployment/update/images/waas-restart-policy.PNG
deleted file mode 100644
index 936f9aeb08..0000000000
Binary files a/windows/deployment/update/images/waas-restart-policy.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/waas-rings.png b/windows/deployment/update/images/waas-rings.png
deleted file mode 100644
index 041a59ce87..0000000000
Binary files a/windows/deployment/update/images/waas-rings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig1.png b/windows/deployment/update/images/waas-sccm-fig1.png
deleted file mode 100644
index 6bf2b1c621..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig1.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig10.png b/windows/deployment/update/images/waas-sccm-fig10.png
deleted file mode 100644
index ad3b5c922f..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig10.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig11.png b/windows/deployment/update/images/waas-sccm-fig11.png
deleted file mode 100644
index 6c4f905630..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig11.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig12.png b/windows/deployment/update/images/waas-sccm-fig12.png
deleted file mode 100644
index 87464dd5f1..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig12.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig2.png b/windows/deployment/update/images/waas-sccm-fig2.png
deleted file mode 100644
index c83e7bc781..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig3.png b/windows/deployment/update/images/waas-sccm-fig3.png
deleted file mode 100644
index dcbc83b8ff..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig3.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig4.png b/windows/deployment/update/images/waas-sccm-fig4.png
deleted file mode 100644
index 782c5ca6ef..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig4.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig5.png b/windows/deployment/update/images/waas-sccm-fig5.png
deleted file mode 100644
index cb399a6c6f..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig5.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig6.png b/windows/deployment/update/images/waas-sccm-fig6.png
deleted file mode 100644
index 77dd02d61e..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig6.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig7.png b/windows/deployment/update/images/waas-sccm-fig7.png
deleted file mode 100644
index a74c7c8133..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig7.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig8.png b/windows/deployment/update/images/waas-sccm-fig8.png
deleted file mode 100644
index 2dfaf75ddf..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig8.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-sccm-fig9.png b/windows/deployment/update/images/waas-sccm-fig9.png
deleted file mode 100644
index 311d79dc94..0000000000
Binary files a/windows/deployment/update/images/waas-sccm-fig9.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-strategy-fig1a.png b/windows/deployment/update/images/waas-strategy-fig1a.png
deleted file mode 100644
index 7a924c43bc..0000000000
Binary files a/windows/deployment/update/images/waas-strategy-fig1a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-classicaad.png b/windows/deployment/update/images/waas-wipfb-aad-classicaad.png
deleted file mode 100644
index 424f4bca0a..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-classicaad.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-classicenable.png b/windows/deployment/update/images/waas-wipfb-aad-classicenable.png
deleted file mode 100644
index 9cc78c2736..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-classicenable.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-consent.png b/windows/deployment/update/images/waas-wipfb-aad-consent.png
deleted file mode 100644
index aeb78e5ddf..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-consent.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-error.png b/windows/deployment/update/images/waas-wipfb-aad-error.png
deleted file mode 100644
index 83e6ca9974..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-error.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newaad.png b/windows/deployment/update/images/waas-wipfb-aad-newaad.png
deleted file mode 100644
index 87a6f5e750..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-newaad.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png b/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png
deleted file mode 100644
index 9da18db5d1..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-newdirectorybutton.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newenable.png b/windows/deployment/update/images/waas-wipfb-aad-newenable.png
deleted file mode 100644
index f9bbe57b26..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-newenable.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png b/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png
deleted file mode 100644
index ab28da5cbc..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-aad-newusersettings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-accounts.png b/windows/deployment/update/images/waas-wipfb-accounts.png
deleted file mode 100644
index 27387e3e7b..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-accounts.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-change-user.png b/windows/deployment/update/images/waas-wipfb-change-user.png
deleted file mode 100644
index bf6fe39beb..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-change-user.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-policy1.png b/windows/deployment/update/images/waas-wipfb-policy1.png
deleted file mode 100644
index 1fc89ecd2f..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-policy1.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wipfb-work-account.jpg b/windows/deployment/update/images/waas-wipfb-work-account.jpg
deleted file mode 100644
index 4b34385b18..0000000000
Binary files a/windows/deployment/update/images/waas-wipfb-work-account.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wsus-fig1.png b/windows/deployment/update/images/waas-wsus-fig1.png
deleted file mode 100644
index 14bf35958a..0000000000
Binary files a/windows/deployment/update/images/waas-wsus-fig1.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wsus-fig2.png b/windows/deployment/update/images/waas-wsus-fig2.png
deleted file mode 100644
index 167774a6c9..0000000000
Binary files a/windows/deployment/update/images/waas-wsus-fig2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-broad.png b/windows/deployment/update/images/waas-wufb-gp-broad.png
deleted file mode 100644
index 92b71c8936..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-broad.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png b/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png
deleted file mode 100644
index ae6ed4d856..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cb2-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cb2.png b/windows/deployment/update/images/waas-wufb-gp-cb2.png
deleted file mode 100644
index 006a8c02d3..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cb2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png
deleted file mode 100644
index c9e1029b8b..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb1-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png
deleted file mode 100644
index e5aff1cc89..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb2-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png b/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png
deleted file mode 100644
index 33a02165c6..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-cbb2q-settings.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-create.png b/windows/deployment/update/images/waas-wufb-gp-create.png
deleted file mode 100644
index d74eec4b2e..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-create.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-edit-defer.png b/windows/deployment/update/images/waas-wufb-gp-edit-defer.png
deleted file mode 100644
index c697b42ffd..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-edit-defer.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-edit.png b/windows/deployment/update/images/waas-wufb-gp-edit.png
deleted file mode 100644
index 1b8d21a175..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-edit.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png b/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png
deleted file mode 100644
index fcacdbea57..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-scope-cb2.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-gp-scope.png b/windows/deployment/update/images/waas-wufb-gp-scope.png
deleted file mode 100644
index a04d8194df..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-gp-scope.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-cb2a.png b/windows/deployment/update/images/waas-wufb-intune-cb2a.png
deleted file mode 100644
index 3e8c1ce19e..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-cb2a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-cbb1a.png b/windows/deployment/update/images/waas-wufb-intune-cbb1a.png
deleted file mode 100644
index bc394fe563..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-cbb1a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-cbb2a.png b/windows/deployment/update/images/waas-wufb-intune-cbb2a.png
deleted file mode 100644
index a980e0e43a..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-cbb2a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-step11a.png b/windows/deployment/update/images/waas-wufb-intune-step11a.png
deleted file mode 100644
index 7291484c93..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-step11a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-step19a.png b/windows/deployment/update/images/waas-wufb-intune-step19a.png
deleted file mode 100644
index de132abd28..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-step19a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-step2a.png b/windows/deployment/update/images/waas-wufb-intune-step2a.png
deleted file mode 100644
index 9a719b8fda..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-step2a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-intune-step7a.png b/windows/deployment/update/images/waas-wufb-intune-step7a.png
deleted file mode 100644
index daa96ba18c..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-intune-step7a.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-policy-pause.png b/windows/deployment/update/images/waas-wufb-policy-pause.png
deleted file mode 100644
index b8ea2c8df9..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-policy-pause.png and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-settings-defer.jpg b/windows/deployment/update/images/waas-wufb-settings-defer.jpg
deleted file mode 100644
index 5e6c58a101..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-settings-defer.jpg and /dev/null differ
diff --git a/windows/deployment/update/images/waas-wufb-update-compliance.png b/windows/deployment/update/images/waas-wufb-update-compliance.png
deleted file mode 100644
index 0c1bbaea7c..0000000000
Binary files a/windows/deployment/update/images/waas-wufb-update-compliance.png and /dev/null differ
diff --git a/windows/deployment/update/images/who-owns-pc.png b/windows/deployment/update/images/who-owns-pc.png
deleted file mode 100644
index d3ce1def8d..0000000000
Binary files a/windows/deployment/update/images/who-owns-pc.png and /dev/null differ
diff --git a/windows/deployment/update/images/wifisense-grouppolicy.png b/windows/deployment/update/images/wifisense-grouppolicy.png
deleted file mode 100644
index 1142d834bd..0000000000
Binary files a/windows/deployment/update/images/wifisense-grouppolicy.png and /dev/null differ
diff --git a/windows/deployment/update/images/wifisense-registry.png b/windows/deployment/update/images/wifisense-registry.png
deleted file mode 100644
index cbb1fa8347..0000000000
Binary files a/windows/deployment/update/images/wifisense-registry.png and /dev/null differ
diff --git a/windows/deployment/update/images/wifisense-settingscreens.png b/windows/deployment/update/images/wifisense-settingscreens.png
deleted file mode 100644
index cbb6903177..0000000000
Binary files a/windows/deployment/update/images/wifisense-settingscreens.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10-mobile-mdm-fig1.png b/windows/deployment/update/images/win10-mobile-mdm-fig1.png
deleted file mode 100644
index 6ddac1df99..0000000000
Binary files a/windows/deployment/update/images/win10-mobile-mdm-fig1.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png b/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png
deleted file mode 100644
index e4dc76b44f..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig2-featureupgrade.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig3.png b/windows/deployment/update/images/win10servicing-fig3.png
deleted file mode 100644
index 688f92b173..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig3.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png b/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png
deleted file mode 100644
index 961c8bebe2..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig4-upgradereleases.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig5.png b/windows/deployment/update/images/win10servicing-fig5.png
deleted file mode 100644
index dc4b2fc5b2..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig5.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig6.png b/windows/deployment/update/images/win10servicing-fig6.png
deleted file mode 100644
index 4cdc5f9c6f..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig6.png and /dev/null differ
diff --git a/windows/deployment/update/images/win10servicing-fig7.png b/windows/deployment/update/images/win10servicing-fig7.png
deleted file mode 100644
index 0a9a851449..0000000000
Binary files a/windows/deployment/update/images/win10servicing-fig7.png and /dev/null differ
diff --git a/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png b/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png
deleted file mode 100644
index 6121e93832..0000000000
Binary files a/windows/deployment/update/images/windows-10-management-cyod-byod-flow.png and /dev/null differ
diff --git a/windows/deployment/update/images/windows-10-management-gp-intune-flow.png b/windows/deployment/update/images/windows-10-management-gp-intune-flow.png
deleted file mode 100644
index c9e3f2ea31..0000000000
Binary files a/windows/deployment/update/images/windows-10-management-gp-intune-flow.png and /dev/null differ
diff --git a/windows/deployment/update/images/windows-10-management-range-of-options.png b/windows/deployment/update/images/windows-10-management-range-of-options.png
deleted file mode 100644
index e4de546709..0000000000
Binary files a/windows/deployment/update/images/windows-10-management-range-of-options.png and /dev/null differ
diff --git a/windows/deployment/update/images/windows-update-workflow.png b/windows/deployment/update/images/windows-update-workflow.png
deleted file mode 100644
index e597eaec2a..0000000000
Binary files a/windows/deployment/update/images/windows-update-workflow.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-distribute.png b/windows/deployment/update/images/wsfb-distribute.png
deleted file mode 100644
index d0482f6ebe..0000000000
Binary files a/windows/deployment/update/images/wsfb-distribute.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-firstrun.png b/windows/deployment/update/images/wsfb-firstrun.png
deleted file mode 100644
index 2673567a1e..0000000000
Binary files a/windows/deployment/update/images/wsfb-firstrun.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-inventory-viewlicense.png b/windows/deployment/update/images/wsfb-inventory-viewlicense.png
deleted file mode 100644
index 9fafad1aff..0000000000
Binary files a/windows/deployment/update/images/wsfb-inventory-viewlicense.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-inventory.png b/windows/deployment/update/images/wsfb-inventory.png
deleted file mode 100644
index b060fb30e4..0000000000
Binary files a/windows/deployment/update/images/wsfb-inventory.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png b/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png
deleted file mode 100644
index bb1152e35b..0000000000
Binary files a/windows/deployment/update/images/wsfb-inventoryaddprivatestore.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-landing.png b/windows/deployment/update/images/wsfb-landing.png
deleted file mode 100644
index beae0b52af..0000000000
Binary files a/windows/deployment/update/images/wsfb-landing.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-licenseassign.png b/windows/deployment/update/images/wsfb-licenseassign.png
deleted file mode 100644
index 5904abb3b9..0000000000
Binary files a/windows/deployment/update/images/wsfb-licenseassign.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-licensedetails.png b/windows/deployment/update/images/wsfb-licensedetails.png
deleted file mode 100644
index 53e0f5c935..0000000000
Binary files a/windows/deployment/update/images/wsfb-licensedetails.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-licensereclaim.png b/windows/deployment/update/images/wsfb-licensereclaim.png
deleted file mode 100644
index 9f94cd3600..0000000000
Binary files a/windows/deployment/update/images/wsfb-licensereclaim.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-manageinventory.png b/windows/deployment/update/images/wsfb-manageinventory.png
deleted file mode 100644
index 9a544ddc21..0000000000
Binary files a/windows/deployment/update/images/wsfb-manageinventory.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-offline-distribute-mdm.png b/windows/deployment/update/images/wsfb-offline-distribute-mdm.png
deleted file mode 100644
index ec0e77a9a9..0000000000
Binary files a/windows/deployment/update/images/wsfb-offline-distribute-mdm.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-1.png b/windows/deployment/update/images/wsfb-onboard-1.png
deleted file mode 100644
index 012e91a845..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-1.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-2.png b/windows/deployment/update/images/wsfb-onboard-2.png
deleted file mode 100644
index 2ff98fb1f7..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-2.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-3.png b/windows/deployment/update/images/wsfb-onboard-3.png
deleted file mode 100644
index ed9a61d353..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-3.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-4.png b/windows/deployment/update/images/wsfb-onboard-4.png
deleted file mode 100644
index d99185ddc6..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-4.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-5.png b/windows/deployment/update/images/wsfb-onboard-5.png
deleted file mode 100644
index 68049f4425..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-5.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-onboard-7.png b/windows/deployment/update/images/wsfb-onboard-7.png
deleted file mode 100644
index 38b7348b21..0000000000
Binary files a/windows/deployment/update/images/wsfb-onboard-7.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-online-distribute-mdm.png b/windows/deployment/update/images/wsfb-online-distribute-mdm.png
deleted file mode 100644
index 4b0f7cbf3a..0000000000
Binary files a/windows/deployment/update/images/wsfb-online-distribute-mdm.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-paid-app-temp.png b/windows/deployment/update/images/wsfb-paid-app-temp.png
deleted file mode 100644
index 89e3857d07..0000000000
Binary files a/windows/deployment/update/images/wsfb-paid-app-temp.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-permissions-assignrole.png b/windows/deployment/update/images/wsfb-permissions-assignrole.png
deleted file mode 100644
index de2e1785ba..0000000000
Binary files a/windows/deployment/update/images/wsfb-permissions-assignrole.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-private-store-gpo.PNG b/windows/deployment/update/images/wsfb-private-store-gpo.PNG
deleted file mode 100644
index 5e7fe44ec2..0000000000
Binary files a/windows/deployment/update/images/wsfb-private-store-gpo.PNG and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-privatestore.png b/windows/deployment/update/images/wsfb-privatestore.png
deleted file mode 100644
index 74c9f1690d..0000000000
Binary files a/windows/deployment/update/images/wsfb-privatestore.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-privatestoreapps.png b/windows/deployment/update/images/wsfb-privatestoreapps.png
deleted file mode 100644
index 1ddb543796..0000000000
Binary files a/windows/deployment/update/images/wsfb-privatestoreapps.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-renameprivatestore.png b/windows/deployment/update/images/wsfb-renameprivatestore.png
deleted file mode 100644
index c6db282581..0000000000
Binary files a/windows/deployment/update/images/wsfb-renameprivatestore.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-settings-mgmt.png b/windows/deployment/update/images/wsfb-settings-mgmt.png
deleted file mode 100644
index 2a7b590d19..0000000000
Binary files a/windows/deployment/update/images/wsfb-settings-mgmt.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-settings-permissions.png b/windows/deployment/update/images/wsfb-settings-permissions.png
deleted file mode 100644
index 63d04d270b..0000000000
Binary files a/windows/deployment/update/images/wsfb-settings-permissions.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-wsappaddacct.png b/windows/deployment/update/images/wsfb-wsappaddacct.png
deleted file mode 100644
index 5c0bd9a4ce..0000000000
Binary files a/windows/deployment/update/images/wsfb-wsappaddacct.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-wsappprivatestore.png b/windows/deployment/update/images/wsfb-wsappprivatestore.png
deleted file mode 100644
index 9c29e7604c..0000000000
Binary files a/windows/deployment/update/images/wsfb-wsappprivatestore.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-wsappsignin.png b/windows/deployment/update/images/wsfb-wsappsignin.png
deleted file mode 100644
index c2c2631a94..0000000000
Binary files a/windows/deployment/update/images/wsfb-wsappsignin.png and /dev/null differ
diff --git a/windows/deployment/update/images/wsfb-wsappworkacct.png b/windows/deployment/update/images/wsfb-wsappworkacct.png
deleted file mode 100644
index 5eb9035124..0000000000
Binary files a/windows/deployment/update/images/wsfb-wsappworkacct.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-do.png b/windows/deployment/update/images/wufb-do.png
deleted file mode 100644
index 8d6c9d0b8a..0000000000
Binary files a/windows/deployment/update/images/wufb-do.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-feature-engaged-notification.png b/windows/deployment/update/images/wufb-feature-engaged-notification.png
deleted file mode 100644
index 0e3bd19e61..0000000000
Binary files a/windows/deployment/update/images/wufb-feature-engaged-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-feature-notification.png b/windows/deployment/update/images/wufb-feature-notification.png
deleted file mode 100644
index 0e3bd19e61..0000000000
Binary files a/windows/deployment/update/images/wufb-feature-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-feature-update-deadline-notification.png b/windows/deployment/update/images/wufb-feature-update-deadline-notification.png
deleted file mode 100644
index 0e3bd19e61..0000000000
Binary files a/windows/deployment/update/images/wufb-feature-update-deadline-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-feature-update-engaged-notification.png b/windows/deployment/update/images/wufb-feature-update-engaged-notification.png
deleted file mode 100644
index 6173803a90..0000000000
Binary files a/windows/deployment/update/images/wufb-feature-update-engaged-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-groups.png b/windows/deployment/update/images/wufb-groups.png
deleted file mode 100644
index 13cdea04b0..0000000000
Binary files a/windows/deployment/update/images/wufb-groups.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-pause-feature.png b/windows/deployment/update/images/wufb-pause-feature.png
deleted file mode 100644
index afeac43e29..0000000000
Binary files a/windows/deployment/update/images/wufb-pause-feature.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-qual.png b/windows/deployment/update/images/wufb-qual.png
deleted file mode 100644
index 4a93408522..0000000000
Binary files a/windows/deployment/update/images/wufb-qual.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-quality-engaged-notification.png b/windows/deployment/update/images/wufb-quality-engaged-notification.png
deleted file mode 100644
index 432f9f89b7..0000000000
Binary files a/windows/deployment/update/images/wufb-quality-engaged-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-quality-notification.png b/windows/deployment/update/images/wufb-quality-notification.png
deleted file mode 100644
index 0e3bd19e61..0000000000
Binary files a/windows/deployment/update/images/wufb-quality-notification.png and /dev/null differ
diff --git a/windows/deployment/update/images/wufb-wave-deployment.png b/windows/deployment/update/images/wufb-wave-deployment.png
deleted file mode 100644
index 34ff0bf6cf..0000000000
Binary files a/windows/deployment/update/images/wufb-wave-deployment.png and /dev/null differ
diff --git a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
index b132951a59..342b6d4210 100644
--- a/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
+++ b/windows/deployment/update/includes/wufb-reports-admin-center-permissions.md
@@ -5,25 +5,42 @@ manager: aaroncz ms.technology: itpro-updates ms.prod: windows-client ms.topic: include -ms.date: 03/15/2023 +ms.date: 04/26/2023 ms.localizationpriority: medium --- +Accessing Windows Update for Business reports typcially requires permissions from multiple sources including: -To enroll into Windows Update for Business reports, edit configuration settings, display and edit the workbook, and view the **Windows** tab in the **Software Updates** page from the [Microsoft 365 admin center](https://admin.microsoft.com) use one of the following roles: +- [Azure Active Directory (Azure AD)](/azure/active-directory/roles/custom-overview) or [Intune](/mem/intune/fundamentals/role-based-access-control): Used for managing Windows Update for Business services through Microsoft Graph API, such as enrolling into reports +- [Azure](/azure/role-based-access-control/overview): Used for controlling access to Azure resources through Azure Resource Management, such as access to the Log Analytics workspace +- [Microsoft 365 admin center](/microsoft-365/admin/add-users/about-admin-roles): Manages access to the Microsoft 365 admin center, which allows only users with certain Azure AD roles access to sign in -- [Global Administrator role](/azure/active-directory/roles/permissions-reference#global-administrator) -- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) -- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) - - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin center -- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Intune role - - This role allows enrollment through the [workbook](../wufb-reports-enable.md#bkmk_enroll-workbook) but doesn't allow any access to the Microsoft 365 admin 
center +**Roles that can enroll into Windows Update for Business reports** -To display the workbook and view the **Windows** tab in the **Software Updates** page [Microsoft 365 admin center](https://admin.microsoft.com) use the following role: - - [Global Reader role](/azure/active-directory/roles/permissions-reference#global-reader) +To [enroll](../wufb-reports-enable.md#bkmk_enroll) into Windows Update for Business reports from the [Azure portal](https://portal.azure.com) or the [Microsoft 365 admin center](https://admin.microsoft.com) requires one of the following roles: -**Log Analytics permissions**: +- [Global Administrator](/azure/active-directory/roles/permissions-reference#global-administrator) Azure AD role +- [Intune Administrator](/azure/active-directory/roles/permissions-reference#intune-administrator) Azure AD role +- [Windows Update deployment administrator](/azure/active-directory/roles/permissions-reference#windows-update-deployment-administrator) Azure AD role +- [Policy and profile manager](/mem/intune/fundamentals/role-based-access-control#built-in-roles) Microsoft Intune role + - Microsoft Intune RBAC roles don't allow access to the Microsoft 365 admin center + +**Azure roles that allow access to the Log Analytics workspace** + +The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. To display or query any of Windows Update for Business reports data, users must have the following roles, or the equivalent permissions for the workspace: -The data for Windows Update for Business reports is routed to a Log Analytics workspace for querying and analysis. 
To display or query data, users must have one of the following roles, or the equivalent permissions: -- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used to edit and write queries - [Log Analytics Reader](/azure/role-based-access-control/built-in-roles#log-analytics-reader) role can be used to read data +- [Log Analytics Contributor](/azure/role-based-access-control/built-in-roles#log-analytics-contributor) role can be used if creating a new workspace or write access is needed + +Examples of commonly assigned roles for Windows Update for Business reports users: + +| Roles | Enroll though the workbook | Enroll through Microsoft 365 admin center | Display the workbook | Microsoft 365 admin center access | Create Log Analytics workspace | +| --- | --- | --- | --- | --- | --- | +| Intune Administrator + Log Analytics Contributor | Yes | Yes | Yes | Yes | Yes | +| Windows Update deployment administrator + Log Analytics reader | Yes | Yes | Yes | Yes| No | +| Policy and profile manager (Intune role)+ Log Analytics reader | Yes | No | Yes | No | No | +| Log Analytics reader | No | No | Yes | No | No| +| [Global reader](/azure/active-directory/roles/permissions-reference#global-reader) + Log Analytics reader | No | No | Yes | Yes | No | + +> [!NOTE] +> The Azure AD roles discussed in this article for the Microsoft 365 admin center access apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status). diff --git a/windows/deployment/update/includes/wufb-reports-recommend.md b/windows/deployment/update/includes/wufb-reports-recommend.md index 37caa47a4d..afd3f56219 100644 --- a/windows/deployment/update/includes/wufb-reports-recommend.md +++ b/windows/deployment/update/includes/wufb-reports-recommend.md 
@@ -11,5 +11,4 @@ ms.localizationpriority: medium > [!Important] -> - Update Compliance is [deprecated](/windows/whats-new/deprecated-features) and is no longer accepting new onboarding requests. Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). If you're currently using Update Compliance, you can continue to use it, but you can't change your `CommercialID`. Support for Update Compliance will end on March 31, 2023 when the service will be [retired](/windows/whats-new/feature-lifecycle#terminology). -> - Changes have been made to the Windows diagnostic data processor configuration. For more information, see [Windows diagnostic data processor changes](/windows/privacy/changes-to-windows-diagnostic-data-collection#services-that-rely-on-enhanced-diagnostic-data). +> Update Compliance was [retired](/windows/whats-new/feature-lifecycle#terminology) on March 31, 2023 and the service has been [removed](/windows/whats-new/removed-features). Update Compliance has been replaced by [Windows Update for Business reports](..\wufb-reports-overview.md). Support for Update Compliance ended on March 31, 2023. diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index bd19b56970..c1312b6132 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -77,6 +77,7 @@ This table shows the correct sequence for applying the various tasks to the file |Add Safe OS Dynamic Update | 6 | | | |Add Setup Dynamic Update | | | | 26 |Add setup.exe from WinPE | | | | 27 +|Add boot manager from WinPE | | | | 28 |Add latest cumulative update | | 15 | 21 | |Clean up the image | 7 | 16 | 22 | |Add Optional Components | | | 23 | 
@@ -300,7 +301,7 @@ Move-Item -Path $WORKING_PATH"\winre2.wim" -Destination $WORKING_PATH"\winre.wim ### Update WinPE -This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. Finally, it cleans and exports Boot.wim, and copies it back to the new media. +This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, it adds font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. For the second image, we'll save setup.exe for later use, to ensure this version matches the \sources\setup.exe version from the installation media. If these binaries are not identical, Windows Setup will fail during installation. We'll also save the serviced boot manager files for later use in the script. 
Finally, the script cleans and exports Boot.wim, and copies it back to the new media. ```powershell # @@ -416,9 +417,15 @@ Foreach ($IMAGE in $WINPE_IMAGES) { Write-Output "$(Get-TS): Performing image cleanup on WinPE" DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null - # If second image, save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder if ($IMAGE.ImageIndex -eq "2") { + + # Save setup.exe for later use. This will address possible binary mismatch with the version in the main OS \sources folder Copy-Item -Path $WINPE_MOUNT"\sources\setup.exe" -Destination $WORKING_PATH"\setup.exe" -Force -ErrorAction stop | Out-Null + + # Save serviced boot manager files later copy to the root media. + Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgfw.efi" -Destination $WORKING_PATH"\bootmgfw.efi" -Force -ErrorAction stop | Out-Null + Copy-Item -Path $WINPE_MOUNT"\Windows\boot\efi\bootmgr.efi" -Destination $WORKING_PATH"\bootmgr.efi" -Force -ErrorAction stop | Out-Null + } # Dismount 
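Review bot: The new comment `# Save serviced boot manager files later copy to the root media.` is missing a word and should read `# Save serviced boot manager files for later copy to the root media.`. The two added Copy-Item lines also sit inside the existing `if ($IMAGE.ImageIndex -eq "2")` branch, so on a Boot.wim that carries only one image neither `bootmgfw.efi` nor `bootmgr.efi` is saved to `$WORKING_PATH`; if that case is meant to be unsupported, the comment should say so, since the later copy step in this script will then stop on the missing source. The enclosing Foreach over $WINPE_IMAGES starts outside the hunk.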
@@ -532,7 +539,7 @@ Move-Item -Path $WORKING_PATH"\install2.wim" -Destination $MEDIA_NEW_PATH"\sourc ### Update remaining media files -This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe using the previously saved version from WinPE. +This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings in updated Setup files as needed, along with the latest compatibility database, and replacement component manifests. This script also does a final replacement of setup.exe and boot manager files using the previously saved versions from WinPE. ```powershell # 
@@ -544,8 +551,29 @@ Write-Output "$(Get-TS): Adding package $SETUP_DU_PATH" cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null # Copy setup.exe from boot.wim, saved earlier. +Write-Output "$(Get-TS): Copying $WORKING_PATH\setup.exe to $MEDIA_NEW_PATH\sources\setup.exe" Copy-Item -Path $WORKING_PATH"\setup.exe" -Destination $MEDIA_NEW_PATH"\sources\setup.exe" -Force -ErrorAction stop | Out-Null + +# Copy bootmgr files from boot.wim, saved earlier. +$MEDIA_NEW_FILES = Get-ChildItem $MEDIA_NEW_PATH -Force -Recurse -Filter b*.efi + +Foreach ($File in $MEDIA_NEW_FILES){ + if (($File.Name -ieq "bootmgfw.efi") -or ` + ($File.Name -ieq "bootx64.efi") -or ` + ($File.Name -ieq "bootia32.efi") -or ` + ($File.Name -ieq "bootaa64.efi")) + { + Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgfw.efi to $($File.FullName)" + Copy-Item -Path $WORKING_PATH"\bootmgfw.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null + } + elseif ($File.Name -ieq "bootmgr.efi") + { + Write-Output "$(Get-TS): Copying $WORKING_PATH\bootmgr.efi to $($File.FullName)" + Copy-Item -Path $WORKING_PATH"\bootmgr.efi" -Destination $File.FullName -Force -ErrorAction stop | Out-Null + } +} + ``` ### Finish up diff --git a/windows/deployment/update/olympia/images/1-1.png b/windows/deployment/update/olympia/images/1-1.png deleted file mode 100644 index ee06527529..0000000000 Binary files a/windows/deployment/update/olympia/images/1-1.png and /dev/null differ diff --git a/windows/deployment/update/olympia/images/1-3.png b/windows/deployment/update/olympia/images/1-3.png deleted file mode 100644 index 807e895aa5..0000000000 Binary files a/windows/deployment/update/olympia/images/1-3.png and /dev/null differ 
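Review bot: The replacement loop writes the single `bootmgfw.efi` saved from Boot.wim over every `bootx64.efi`, `bootia32.efi` and `bootaa64.efi` it finds under `$MEDIA_NEW_PATH`, which is only correct when the media carries boot files for one architecture; on media holding more than one architecture's boot files this would plant a boot manager of the wrong architecture, and that assumption should be stated rather than implied by the name list. A comment above the Foreach such as `# Assumes single-architecture media: every EFI boot manager found is replaced with the WinPE bootmgfw.efi of that one architecture` would make it explicit, and the name list could be narrowed to the architecture that was serviced. Because the walk is `-Recurse` over the whole media, `b*.efi` matches outside the EFI boot folder are also visited and then filtered by the name checks, which is harmless but worth a word in the same comment. The rest of the script body lies outside the hunk.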
diff --git a/windows/deployment/update/olympia/images/1-4.png b/windows/deployment/update/olympia/images/1-4.png
deleted file mode 100644
index 3e63d1c078..0000000000
Binary files a/windows/deployment/update/olympia/images/1-4.png and /dev/null differ
diff --git a/windows/deployment/update/olympia/images/2-3.png b/windows/deployment/update/olympia/images/2-3.png
deleted file mode 100644
index 7006da4179..0000000000
Binary files a/windows/deployment/update/olympia/images/2-3.png and /dev/null differ
diff --git a/windows/deployment/update/olympia/images/2-4.png b/windows/deployment/update/olympia/images/2-4.png
deleted file mode 100644
index 677679a000..0000000000
Binary files a/windows/deployment/update/olympia/images/2-4.png and /dev/null differ
diff --git a/windows/deployment/update/olympia/images/2-5.png b/windows/deployment/update/olympia/images/2-5.png
deleted file mode 100644
index cfec6f7ce0..0000000000
Binary files a/windows/deployment/update/olympia/images/2-5.png and /dev/null differ
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index 2cd4b2f59a..8d6b9f249b 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -8,7 +8,7 @@ ms.author: mstewart
 ms.localizationpriority: medium
 ms.topic: article
 ms.technology: itpro-updates
-ms.date: 12/31/2017
+ms.date: 04/01/2023
 ---
 # Manually Configuring Devices for Update Compliance
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
index aab7607865..7f4c13868a 100644
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -8,7 +8,7 @@ ms.author: mstewart ms.localizationpriority: medium ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Configuring Microsoft Intune devices for Update Compliance diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 2e2c5100e7..567ff4f6f1 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.localizationpriority: medium ms.topic: article -ms.date: 06/16/2022 +ms.date: 04/01/2023 ms.technology: itpro-updates --- diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 37aad4dc7a..6c6fe09823 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -8,7 +8,7 @@ ms.author: mstewart ms.localizationpriority: medium ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Delivery Optimization in Update Compliance diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 51a728c4c8..94fffb85ab 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Feature Update Status diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 251aa25370..d5167f79ad 100644 
--- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -10,7 +10,7 @@ ms.collection: - highpri - tier2 ms.topic: article -ms.date: 05/03/2022 +ms.date: 04/01/2023 ms.technology: itpro-updates --- diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 323cc9207e..4a047e610a 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -8,7 +8,7 @@ ms.author: mstewart ms.localizationpriority: medium ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Monitor Windows Updates with Update Compliance diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index 2dcb66b2bf..51212b396d 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -7,7 +7,7 @@ ms.author: mstewart ms.topic: article ms.prod: windows-client ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Needs attention! 
@@ -22,7 +22,7 @@ ms.date: 12/31/2017 ![Needs attention section.](images/UC_workspace_needs_attention.png) -The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. +The **Needs attention!** section provides a breakdown of all Windows client device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within breakdown the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but don't fit within any other main section. > [!NOTE] > The summary tile counts the number of devices that have issues, while the blades within the section break down the issues encountered. A single device can have more than one issue, so these numbers might not add up. 
@@ -32,15 +32,15 @@ The different issues are broken down by Device Issues and Update Issues: ## Device Issues * **Missing multiple security updates:** This issue occurs when a device is behind by two or more security updates. These devices might be more vulnerable and should be investigated and updated. -* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows client it is running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows client. +* **Out of support OS Version:** This issue occurs when a device has fallen out of support due to the version of Windows client it's running. When a device has fallen out of support, it will no longer receive important security updates, and might be vulnerable. These devices should be updated to a supported version of Windows client. ## Update Issues * **Failed:** This issue occurs when an error halts the process of downloading and applying an update on a device. Some of these errors might be transient, but should be investigated further to be sure. -* **Cancelled**: This issue occurs when a user cancels the update process. +* **Canceled**: This issue occurs when a user cancels the update process. * **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. -* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. -* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 7 days. +* **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. 
This might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. +* **Progress stalled:** This issue occurs when an update is in progress, but hasn't completed over a period of 7 days. Selecting any of the issues will take you to a [Log Analytics](/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. @@ -49,4 +49,4 @@ Selecting any of the issues will take you to a [Log Analytics](/azure/log-analyt ## List of Queries -The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that did not fit within any specific section or were listed to serve as a good starting point for modification into custom queries. +The **List of Queries** blade is in the **Needs Attention** section of Update Compliance. This blade contains a list of queries with a description and a link to the query. These queries contain important meta-information that didn't fit within any specific section or were listed to serve as a good starting point for modification into custom queries. diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index c99c4f7dc8..345802748b 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Privacy in Update Compliance diff --git a/windows/deployment/update/update-compliance-safeguard-holds.md b/windows/deployment/update/update-compliance-safeguard-holds.md index 071e0da12f..f74ace76b9 100644 --- a/windows/deployment/update/update-compliance-safeguard-holds.md 
+++ b/windows/deployment/update/update-compliance-safeguard-holds.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Safeguard Holds diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md index 125d1a6de3..07a33a985c 100644 --- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # WaaSDeploymentStatus diff --git a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md index 9e8a73b355..0db7e2035a 100644 --- a/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasinsiderstatus.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # WaaSInsiderStatus diff --git a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md index 3a83aad3f6..6f885bf11a 100644 --- a/windows/deployment/update/update-compliance-schema-waasupdatestatus.md +++ b/windows/deployment/update/update-compliance-schema-waasupdatestatus.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # WaaSUpdateStatus diff --git a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md index a16ae4d5a3..901babfe34 100644 
--- a/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md +++ b/windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # WUDOAggregatedStatus diff --git a/windows/deployment/update/update-compliance-schema-wudostatus.md b/windows/deployment/update/update-compliance-schema-wudostatus.md index 60ae8e5991..3cd9bfa64f 100644 --- a/windows/deployment/update/update-compliance-schema-wudostatus.md +++ b/windows/deployment/update/update-compliance-schema-wudostatus.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # WUDOStatus diff --git a/windows/deployment/update/update-compliance-schema.md b/windows/deployment/update/update-compliance-schema.md index 5c760ad6d0..163144290a 100644 --- a/windows/deployment/update/update-compliance-schema.md +++ b/windows/deployment/update/update-compliance-schema.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Update Compliance Schema diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md index 829e562eba..874e7b6ff9 100644 --- a/windows/deployment/update/update-compliance-security-update-status.md +++ b/windows/deployment/update/update-compliance-security-update-status.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Security Update Status diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index a8eb872ebf..4220a931ba 100644 --- a/windows/deployment/update/update-compliance-using.md 
+++ b/windows/deployment/update/update-compliance-using.md @@ -8,7 +8,7 @@ ms.author: mstewart ms.localizationpriority: medium ms.topic: article ms.technology: itpro-updates -ms.date: 12/31/2017 +ms.date: 04/01/2023 --- # Use Update Compliance diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index abf55e970a..2b2f4074ec 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md @@ -221,7 +221,7 @@ The features that are turned off by default from servicing updates will be enabl | Policy | Sets registry key under HKLM\Software | | --- | --- | -| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\ExcludeWUDriversInQualityUpdate | +| GPO for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
    Computer Configuration > Administrative Templates > Windows Components > Windows Update > Manage end user experience > **Enable features introduced via servicing that are off by default**| \Policies\Microsoft\Windows\WindowsUpdate\AllowTemporaryEnterpriseFeatureControl | | MDM for Windows 11, version 22H2 with [kb5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
    ../Vendor/MSFT/Policy/Config/Update/
    **[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)** | \Microsoft\PolicyManager\default\Update\AllowTemporaryEnterpriseFeatureControl | diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md index 1b6ef429f8..82f1a7f953 100644 --- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md @@ -48,10 +48,10 @@ The General Availability Channel is the default servicing channel for all Window To get started with the Windows Insider Program for Business, follows these steps: -1. On the [Windows Insider](https://insider.windows.com) website, go to **For Business > Getting Started** to [register your organizational Azure AD account](https://insider.windows.com/insidersigninaad/). -2. **Register your domain**. Rather than have each user register individually for Insider Preview builds, administrators can [register their domain](https://insider.windows.com/for-business-organization-admin/) and control settings centrally.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register the domain. +1. On the [Windows Insider](https://www.microsoft.com/windowsinsider/for-business) website, select **Register** to register your organizational Azure AD account. +2. Follow the prompts to register your tenant.
    **Note:** The signed-in user needs to be a **Global Administrator** of the Azure AD domain in order to be able to register. 3. Make sure the **Allow Telemetry** setting is set to **2** or higher. -4. For Windows 10, version 1709 or later, set policies to manage preview builds and their delivery: +4. For Windows devices, set policies to manage preview builds and their delivery: The **Manage preview builds** setting gives administrators control over enabling or disabling preview build installation on a device. You can also decide to stop preview builds once the release is public. * Group Policy: **Computer Configuration/Administrative Templates/Windows Components/Windows Update/Windows Update for Business** - *Manage preview builds* diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index dd358bb8a2..0c088b2aee 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -11,7 +11,7 @@ ms.collection: - highpri - tier2 ms.technology: itpro-updates -ms.date: 03/09/2023 +ms.date: 04/25/2023 --- # Manage additional Windows Update settings @@ -35,6 +35,8 @@ You can use Group Policy settings or mobile device management (MDM) to configure | [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 | | [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All | | | [Windows Update notifications display organization name](#display-organization-name-in-windows-update-notifications)

    *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered | +| | [Allow Windows updates to install before initial user sign-in](#allow-windows-updates-to-install-before-initial-user-sign-in) (registry only)| Windows 11 version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update | + >[!IMPORTANT] >Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**. 
@@ -47,7 +49,7 @@ Admins have a lot of flexibility in configuring how their devices scan and recei [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them the option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates. -You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location). +You can make custom device groups that will work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that weren't signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location). Finally, to make sure the updating experience is fully controlled by the admins, you can [Remove access to use all Windows Update features](#remove-access-to-use-all-windows-update-features) for users. 
@@ -61,10 +63,10 @@ This setting lets you specify a server on your network to function as an interna To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don't have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. -If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. +If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. The alternate download server configures the Windows Update Agent to download files from an alternative download server instead of the intranet update service. -The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. 
This option should only be used when the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate download server. +The option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update service doesn't provide download Urls in the update metadata for files that are present on the alternate download server. >[!NOTE] >If the "Configure Automatic Updates" policy is disabled, then this policy has no effect. @@ -109,7 +111,7 @@ Use **Computer Configuration\Administrative Templates\Windows Components\Windows Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. This allows admins to configure device groups that will receive different updates from sources like WSUS or Configuration Manager. This Group Policy setting can be found under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Enable client-side targeting**. -If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service which uses it to determine which updates should be deployed to this computer. +If the setting is set to **Enabled**, the specified target group information is sent to the intranet Microsoft update service, which uses it to determine which updates should be deployed to this computer. If the setting is set to **Disabled** or **Not Configured**, no target group information will be sent to the intranet Microsoft update service. If the intranet Microsoft update service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified. 
@@ -123,8 +125,8 @@ This policy setting allows you to manage whether Automatic Updates accepts updat To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**. -If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. -If you disable or do not configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft. +If you enable this policy setting, Automatic Updates accepts updates received through an intranet Microsoft update service location, as specified by [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location), if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. +If you disable or don't configure this policy setting, updates from an intranet Microsoft update service location must be signed by Microsoft. >[!NOTE] >Updates from a service other than an intranet Microsoft update service must always be signed by Microsoft and are not affected by this policy setting. 
@@ -136,7 +138,7 @@ To configure this policy with MDM, use [AllowNonMicrosoftSignedUpdate](/windows/ To add more flexibility to the update process, settings are available to control update installation. -[Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers are not installed with the rest of the received updates. +[Configure Automatic Updates](#configure-automatic-updates) offers four different options for automatic update installation, while [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) makes sure drivers aren't installed with the rest of the received updates. ### Do not include drivers with Windows Updates @@ -144,7 +146,7 @@ Allows admins to exclude Windows Update drivers during updates. To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**. Enable this policy to not include drivers with Windows quality updates. -If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. +If you disable or don't configure this policy, Windows Update will include updates that have a Driver classification. ### Configure Automatic Updates 
@@ -156,13 +158,13 @@ Under **Computer Configuration\Administrative Templates\Windows Components\Windo **2 - Notify for download and auto install** - When Windows finds updates that apply to this device, users will be notified that updates are ready to be downloaded. After going to **Settings > Update & security > Windows Update**, users can download and install any available updates. -**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user is not notified or interrupted during this process). When the downloads are complete, users will be notified that they are ready to install. After going to **Settings > Update & security > Windows Update**, users can install them. +**3 - Auto download and notify for Install** - Windows finds updates that apply to the device and downloads them in the background (the user isn't notified or interrupted during this process). When the downloads are complete, users will be notified that they're ready to install. After going to **Settings > Update & security > Windows Update**, users can install them. **4 - Auto download and schedule the install** - Specify the schedule using the options in the Group Policy Setting. For more information about this setting, see [Schedule update installation](waas-restart.md#schedule-update-installation). -**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators will not be allowed to disable the configuration for Automatic Updates. This option is not available in any Windows 10 or later versions. +**5 - Allow local admin to choose setting** - With this option, local administrators will be allowed to use the settings app to select a configuration option of their choice. Local administrators won't be allowed to disable the configuration for Automatic Updates. 
This option isn't available in any Windows 10 or later versions. -**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they will be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device. +**7 - Notify for install and notify for restart** (Windows Server 2016 and later only) - With this option, when Windows finds updates that apply to this device, they'll be downloaded, then users will be notified that updates are ready to be installed. Once updates are installed, a notification will be displayed to users to restart the device. If this setting is set to **Disabled**, any updates that are available on Windows Update must be downloaded and installed manually. To do this, users must go to **Settings > Update & security > Windows Update**. @@ -173,7 +175,7 @@ If this setting is set to **Not Configured**, an administrator can still configu > [!NOTE] > Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require you to reinstall the operating system. Microsoft cannot guarantee that these problems can be resolved. Modify the registry at your own risk. -In an environment that does not have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update. +In an environment that doesn't have Active Directory deployed, you can edit registry settings to configure group policies for Automatic Update. To do this, follow these steps: 
@@ -203,7 +205,7 @@ To do this, follow these steps: * **4**: Automatically download and scheduled installation. - * **5**: Allow local admin to select the configuration mode. This option is not available for Windows 10 or later versions. + * **5**: Allow local admin to select the configuration mode. This option isn't available for Windows 10 or later versions. * **7**: Notify for install and notify for restart. (Windows Server 2016 and later only) @@ -230,7 +232,7 @@ To do this, follow these steps: * NoAutoRebootWithLoggedOnUsers (REG_DWORD): - **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on. + **0** (false) or **1** (true). If set to **1**, Automatic Updates doesn't automatically restart a computer while users are logged on. > [!NOTE] > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions. @@ -264,7 +266,7 @@ The organization name appears automatically for Windows 11 clients that are asso To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry: - **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations` - - **DWORD value name**: UsoDisableAADJAttribution + - **DWORD value name**: UsoDisableAADJAttribution - **Value data:** 1 The following PowerShell script is provided as an example to you: 
@@ -280,3 +282,17 @@ if (!(Test-Path $registryPath)) New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null ``` + +## Allow Windows updates to install before initial user sign-in +*(Starting in Windows 11, version 22H2 with 2023-04 Cumulative Update Preview, or a later cumulative update)* + +On new devices, Windows Update doesn't begin installing background updates until a user has completed the Out of Box Experience (OOBE) and signs in for the first time. In many cases, the user signs in immediately after completing the OOBE. However, some VM-based solutions provision a device and automate the first user experience. These VMs may not be immediately assigned to a user so they won't see an initial sign-in until several days later. + +In scenarios where initial sign-in is delayed, setting the following registry values allow devices to begin background update work before a user first signs in: + +- **Registry key**: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Orchestrator +- **DWORD value name**: ScanBeforeInitialLogonAllowed +- **Value data**: 1 + +> [!Warning] +> This value is designed to be used only for scenarios with a deferred initial user sign in. Setting this value on devices where initial user sign in isn't delayed could have a detrimental effect on performance since it may allow update work to occur as the user is signing in for the first time. diff --git a/windows/deployment/update/wufb-reports-admin-center.md b/windows/deployment/update/wufb-reports-admin-center.md index 0ba338dd97..8d7b1f616c 100644 --- a/windows/deployment/update/wufb-reports-admin-center.md +++ b/windows/deployment/update/wufb-reports-admin-center.md @@ -7,7 +7,7 @@ author: mestew ms.author: mstewart ms.localizationpriority: medium ms.topic: article -ms.date: 11/15/2022 +ms.date: 04/26/2023 ms.technology: itpro-updates --- 
@@ -25,20 +25,14 @@ The **Software updates** page has following tabs to assist you in monitoring upd :::image type="content" source="media/37063317-admin-center-software-updates.png" alt-text="Screenshot of the Microsoft 365 admin center displaying the software updates page with the Windows tab selected." lightbox="media/37063317-admin-center-software-updates.png"::: -## Permissions - - -[!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)] - -> [!NOTE] -> These permissions for the Microsoft 365 admin center apply specifically to the **Windows** tab of the **Software Updates** page. For more information about the **Microsoft 365 Apps** tab, see [Microsoft 365 Apps updates in the admin center](/DeployOffice/updates/software-update-status). - ## Limitations Windows Update for Business reports is a Windows service hosted in Azure that uses Windows diagnostic data. Windows Update for Business reports is available in the Azure Commercial cloud, but not available for GCC High or United States Department of Defense customers since it doesn't meet [US Government community compliance (GCC)](/office365/servicedescriptions/office-365-platform-service-description/office-365-us-government/gcc#us-government-community-compliance) requirements. For a list of GCC offerings for Microsoft products and services, see the [Microsoft Trust Center](/compliance/regulatory/offering-home). ## Get started +After verifying that you've met the [prerequisites and permissions](wufb-reports-prerequisites.md) for Windows Update for Business reports, enroll using the instructions below if needed: + [!INCLUDE [Onboarding Windows Update for Business reports through the Microsoft 365 admin center](./includes/wufb-reports-onboard-admin-center.md)] diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md new file mode 100644 index 0000000000..9c2455ffd2 --- /dev/null 
+++ b/windows/deployment/update/wufb-reports-do.md 
@@ -0,0 +1,169 @@ +--- +title: Delivery Optimization data in Windows Update for Business reports +manager: aaroncz +description: Provides information about Delivery Optimization data in Windows Update for Business reports +ms.prod: windows-client +author: mestew +ms.author: mstewart +ms.topic: article +ms.date: 04/12/2023 +ms.technology: itpro-updates +--- + +# Delivery Optimization data in Windows Update for Business reports + +***(Applies to: Windows 11 & Windows 10)*** + +[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement. + +Windows Update for Business reports provides Delivery Optimization information in the following places: +- The Windows Update for Business reports [workbook](wufb-reports-workbook.md) +- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) +- [UCDOStatus](wufb-reports-schema-ucdostatus.md) + +Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices. + +## Delivery Optimization terms + +Windows Update for Business reports uses the following Delivery Optimization terms: + +- **Peer**: A device in the solution +- **Peering 'ON'** - Devices where DO peer-to-peer is enabled in one of the following modes: + - LAN (1) + - Group (2) + - Internet (3) +- **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes: + - HTTP Only (0) + - Simple Mode (99) + - Bypass (100), deprecated in Windows 11 +- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded. 
+ - If bandwidth savings are <= 60%, a *Warning* icon is displayed + - When bandwidth savings are <10%, an *Error* icon is displayed. +- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface. +- **P2P Device Count**: The device count is the number of devices configured to use peering. +- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md). +- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types. +- **Total # of Devices**: The total number of devices with activity in last 28 days. +- **LAN Bytes**: Bytes delivered from LAN peers. +- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'. +- **CDN Bytes**: Bytes delivered from Content Delivery Network (CDN). +- **City**: City is determined based on the location of the device where the maximum amount of data is downloaded. +- **Country**: Country is determined based on the location of the device where the maximum amount of data is downloaded. +- **ISP**: ISP is determined based on the ISP delivering the maximum bytes to the device. + +## Calculations for Delivery Optimization + +There are several calculated values that appear on the Delivery Optimization report. 
Listed below each calculation is the table that's used for it: + +**Efficiency (%) Calculations**: + +- Bandwidth Savings (BW SAV%) = 100 * (BytesFromPeers + BytesFromGroupPeers + BytesFromCache) / +(BytesFromPeers + BytesFromGroupPeers+BytesFromCDN + BytesFromCache) + - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table +- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table +- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table + +**Bytes Calculations**: + +- TotalBytes = BytesFromCDN + BytesFromEnterpriseCache + BytesFromPeers + BytesFromGroupPeers + - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table +- BytesFromCDN = BytesFromCDN + - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table +- BytesFromPeers = BytesFromLAN + - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table +- BytesFromGroupPeers = BytesFromGroupPeers + - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table +- BytesFromCache = BytesFromCache + - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table + +**Volume Calculations**: + +- Volume by P2P = BytesFromPeers + BytesFromGroupPeers + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table +- Volume by MCC = BytesFromCache + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table +- Volume by CDN = BytesFrom CDN + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table + +## Mapping GroupID + +In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. 
You can create a mapping of original to encoded GroupIDs using the following PowerShell example: + +```powershell +$text = "`0"; (the null-terminator (`0) must be included in the string hash) + +$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" +``` + +In addition, you can see both the encoded and decoded GroupIDs in the Delivery Optimization logs. + +```powershell +Get-DeliveryOptimizationLog -Flush | Set-Content C:\dosvc.log +``` + +The below two lines are together in verbose logs: + +```text +2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **** +2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **** +``` + +## Sample queries + +You can use the data in [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) +and [UCDOStatus](wufb-reports-schema-ucdostatus.md) to create your own queries. Create your custom queries using [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/), but note that Windows Update for Business reports uses Azure Monitor, so some operators aren't supported. The KQL documentation specifies which operators aren't supported by Azure Monitor or if they have different functionality. For more information about KQL in Azure Monitor, see [Log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview). 
The following queries are examples of how you can use the data: + +### Example UCDOAggregatedStatus table query + +The following query is used to display the total bandwidth savings % value: + +```kusto +UCDOAggregatedStatus| where TimeGenerated == _SnapshotTime +| extend LocalSourceBytes = BytesFromCache + BytesFromGroupPeers + BytesFromPeers +| summarize LocalSources_BWSAV = round((sum(0.0 + LocalSourceBytes)/ sum(LocalSourceBytes+BytesFromCDN)) * 100.0 ,2) +| extend Title = "BW SAV%" , SubTitle = "Local Sources" +``` + +### Example UCDOStatus table query + +The following query is used to display the Top 10 GroupIDs: + +```kusto +UCDOStatus | where TimeGenerated == _SnapshotTime +| summarize sum(BytesFromCDN) , sum(BytesFromGroupPeers) , sum(BytesFromPeers) , sum(BytesFromCache) , +DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount desc +| extend TotalBytes = (sum_BytesFromPeers + sum_BytesFromGroupPeers+sum_BytesFromCDN+sum_BytesFromCache) +| extend P2PPercentage = ((0.0 + sum_BytesFromPeers + sum_BytesFromGroupPeers)/TotalBytes ) * 100.0 +| extend MCCPercentage = ((0.0 + sum_BytesFromCache)/ TotalBytes) * 100.0 , + VolumeBytesFromPeers = sum_BytesFromPeers + sum_BytesFromGroupPeers +| extend VolumeBytesFromMCC = sum_BytesFromCache , VolumeByCDN = sum_BytesFromCDN +| project GroupID , P2PPercentage , MCCPercentage , VolumeBytesFromPeers , VolumeBytesFromMCC ,VolumeByCDN , DeviceCount +``` + +## Frequency Asked Questions + +- **What time period does the Delivery Optimization data include?** +Data is generated/aggregated for the last 28 days for active devices. + +- **Data is showing as 'Unknown', what does that mean?** +You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. 
+ +- **How are the 'Top 10' groups identified?** +The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP). + +- **The GroupIDs don't look familiar, why are they different?** +The GroupID values are encoded for data protection telemetry requirements. You can find more information in the 'Mapping GroupIDs' section above. + +- **How can I see data for device in the office vs. out of the office?** +Today, we don't have a distinction for data that was downloaded by location. + +- **What does the data in UCDOStatus table represent?** +A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType). + +- **What does the data in UCDOAggregatedStatus table represent?** +A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType). + +- **How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?** +If there's a Connected Cache server at the ISP level, BytesFromCache will filter out any bytes coming the ISP's Connected Cache. diff --git a/windows/deployment/update/wufb-reports-enable.md b/windows/deployment/update/wufb-reports-enable.md index a02c8ece15..df307acd3d 100644 --- a/windows/deployment/update/wufb-reports-enable.md +++ b/windows/deployment/update/wufb-reports-enable.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 11/15/2022 +ms.date: 04/26/2023 ms.technology: itpro-updates --- diff --git a/windows/deployment/update/wufb-reports-prerequisites.md b/windows/deployment/update/wufb-reports-prerequisites.md index fa6514d687..f9951294d8 100644 --- a/windows/deployment/update/wufb-reports-prerequisites.md +++ b/windows/deployment/update/wufb-reports-prerequisites.md 
@@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 03/15/2023 +ms.date: 04/26/2023 ms.technology: itpro-updates --- @@ -25,7 +25,6 @@ Before you begin the process of adding Windows Update for Business reports to yo - The Log Analytics workspace must be in a [supported region](#log-analytics-regions) - Data in the **Driver update** tab of the [workbook](wufb-reports-workbook.md) is only available for devices that receive driver and firmware updates from the [Windows Update for Business deployment service](deployment-service-overview.md) - ## Permissions [!INCLUDE [Windows Update for Business reports permissions](./includes/wufb-reports-admin-center-permissions.md)] diff --git a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md index 12318c9c53..34cab456db 100644 --- a/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md +++ b/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: reference -ms.date: 06/06/2022 +ms.date: 04/24/2023 ms.technology: itpro-updates --- 
@@ -37,7 +37,7 @@ Update Event that combines the latest client-based data with the latest service-
 | **SourceSystem** | [string](/azure/kusto/query/scalar-data-types/string)| `Azure`| |
 | **TargetBuild** | [string](/azure/kusto/query/scalar-data-types/string) | `10.0.18363.836` | The full build of the content this DeviceUpdateEvent is tracking. For Windows 10 updates, this value would correspond to the full build (10.0.14393.385). |
 | **TargetBuildNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `18363` | Integer of the Major portion of Build. |
-| **TargetKBNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `4524570` | KB Article. |
+| **TargetKBNumber** | [string](/azure/kusto/query/scalar-data-types/string) | `KB4524570` | KB Article. |
 | **TargetRevisionNumber** | [int](/azure/kusto/query/scalar-data-types/int) | `836` | Integer or the minor (or revision) portion of the build. |
 | **TargetVersion** | [int](/azure/kusto/query/scalar-data-types/int) | `1909` | The target operating system version, such as 1909. |
 | **TimeGenerated** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The time the snapshot generated this specific record. This is to determine to which batch snapshot this record belongs. |
@@ -50,3 +50,4 @@ Update Event that combines the latest client-based data with the latest service-
 | **UpdateManufacturer** | [string](/azure/kusto/query/scalar-data-types/string) | `Microsoft` | Manufacturer of update. Microsoft for feature or quality updates, for drivers the name of driver manufacturer. |
 | **UpdateReleaseTime** | [datetime](/azure/kusto/query/scalar-data-types/datetime) | `2020-05-14 09:26:03.478039` | The release date of the update |
 | **UpdateSource** | [string](/azure/kusto/query/scalar-data-types/string) | `UUP` | The source of the update such as UUP, MUv6, Media |
+
\ No newline at end of file
diff --git a/windows/deployment/update/wufb-reports-workbook.md b/windows/deployment/update/wufb-reports-workbook.md index 279be81249..9756777253 100644 --- a/windows/deployment/update/wufb-reports-workbook.md +++ b/windows/deployment/update/wufb-reports-workbook.md @@ -6,7 +6,7 @@ ms.prod: windows-client author: mestew ms.author: mstewart ms.topic: article -ms.date: 11/15/2022 +ms.date: 04/26/2023 ms.technology: itpro-updates --- @@ -97,7 +97,6 @@ The **Update deployment status** table displays the quality updates for each ope The **Device status** group for quality updates contains the following items: - **OS build number**: Chart containing a count of devices by OS build that are getting security updates. -- **Target version**: Chart containing how many devices by operating system version that are getting security updates. - **Device alerts**: Chart containing the count of active device errors and warnings for quality updates. - **Device compliance status**: Table containing a list of devices getting security updates and update installation information including active alerts for the devices. - This table is limited to the first 250 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). 
@@ -173,7 +172,7 @@ The **Device status** group for driver updates contains the following items: ## Delivery Optimization -The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. +The **Delivery Optimization** tab provides a summarized view of bandwidth efficiencies. This new revised report also includes [Microsoft Connected Cache](/windows/deployment/do/waas-microsoft-connected-cache) information. For more information, see [Delivery Optimization data in Windows Update for Business reports](/windows/deployment/update/waas-delivery-optimization). At the top of the report, tiles display the following information: diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md index ea38090b1d..c3c3acaa55 100644 --- a/windows/deployment/upgrade/windows-10-edition-upgrades.md +++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md 
@@ -22,7 +22,6 @@ ms.date: 10/28/2022 With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](https://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md). Downgrading the edition of Windows is discussed in the [License expiration](#license-expiration) section on this page. -For a list of operating systems that qualify for the Windows 10 Pro Upgrade or Windows 10 Enterprise Upgrade through Microsoft Volume Licensing, see [Windows 10 Qualifying Operating Systems](https://download.microsoft.com/download/2/d/1/2d14fe17-66c2-4d4c-af73-e122930b60f6/Windows10-QOS.pdf). The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 29dfd02ddc..3c213a2a45 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md +++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -27,7 +27,7 @@ ms.technology: itpro-fundamentals > [!TIP] > Are you looking for volume licensing information? > -> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://go.microsoft.com/fwlink/p/?LinkId=620104) +> - [Download the Volume Licensing Reference Guide for Windows 10 Desktop Operating System](https://www.microsoft.com/download/details.aspx?id=11091) > [!TIP] > Are you looking for information on retail activation? diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 87d0a1a2d5..d3c1320d86 100644 
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md @@ -67,8 +67,12 @@ The procedures in this guide are summarized in the following table. An estimate > [!NOTE] > If the request to add features fails, retry the installation by typing the command again. -2. Download [SQL Server 2014 SP2](https://www.microsoft.com/evalcenter/evaluate-sql-server-2014-sp2) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. -3. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: +2. Download [SQL Server](https://www.microsoft.com/evalcenter/evaluate-sql-server-2022) from the Microsoft Evaluation Center as an .ISO file on the Hyper-V host computer. Save the file to the **C:\VHD** directory. + + > [!NOTE] + > The rest of this article describes the installation of SQL Server 2014. If you download a different version of SQL Server, you may need to modify the installation steps. + +1. When you've downloaded the file **SQLServer2014SP2-FullSlipstream-x64-ENU.iso** and placed it in the C:\VHD directory, enter the following command at an elevated Windows PowerShell prompt on the Hyper-V host: ```powershell Set-VMDvdDrive -VMName SRV1 -Path c:\VHD\SQLServer2014SP2-FullSlipstream-x64-ENU.iso diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index ec97a45acf..7abdacbadc 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml 
@@ -38,52 +38,112 @@ href: deploy/windows-autopatch-device-registration-overview.md - name: Register your devices href: deploy/windows-autopatch-register-devices.md + - name: Windows Autopatch groups experience + href: + items: + - name: Windows Autopatch groups overview + href: deploy/windows-autopatch-groups-overview.md + - name: Manage Windows Autopatch groups + href: deploy/windows-autopatch-groups-manage-autopatch-groups.md - name: Post-device registration readiness checks href: deploy/windows-autopatch-post-reg-readiness-checks.md - name: Operate href: items: - - name: Software update management - href: operate/windows-autopatch-update-management.md + - name: Windows Autopatch groups experience + href: items: - - name: Windows updates - href: + - name: Software update management + href: operate/windows-autopatch-groups-update-management.md items: - - name: Customize Windows Update settings - href: operate/windows-autopatch-windows-update.md - - name: Windows quality updates - href: operate/windows-autopatch-windows-quality-update-overview.md + - name: Windows updates + href: items: - - name: Windows quality update end user experience - href: operate/windows-autopatch-windows-quality-update-end-user-exp.md - - name: Windows quality update signals - href: operate/windows-autopatch-windows-quality-update-signals.md - - name: Windows quality update communications - href: operate/windows-autopatch-windows-quality-update-communications.md - - name: Windows quality update reports - href: operate/windows-autopatch-windows-quality-update-reports-overview.md + - name: Customize Windows Update settings + href: operate/windows-autopatch-groups-windows-update.md + - name: Windows quality updates + href: operate/windows-autopatch-groups-windows-quality-update-overview.md items: - - name: Summary dashboard - href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md - - name: All devices report - href: 
operate/windows-autopatch-windows-quality-update-all-devices-report.md - - name: All devices report—historical - href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md - - name: Eligible devices report—historical - href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md - - name: Ineligible devices report—historical - href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md - - name: Windows feature updates - href: operate/windows-autopatch-windows-feature-update-overview.md + - name: Windows quality update end user experience + href: operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md + - name: Windows quality update signals + href: operate/windows-autopatch-groups-windows-quality-update-signals.md + - name: Windows quality update communications + href: operate/windows-autopatch-groups-windows-quality-update-communications.md + - name: Windows feature updates + href: operate/windows-autopatch-groups-windows-feature-update-overview.md + items: + - name: Manage Windows feature updates + href: operate/windows-autopatch-groups-manage-windows-feature-update-release.md + - name: Windows quality and feature update reports + href: operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md + items: + - name: Windows quality update reports + href: items: - - name: Windows feature update end user experience - href: operate/windows-autopatch-windows-feature-update-end-user-exp.md - - name: Microsoft 365 Apps for enterprise - href: operate/windows-autopatch-microsoft-365-apps-enterprise.md - - name: Microsoft Edge - href: operate/windows-autopatch-edge.md - - name: Microsoft Teams - href: operate/windows-autopatch-teams.md + - name: Summary dashboard + href: operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md + - name: Quality update status report + href: 
operate/windows-autopatch-groups-windows-quality-update-status-report.md + - name: Quality update trending report + href: operate/windows-autopatch-groups-windows-quality-update-trending-report.md + - name: Windows feature update reports + href: + items: + - name: Summary dashboard + href: operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md + - name: Feature update status report + href: operate/windows-autopatch-groups-windows-feature-update-status-report.md + - name: Feature update trending report + href: operate/windows-autopatch-groups-windows-feature-update-trending-report.md + - name: Windows quality and feature update device alerts + href: operate/windows-autopatch-device-alerts.md + - name: Classic experience + href: + items: + - name: Software update management + href: operate/windows-autopatch-update-management.md + items: + - name: Windows updates + href: + items: + - name: Customize Windows Update settings + href: operate/windows-autopatch-windows-update.md + - name: Windows quality updates + href: operate/windows-autopatch-windows-quality-update-overview.md + items: + - name: Windows quality update end user experience + href: operate/windows-autopatch-windows-quality-update-end-user-exp.md + - name: Windows quality update signals + href: operate/windows-autopatch-windows-quality-update-signals.md + - name: Windows quality update communications + href: operate/windows-autopatch-windows-quality-update-communications.md + - name: Windows quality update reports + href: operate/windows-autopatch-windows-quality-update-reports-overview.md + items: + - name: Summary dashboard + href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md + - name: All devices report + href: operate/windows-autopatch-windows-quality-update-all-devices-report.md + - name: All devices report—historical + href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md + - name: Eligible devices report—historical + 
href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md + - name: Ineligible devices report—historical + href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md + - name: Windows feature updates + href: operate/windows-autopatch-windows-feature-update-overview.md + items: + - name: Windows feature update end user experience + href: operate/windows-autopatch-windows-feature-update-end-user-exp.md + - name: Microsoft 365 Apps for enterprise + href: operate/windows-autopatch-microsoft-365-apps-enterprise.md + - name: Microsoft Edge + href: operate/windows-autopatch-edge.md + - name: Microsoft Teams + href: operate/windows-autopatch-teams.md + - name: Policy health and remediation + href: operate/windows-autopatch-policy-health-and-remediation.md - name: Maintain the Windows Autopatch environment href: operate/windows-autopatch-maintain-environment.md - name: Submit a support request @@ -104,6 +164,8 @@ href: references/windows-autopatch-microsoft-365-policies.md - name: Changes made at tenant enrollment href: references/windows-autopatch-changes-to-tenant.md + - name: Windows Autopatch groups public preview addendum + href: references/windows-autopatch-groups-public-preview-addendum.md - name: What's new href: items: diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index b6ead33041..f511e6481b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md 
@@ -1,7 +1,7 @@
 ---
 title: Device registration overview
 description: This article provides an overview on how to register devices in Autopatch
-ms.date: 10/5/2022
+ms.date: 05/08/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -18,19 +18,21 @@ Windows Autopatch must [register your existing devices](windows-autopatch-regist The Windows Autopatch device registration process is transparent for end-users because it doesn’t require devices to be reset. -The overall device registration process is: +The overall device registration process is as follows: :::image type="content" source="../media/windows-autopatch-device-registration-overview.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-device-registration-overview.png"::: -1. IT admin reviews [Windows Autopatch device registration pre-requisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch. -2. IT admin identifies devices to be managed by Windows Autopatch and adds them into the **Windows Autopatch Device Registration** Azure Active Directory (AD) group. -1. Windows Autopatch then: +1. IT admin reviews [Windows Autopatch device registration prerequisites](windows-autopatch-register-devices.md#prerequisites-for-device-registration) prior to register devices with Windows Autopatch. +2. IT admin identifies devices to be managed by Windows Autopatch through either adding: + 1. The devices into the Windows Autopatch Device Registration (classic) Azure Active Directory (AD) group. + 2. Device-based Azure AD groups as part of the [Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md) or the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md). +3. Windows Autopatch then: 1. Performs device readiness prior registration (prerequisite checks). - 1. Calculates the deployment ring distribution. - 1. Assigns devices to one of the deployment rings based on the previous calculation. - 1. Assigns devices to other Azure AD groups required for management. - 1. Marks devices as active for management so it can apply its update deployment policies. -1. 
IT admin then monitors the device registration trends and the update deployment reports. + 2. Calculates the deployment ring distribution. + 3. Assigns devices to one of the deployment rings based on the previous calculation. + 4. Assigns devices to other Azure AD groups required for management. + 5. Marks devices as active for management so it can apply its update deployment policies. +4. IT admin then monitors the device registration trends and the update deployment reports. For more information about the device registration workflow, see the [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram) section for more technical details behind the Windows Autopatch device registration process. @@ -43,14 +45,14 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | Step | Description | | ----- | ----- | | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | -| **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | -| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.
    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
    | +| **Step 2: Add devices** | IT admin adds devices through Direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group when using the:
    • [Classic device registration method](../deploy/windows-autopatch-register-devices.md#classic-device-registration-method), or
    • Adding existing device-based Azure AD groups while [creating](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group)/[editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) Custom Autopatch groups, or [editing](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) the Default Autopatch group
    | +| **Step 3: Discover devices** | The Windows Autopatch Discover Devices function discovers devices (hourly) that were previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group or from Azure AD groups used with Autopatch groups in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Intune and Azure AD when registering devices into its service.
    1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
      1. **AzureADDeviceID**
      2. **OperatingSystem**
      3. **DisplayName (Device name)**
      4. **AccountEnabled**
      5. **RegistrationDateTime**
      6. **ApproximateLastSignInDateTime**
    2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
    | | **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
    1. **Serial number, model, and manufacturer.**
      1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
    2. **If the device is Intune-managed or not.**
      1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
        1. If **yes**, it means this device is enrolled into Intune.
        2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
      2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
        1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
        2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
      3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
    3. **If the device is a Windows device or not.**
      1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
        1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
        2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
    4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
      1. **Enterprise**
      2. **Pro**
      3. **Pro Workstation**
    5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
      1. **Only managed by Intune.**
        1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
      2. **Co-managed by both Configuration Manager and Intune.**
        1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
          1. **Windows Updates Policies**
          2. **Device Configuration**
          3. **Office Click to Run**
        2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
    | | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
    1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
    2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
    | -| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
    1. **Modern Workplace Devices-Windows Autopatch-First**
      1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
    2. **Modern Workplace Devices-Windows Autopatch-Fast**
    3. **Modern Workplace Devices-Windows Autopatch-Broad**
    | -| **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
    1. **Modern Workplace Devices - All**
      1. This group has all devices managed by Windows Autopatch.
    2. When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
      1. This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
    3. When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
      1. This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
    4. When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
      1. This group has all virtual devices managed by Windows Autopatch.
      | -| **Step 8: Post-device registration** | In post-device registration, three actions occur:
      1. Windows Autopatch adds devices to its managed database.
      2. Flags devices as **Active** in the **Ready** tab.
      3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
        1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
        | -| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Ready** and **Not registered** tabs.
        1. If the device was **successfully registered**, the device shows up in the **Ready** tab.
        2. If **not**, the device shows up in the **Not registered** tab.
        | +| **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to two deployment ring sets, the first one being the service-based deployment ring set represented by the following Azure AD groups:
        1. **Modern Workplace Devices-Windows Autopatch-First**
          1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (**Modern Workplace Devices-Windows Autopatch-Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
        2. **Modern Workplace Devices-Windows Autopatch-Fast**
        3. **Modern Workplace Devices-Windows Autopatch-Broad**
        4. Then the second deployment ring set, the software updates-based deployment ring set represented by the following Azure AD groups:
          • **Windows Autopatch - Ring1**
            • The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD groups (**Windows Autopatch - Test**). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
          • **Windows Autopatch - Ring2**
          • **Windows Autopatch - Ring3**
        | +| **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
        1. **Modern Workplace Devices - All**
          1. This group has all devices managed by Windows Autopatch.
        2. **Modern Workplace Devices - Virtual Machine**
          1. This group has all **virtual devices** managed by Windows Autopatch.
          | +| **Step 8: Post-device registration** | In post-device registration, three actions occur:
          1. Windows Autopatch adds devices to its managed database.
          2. Flags devices as **Active** in the **Registered** tab.
          3. The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
            1. The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
            | +| **Step 9: Review device registration status** | IT admins review the device registration status in both the **Registered** and **Not registered** tabs.
            1. If the device was **successfully registered**, the device shows up in the **Registered** tab.
            2. If **not**, the device shows up in the **Not registered** tab.
            | | **Step 10: End of registration workflow** | This is the end of the Windows Autopatch device registration workflow. | ## Detailed prerequisite check workflow diagram 
@@ -58,3 +60,121 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto
 As described in **step #4** in the previous [Detailed device registration workflow diagram](#detailed-device-registration-workflow-diagram), the following diagram is a visual representation of the prerequisite construct for the Windows Autopatch device registration process. The prerequisite checks are sequentially performed.
 :::image type="content" source="../media/windows-autopatch-prerequisite-check-workflow-diagram.png" alt-text="Detailed prerequisite check workflow diagram" lightbox="../media/windows-autopatch-prerequisite-check-workflow-diagram.png":::
+
+## Windows Autopatch deployment rings
+
+During the tenant enrollment process, Windows Autopatch creates two different deployment ring sets:
+
+- [Service-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#service-based-deployment-rings)
+- [Software update-based deployment ring set](../deploy/windows-autopatch-groups-overview.md#software-based-deployment-rings)
+
+The following four Azure AD assigned groups are used to organize devices for the service-based deployment ring set:
+
+| Service-based deployment ring | Description |
+| ----- | ----- |
+| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing service-based configuration, app deployments prior production rollout |
+| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters. |
+| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption |
+| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization |
+
+The five Azure AD assigned groups that are used to organize devices for the software update-based deployment ring set within the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition):
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+| Software updates-based deployment ring | Description |
+| ----- | ----- |
+| Windows Autopatch - Test | Deployment ring for testing software updates-based deployments prior production rollout. |
+| Windows Autopatch - Ring1 | First production deployment ring for early adopters. |
+| Windows Autopatch - Ring2 | Fast deployment ring for quick rollout and adoption. |
+| Windows Autopatch - Ring3 | Final deployment ring for broad rollout into the organization. |
+| Windows Autopatch - Last | Optional deployment ring for specialized devices or VIP/executives that must receive software update deployments after it’s well tested with early and general populations in an organization. |
+
+In the software-based deployment ring set, each deployment ring has a different set of update deployment policies to control the updates rollout.
+
+> [!CAUTION]
+> Adding or importing devices directly into any of these groups isn't supported. Doing so might affect the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](#moving-devices-in-between-deployment-rings).
+
+> [!IMPORTANT]
+> Windows Autopatch device registration doesn't assign devices to the Test deployment rings of either the service-based (**Modern Workplace Devices-Windows Autopatch-Test**), or software updates-based (**Windows Autopatch – Test and Windows Autopatch – Last**) in the Default Autopatch group. This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments.
+
+During the device registration process, Windows Autopatch assigns each device to a [service-based and software-update based deployment ring](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings) so that the service has the proper representation of device diversity across your organization.
+
+The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment.
+
+> [!NOTE]
+> You can't create additional deployment rings or use your own rings for devices managed by the Windows Autopatch service.
+
+## Default deployment ring calculation logic
+
+The Windows Autopatch deployment ring calculation occurs during the device registration process and it applies to both the [service-based and the software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings):
+
+- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**.
+- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**.
+
+> [!NOTE]
+> You can customize the deployment ring calculation logic by editing the Default Autopatch group.
+
+| Deployment ring | Default device balancing percentage | Description |
+| ----- | ----- | ----- |
+| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
            • **0–500** devices: minimum **one** device.
            • **500–5000** devices: minimum **five** devices.
            • **5000+** devices: minimum **50** devices.
            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| First | **1%** | The First ring is the first group of production users to receive a change.

            This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

            Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

            The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

|
+| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.|
+| Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. |
+
+## Software update-based to service-based deployment ring mapping
+
+There’s a one-to-one mapping in between the service-based and software updates-based deployment rings introduced with Autopatch groups. This mapping is intended to help move devices in between deployment rings for other software update workloads that don’t yet support Autopatch groups such as Microsoft 365 Apps and Microsoft Edge.
+
+| If moving a device to | The device also moves to |
+| ----- | ----- |
+| Windows Autopatch – Test | Modern Workplace Devices-Windows Autopatch-Test |
+| Windows Autopatch – Ring1 | Modern Workplace Devices-Windows Autopatch-First |
+| Windows Autopatch – Ring2 | Modern Workplace Devices-Windows Autopatch-Fast |
+| Windows Autopatch – Ring3 | Modern Workplace Devices-Windows Autopatch-Broad |
+| Windows Autopatch – Last | Modern Workplace Devices-Windows Autopatch-Broad |
+
+If your Autopatch groups have more than five deployment rings, and you must move devices to deployment rings after Ring3. For example, ``. The devices will be moved to **Modern Workplace Devices-Windows Autopatch-Broad**.
+
+## Moving devices in between deployment rings
+
+If you want to move devices to different deployment rings (either service or software update-based), after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Registered** tab.
+
+> [!IMPORTANT]
+> You can only move devices in between deployment rings within the **same** Autopatch group. You can't move devices in between deployment rings across different Autopatch groups. If you try to select a device that belongs to one Autopatch group, and another device that belongs to a different Autopatch group, you'll receive the following error message on the top right corner of the Microsoft Intune portal: "**An error occurred. Please select devices within the same Autopatch group**.
+
+**To move devices in between deployment rings:**
+
+> [!NOTE]
+> You can only move devices to other deployment rings when they're in an active state in the **Registered** tab.
+
+1. In the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), select **Devices** in the left pane.
+1. In the **Windows Autopatch** section, select **Devices**.
+1. In the **Registered** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify.
+1. Select **Device actions** from the menu.
+1. Select **Assign ring**. A fly-in opens.
+1. Use the dropdown menu to select the deployment ring to move devices to, and then select Save. The Ring assigned by column will change to Pending.
+1. When the assignment is complete, the **Ring assigned by** column changes to Admin (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment.
+
+If you don't see the Ring assigned by column change to **Pending** in Step 5, check to see whether the device exists in Microsoft Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory).
+
+> [!WARNING]
+> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings.
+
+## Automated deployment ring remediation functions
+
+Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either:
+
+- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or
+- An issue occurred which prevented devices from getting a deployment ring assigned during the device registration process.
+
+There are two automated deployment ring remediation functions:
+
+| Function | Description |
+| ----- | ----- |
+| Check device deployment ring membership | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test and Windows Autopatch – Last** rings). |
+| Multi-deployment ring device remediator | Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test**, **Windows Autopatch – Test** and **Windows Autopatch – Last** rings). If a device is part of multiple deployment rings, Windows Autopatch randomly removes the device until the device is only part of one deployment ring. |
+
+> [!IMPORTANT]
+> Windows Autopatch automated deployment ring functions don’t assign or remove devices to or from the following deployment rings:
          4. **Modern Workplace Devices-Windows Autopatch-Test**
          5. **Windows Autopatch – Test**
          6. **Windows Autopatch – Last**
7.
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
new file mode 100644
index 0000000000..71ba52fc37
--- /dev/null
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md
@@ -0,0 +1,221 @@
+---
+title: Manage Windows Autopatch groups
+description: This article explains how to manage Autopatch groups
+ms.date: 05/05/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Manage Windows Autopatch groups (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey.
+
+Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates policy for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
+
+## Autopatch groups prerequisites
+
+Before you start managing Autopatch groups, ensure you’ve met the following prerequisites:
+
+- Review [Windows Autopatch groups overview documentation](../deploy/windows-autopatch-groups-overview.md) to understand [key benefits](../deploy/windows-autopatch-groups-overview.md#key-benefits), [concepts](../deploy/windows-autopatch-groups-overview.md#key-concepts) and [common ways to use Autopatch groups](../deploy/windows-autopatch-groups-overview.md#common-ways-to-use-autopatch-groups) within your organization.
+- Ensure the following [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) are created in your tenant:
+ - Modern Workplace Update Policy [Test]-[Windows Autopatch]
+ - Modern Workplace Update Policy [First]-[Windows Autopatch]
+ - Modern Workplace Update Policy [Fast]-[Windows Autopatch]
+ - Modern Workplace Update Policy [Broad]-[Windows Autopatch]
+- Ensure the following [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) are created in your tenant:
+ - Windows Autopatch – DSS Policy [Test]
+ - Windows Autopatch – DSS Policy [First]
+ - Windows Autopatch – DSS Policy [Fast]
+ - Windows Autopatch – DSS Policy [Broad]
+- Ensure the following Azure AD assigned groups are in your tenant before using Autopatch groups. **Don’t** modify the Azure AD group membership types (Assigned or Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups and causes the Autopatch groups feature and other service-related operations to not work properly.
+ - Modern Workplace Devices-Windows Autopatch-Test
+ - Modern Workplace Devices-Windows Autopatch-First
+ - Modern Workplace Devices-Windows Autopatch-Fast
+ - Modern Workplace Devices-Windows Autopatch-Broad
+ - Windows Autopatch – Test
+ - Windows Autopatch – Ring1
+ - Windows Autopatch – Ring2
+ - Windows Autopatch – Ring3
+ - Windows Autopatch – Last
+- Additionally, **don't** modify the Azure AD group ownership of any of the groups above otherwise, Autopatch groups device registration process won't be able to add devices into these groups. If the ownership is modified, you must add the **Modern Workplace Management** Service Principal as the owner of these groups.
+ - For more information, see [assign an owner or member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group) for steps on how to add owners to Azure Azure AD groups.
+- Make sure you have [app-only auth turned on in your Windows Autopatch tenant](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions). Otherwise, the Autopatch groups functionality won’t work properly. Autopatch uses app-only auth to:
+ - Read device attributes to successfully register devices.
+ - Manage all configurations related to the operation of the service.
+- Make sure that all device-based Azure AD groups you intend to use with Autopatch groups are created prior to using the feature.
+ - Review your existing Azure AD group dynamic queries and direct device memberships to avoid having device membership overlaps in between device-based Azure AD groups that are going to be used with Autopatch groups. This can help prevent device conflicts within an Autopatch group or across several Autopatch groups. **Autopatch groups doesn't support user-based Azure AD groups**.
+- Ensure devices used with your existing Azure AD groups meet [device registration prerequisite checks](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration) when being registered with the service. Autopatch groups register devices on your behalf, and devices can be moved to **Registered** or **Not registered** tabs in the Devices blade accordingly.
+
+> [!TIP]
+> [Update rings](/mem/intune/protect/windows-10-update-rings) and [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies that are created and managed by Windows Autopatch can be restored using the [Policy health](../operate/windows-autopatch-policy-health-and-remediation.md) feature. For more information on remediation actions, see [restore Windows update policies](../operate/windows-autopatch-policy-health-and-remediation.md#restore-windows-update-policies).
+
+> [!NOTE]
+> During the public preview, Autopatch groups opt-in page will show a banner to let you know when one or more prerequisites are failing. Once you remediate the issue to meet the prerequisites, it can take up to an hour for your tenant to have the "Use preview" button available.
+
+## Create a Custom Autopatch group
+
+> [!NOTE]
+> The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition.
+
+**To create a Custom Autopatch group:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, select **Autopatch groups (preview)**.
+1. Only during the public preview:
+ 1. Review the [Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md) and the [Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md).
+ 1. Select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Autopatch groups. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+1. In the **Autopatch groups** blade, select **Create**.
+1. In **Basics** page, enter a **name** and a **description** then select **Next: Deployment rings**.
+ 1. Enter up to 64 characters for the Autopatch group name and 150 characters maximum for the description. The Autopatch group name is appended to both the update rings and the DSS policy names that get created once the Custom Autopatch group is created.
+1. In **Deployment rings** page, select **Add deployment ring** to add the number of deployment rings to the Custom Autopatch group.
+1. Each new deployment ring added must have either an Azure AD device group assigned to it, or an Azure AD group that is dynamically distributed across your deployments rings using defined percentages.
+ 1. In the **Dynamic groups** area, select **Add groups** to select one or more existing device-based Azure AD groups to be used for Dynamic group distribution.
+ 1. In the **Dynamic group distribution** column, select the desired deployment ring checkbox. Then, either:
+ 1. Enter the percentage of devices that should be added from the Azure AD groups selected in step 9. The percentage calculation for devices must equal to 100%, or
+ 1. Select **Apply default dynamic group distribution** to use the default values.
+1. In the **Assigned group** column, select **Add group to ring** to add an existing Azure AD group to any of the defined deployment rings. The **Test** and **Last** deployment rings only support Assigned group distribution. These deployment rings don't support Dynamic distribution.
+1. Select **Next: Windows Update settings**.
+1. Select the **horizontal ellipses (…)** > **Manage deployment cadence** to [customize your gradual rollout of Windows quality and feature updates](../operate/windows-autopatch-windows-update.md). Select **Save**.
+1. Select the **horizontal ellipses (…)** > **Manage notifications** to customize the end-user experience when receiving Windows updates. Select **Save**.
+1. Select **Review + create** to review all changes made.
+1. Once the review is done, select **Create** to save your custom Autopatch group.
+
+> [!CAUTION]
+> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from finish creating or editing the Autopatch group (Default or Custom).
+
+> [!IMPORTANT]
+> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+
+## Edit the Default or a Custom Autopatch group
+
+**To edit either the Default or a Custom Autopatch group:**
+
+1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit.
+1. You can only modify the **description** of the Default or a Custom Autopatch group. You **can’t** modify the name. Once the description is modified, select **Next: Deployment rings**.
+1. Make the necessary changes in the **Deployment rings** page, then select **Next: Windows Update settings**.
+1. Make the necessary changes in the **Windows Update settings** page, then select **Next: Review + save**.
+1. Select **Review + create** to review all changes made.
+1. Once the review is done, select **Save** to finish editing the Autopatch group.
+
+> [!IMPORTANT]
+> Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience.
+
+## Delete a Custom Autopatch group
+
+You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group.
+
+**To delete a Custom Autopatch group:**
+
+1. Select the **horizontal ellipses (…)** > **Delete** for the Custom Autopatch group you want to delete.
+1. Select **Yes** to confirm you want to delete the Custom Autopatch group.
+
+> [!CAUTION]
+> You can’t delete a Custom Autopatch group when it’s being used as part of one or more active or paused feature update releases. However, you can delete a Custom Autopatch group when the release for either Windows quality or feature updates have either the **Scheduled** or **Paused** statuses.
+
+## Manage device conflict scenarios when using Autopatch groups
+
+> [!IMPORTANT]
+> The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected.
+> For more information on what to expect for this scenario during public preview, see [Known issues](#known-issues).
+
+Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups.
+
+Since Autopatch groups allow you to use your existing Azure AD groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur.
+
+> [!CAUTION]
+> A device-based Azure AD group can only be used with one deployment ring in an Autopatch group at a time. This applies to deployment rings within the same Autopatch group and across different deployment rings across different Autopatch groups. If you try to create or edit an Autopatch group to use a device-based Azure AD group that’s been already used, you'll receive an error that prevents you from creating or editing the Autopatch group (Default or Custom).
+
+### Device conflict in deployment rings within an Autopatch group
+
+Autopatch groups uses the following logic to solve device conflicts on your behalf within an Autopatch group:
+
+| Step | Description |
+| ----- | ----- |
+| Step 1: Checks for the deployment ring distribution type (**Assigned** or **Dynamic**) that the device belongs to. | For example, if a device is part of one deployment ring with **Dynamic** distribution (Ring3), and one deployment ring with **Assigned** distribution (Test,) within the same Autopatch group, the deployment ring with **Assigned** distribution (Test) takes precedence over the one with the **Dynamic** distribution type (Ring3). |
+| Step 2: Checks for deployment ring ordering when device belongs to one or more deployment ring with the same distribution type (**Assigned** or **Dynamic**) | For example, if a device is part of one deployment ring with **Assigned** distribution (Test), and in another deployment ring with **Assigned** distribution (Ring3) within the **same** Autopatch group, the deployment ring that comes later (Ring3) takes precedence over the deployment ring that comes earlier (Test) in the deployment ring order. |
+
+> [!IMPORTANT]
+> When a device belongs to a deployment ring that has combined distribution types (**Assigned** and **Dynamic**), and a deployment ring that has only the **Dynamic** distribution type, the deployment ring with the combined distribution types takes precedence over the one with only the **Dynamic** distribution. If a device belongs to two deployment rings that have combined distribution types (**Assigned** and **Dynamic**), the deployment ring that comes later takes precedence over the deployment ring that comes earlier in the deployment ring order.
+
+### Device conflict across different Autopatch groups
+
+Device conflict across different deployment rings in different Autopatch groups may occur, review the following examples about how the Windows Autopatch services handles the following scenarios:
+
+#### Default to Custom Autopatch group device conflict
+
+| Conflict scenario | Conflict resolution |
+| ----- | ----- |
+| You, the IT admin at Contoso Ltd., starts using only the Default Autopatch group, but later decides to create an Autopatch group called “Marketing”.

            However, you notice that the same devices that belong to the deployment rings in the Default Autopatch group are now also part of the new deployment rings in the Marketing Autopatch group.

            | Autopatch groups automatically resolve this conflict on your behalf.

            In this example, devices that belong to the deployment rings as part of the “Marketing” Autopatch group take precedence over devices that belong to the deployment ring in the Default Autopatch group, because you, the IT admin, demonstrated clear intent on managing deployment rings using a Custom Autopatch group outside the Default Autopatch group.

            | + +#### Custom to Custom Autopatch group device conflict + +| Conflict scenario | Conflict resolution | +| ----- | ----- | +| You, the IT admin at Contoso Ltd., are using several Custom Autopatch groups. While navigating through devices in the Windows Autopatch Devices blade (**Not ready** tab), you notice that the same device is part of different deployment rings across several different Custom Autopatch groups. | You must resolve this conflict.

            Autopatch groups informs you about the device conflict in the **Devices** > **Not ready** tab. You’re required to manually indicate which of the existing Custom Autopatch groups the device should exclusively belong to.

            | + +#### Device conflict prior device registration + +When you create or edit the Custom or Default Autopatch group, Windows Autopatch checks if the devices that are part of the Azure AD groups, used in Autopatch groups’ deployment rings, are registered with the service. + +| Conflict scenario | Conflict resolution | +| ----- | ----- | +| Devices are in the Custom-to-Custom Autopatch group device conflict scenario | You must resolve this conflict.

            Devices will fail to register with the service and will be sent to the **Not registered** tab. You’re required to make sure the Azure AD groups that are used with the Custom Autopatch groups don’t have device membership overlaps.

|
+
+#### Device conflict post device registration
+
+Autopatch groups will keep monitoring for all device conflict scenarios listed in the [Manage device conflict scenarios when using Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#manage-device-conflict-scenarios-when-using-autopatch-groups) section even after devices were successfully registered with the service.
+
+## Known issues
+
+This section lists known issues with Autopatch groups during its public preview.
+
+### Device conflict scenarios when using Autopatch groups
+
+- **Status: Active**
+
+The Windows Autopatch team is aware that all device conflict scenarios listed below are currently being evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post-device registration. The Windows Autopatch team is currently developing detection and resolution for the followin device conflict scenarios, and plan to make them available during public preview.
+
+- Default to Custom Autopatch device conflict detection and resolution.
+- Device conflict detection and resolution within an Autopatch group.
+- Custom to Custom Autopatch group device conflict detection.
+
+> [!TIP]
+> Use the following two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview:
+>
+> - Review your software update deployment requirements thoroughly. If your deployment requirements allow, try using the Default Autopatch group as much as possible, instead of start creating Custom Autopatch groups. You can customize the Default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences.
+> - If creating Custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with Windows Autopatch, and already belong to the Default Autopatch group.
+
+### Autopatch group Azure AD group remediator
+
+- **Status: Active**
+
+The Windows Autopatch team is aware that the Windows Autopatch service isn't automatically restoring the Azure AD groups that get created during the Autopatch groups creation/editing process. If the following Azure AD groups, that belong to the Default Autopatch group and other Azure AD groups that get created with Custom Autopatch groups, are deleted or renamed, they won't be automatically remediated on your behalf yet:
+
+- Windows Autopatch – Test
+- Windows Autopatch – Ring1
+- Windows Autopatch – Ring2
+- Windows Autopatch – Ring3
+- Windows Autopatch – Last
+
+The Windows Autopatch team is currently developing the Autopatch group Azure AD group remediator feature and plan to make it available during public preview.
+
+> [!NOTE]
+> The Autopatch group remediator won't remediate the service-based deployment rings:
+>
+> - Modern Workplace Devices-Windows Autopatch-Test
+> - Modern Workplace Devices-Windows Autopatch-First
+> - Modern Workplace Devices-Windows Autopatch-Fast
+> - Modern Workplace Devices-Windows Autopatch-Broad
+>
+> Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups).
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
new file mode 100644
index 0000000000..730fc16ec4
--- /dev/null
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-overview.md
@@ -0,0 +1,253 @@
+---
+title: Windows Autopatch groups overview
+description: This article explains what Autopatch groups are
+ms.date: 05/03/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows Autopatch groups overview (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+As organizations move to a managed-service model where Microsoft manages update processes on their behalf, they’re challenged with having the right representation of their organizational structures followed by their own deployment cadence. Windows Autopatch groups helps organizations manage updates in a way that makes sense for their businesses with no extra cost or unplanned disruptions.
+
+## What are Windows Autopatch groups?
+
+Autopatch groups is a logical container or unit that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates).
+
+## Key benefits
+
+Autopatch groups help Microsoft Cloud-Managed services meet organizations where they are in their update management journey. Key benefits include:
+
+| Benefit | Description |
+| ----- | ----- |
+| Replicating your organizational structure | You can set up Autopatch groups to replicate your organizational structures represented by your existing device-based Azure AD group targeting logic. |
+| Having a flexible number of deployments | Autopatch groups give you the flexibility of having the right number of deployment rings that work within your organization. You can set up to 15 deployment rings per Autopatch group. |
+| Deciding which device(s) belong to deployment rings | Along with using your existing device-based Azure AD groups and choosing the number of deployment rings, you can also decide which devices belong to deployment rings during the device registration process when setting up Autopatch groups. |
+| Choosing the deployment cadence | You choose the right software update deployment cadence for your business.
| + +## High-level architecture diagram overview + +:::image type="content" source="../media/windows-autopatch-groups-high-level-architecture-diagram.png" alt-text="Overview of the device registration process" lightbox="../media/windows-autopatch-groups-high-level-architecture-diagram.png"::: + +Autopatch groups is a function app that is part of the device registration micro service within the Windows Autopatch service. The following table explains the high-level workflow: + +| Step | Description | +| ----- | ----- | +| Step 1: Create an Autopatch group | Create an Autopatch group. | +| Step 2: Windows Autopatch uses Microsoft Graph to create Azure AD and policy assignments | Windows Autopatch service uses Microsoft Graph to coordinate the creation of:
            • Azure AD groups
            • Software update policy assignments with other Microsoft services, such as Azure AD, Intune, and Windows Update for Business (WUfB) based on IT admin choices when you create or edit an Autopatch group.
            | +| Step 3: Intune assigns software update policies | Once Azure AD groups are created in the Azure AD service, Intune is used to assign the software update policies to these groups and provide the number of devices that need the software update policies to the Windows Update for Business (WUfB) service. | +| Step 4: Windows Update for Business responsibilities | Windows Update for Business (WUfB) is the service responsible for:
            • Delivering those update policies
            • Retrieving update deployment statuses back from devices
            • Sending back the status information to Microsoft Intune, and then to the Windows Autopatch service
            | + +## Key concepts + +There are a few key concepts to be familiar with before using Autopatch groups. + +### About the Default Autopatch group + +> [!NOTE] +> The Default Autopatch group is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +The Default Autopatch group uses Windows Autopatch’s default update management process recommendation. The Default Autopatch group contains: + +- A set of **[five deployment rings](#default-deployment-ring-composition)** +- A default update deployment cadence for both [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md) and [feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md). + +The Default Autopatch group is intended to serve organizations that are looking to: + +- Enroll into the service +- Align to Windows Autopatch’s default update management process without requiring additional customizations. + +The Default Autopatch group **can’t** be deleted or renamed. However, you can customize its deployment ring composition to add and/or remove deployment rings, and you can also customize the update deployment cadences for each deployment ring within it. + +#### Default deployment ring composition + +By default, the following [software update-based deployment rings](#software-based-deployment-rings), represented by Azure AD assigned groups, are used: + +- Windows Autopatch – Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +**Windows Autopatch – Test** and **Last** can be only used as **Assigned** device distributions. **Windows Autopatch – Ring1**, **Ring2** and **Ring3** can be used with either **Assigned** or **Dynamic** device distributions, or have a combination of both device distribution types. 
+
+> [!TIP]
+> For more information about the differences between **Assigned** and **Dynamic** deployment ring distribution types, see [about deployment rings](#about-deployment-rings). Only deployment rings that are placed in between the **Test** and the **Last** deployment rings can be used with the **Dynamic** deployment ring distributions.
+
+> [!CAUTION]
+> These and other Azure AD assigned groups created by Autopatch groups **can't** be missing in your tenant, otherwise, Autopatch groups might not function properly.
+
+The **Last** deployment ring, the fifth deployment ring in the Default Autopatch group, is intended to provide coverage for scenarios where a group of specialized devices and/or VIP/Executive users. They must receive software update deployments after the organization’s general population to mitigate disruptions to your organization’s critical businesses.
+
+#### Default update deployment cadences
+
+The Default Autopatch group provides a default update deployment cadence for its deployment rings except for the **Last** (fifth) deployment ring.
+
+##### Update rings policy for Windows 10 and later
+
+Autopatch groups set up the [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) for each of its deployment rings in the Default Autopatch group.
See the following default policy values: + +| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes | +| Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes | +| Windows Autopatch Update Policy - default - Ring2 | Windows Autopatch - Ring2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes | +| Windows Autopatch Update Policy - default - Ring3 | Windows Autopatch - Ring3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes | +| Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes | + +##### Feature update policy for Windows 10 and later + +Autopatch groups set up the [feature updates for Windows 10 and later policies](/mem/intune/protect/windows-10-feature-updates) for each of its deployment rings in the Default Autopatch group, see the following default policy values: + +| Policy name | Azure AD group assignment |Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date | +| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | +| Windows Autopatch - DSS Policy [Test] | Windows Autopatch - Test | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring1] | Windows Autopatch - Ring1 | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring2] | Windows Autopatch - Ring2 | Windows 10 20H2 | Make update available as 
soon as possible | December 14, 2022 | December 21, 2022 | 1 | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Ring3] | Windows Autopatch - Ring3 | Windows 10 20H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | May 8, 2023; 7:00PM | +| Windows Autopatch - DSS Policy [Last] | Windows Autopatch - Last | Windows 10 20H2 | Make update available as soon as possible | December 15, 2022 | December 29, 2022 | 1 | May 8, 2023; 7:00PM | + +### About Custom Autopatch groups + +> [!NOTE] +> The [Default Autopatch group](#about-the-default-autopatch-group) is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +Custom Autopatch groups are intended to help organizations that require a more precise representation of their organization's structures along with their own update deployment cadence in the service. + +By default, a Custom Autopatch group has the Test and Last deployment rings automatically present. For more information, see [Test and Last deployment rings](#about-the-test-and-last-deployment-rings). + +### About deployment rings + +Deployment rings make it possible for an Autopatch group to have software update deployments sequentially delivered in a gradual rollout within the Autopatch group. + +Windows Autopatch aligns with Azure AD and Intune terminology for device group management. There are two types of deployment ring group distribution in Autopatch groups: + +| Deployment ring distribution | Description | +| ----- | ----- | +| Dynamic | You can use one or more device-based Azure AD groups, either dynamic query-based or assigned to use in your deployment ring composition.

            Azure AD groups that are used with the Dynamic distribution type can be used to distribute devices across several deployment rings based on percentage values that can be customized.

            | +| Assigned | You can use one single device-based Azure AD group, either dynamic query-based, or assigned to use in your deployment ring composition. | +| Combination of Dynamic and Assigned | To provide a greater level of flexibility when working on deployment ring compositions, you can combine both device distribution types in Autopatch groups.

            The combination of Dynamic and Assigned device distribution is **not** supported for the Test and Last deployment ring in Autopatch groups.

            | + +#### About the Test and Last deployment rings + +Both the **Test** and **Last** deployment rings are default deployment rings that are automatically present in the Default Autopatch group and Custom Autopatch groups. These default deployment rings provide the recommended minimum number of deployment rings that an Autopatch group should have. + +If you only keep Test and Last deployment rings in your Default Autopatch group, or you don't add more deployment rings when creating a Custom Autopatch group, the Test deployment ring can be used as the pilot deployment ring and Last can be used as the production deployment ring. + +> [!IMPORTANT] +> Both the **Test** and **Last** deployment rings **can't** be removed or renamed from the Default or Custom Autopatch groups. Autopatch groups don't support the use of one single deployment ring as part of its deployment ring composition because you need at least two deployment rings for their gradual rollout. If you must implement a specific scenario with a single deployment ring, and gradual rollout isn’t required, consider managing these devices outside Windows Autopatch. + +> [!TIP] +> Both the **Test** and **Last** deployment rings only support one single Azure AD group assignment at a time. If you need to assign more than one Azure AD group, you can nest the other Azure AD groups under the ones you plan to use with the **Test** and **Last** deployment rings. Only one level of Azure AD group nesting is supported. + +#### Service-based versus software update-based deployment rings + +Autopatch groups creates two different layers. Each layer contains its own deployment ring set. + +> [!IMPORTANT] +> Both service-based and software update-based deployment ring sets are, by default, assigned to devices that successfully register with Windows Autopatch. 
+
+##### Service-based deployment rings
+
+The service-based deployment ring set is exclusively used to keep Windows Autopatch updated with both service and device-level configuration policies, apps and APIs needed for core functions of the service.
+
+The following are the Azure AD assigned groups that represent the service-based deployment rings. These groups cannot be deleted or renamed:
+
+- Modern Workplace Devices-Windows Autopatch-Test
+- Modern Workplace Devices-Windows Autopatch-First
+- Modern Workplace Devices-Windows Autopatch-Fast
+- Modern Workplace Devices-Windows Autopatch-Broad
+
+> [!CAUTION]
+> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

            Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.

            + +##### Software-based deployment rings + +The software-based deployment ring set is exclusively used with software update management policies, such as the Windows update ring and feature update policies, in the Default Windows Autopatch group. + +The following are the Azure AD assigned groups that represent the software updates-based deployment rings. These groups cannot be deleted or renamed: + +- Windows Autopatch - Test +- Windows Autopatch – Ring1 +- Windows Autopatch – Ring2 +- Windows Autopatch – Ring3 +- Windows Autopatch – Last + +> [!IMPORTANT] +> Additional Azure AD assigned groups are created and added to list when you add more deployment rings to the Default Autopatch group. + +> [!CAUTION] +> **Don’t** modify the Azure AD group membership types (Assigned and Dynamic). Otherwise, the Windows Autopatch service won’t be able to read the device group membership from these groups, and causes the Autopatch groups feature and other service-related operations to not work properly.

            Additionally, it's **not** supported to have Configuration Manager collections directly synced to any Azure AD group created by Autopatch groups.

            + +### About device registration + +Autopatch groups register devices with the Windows Autopatch service when you either [create](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) or [edit a Custom Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group), and/or when you [edit the Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to use your existing Azure AD groups instead of the Windows Autopatch Device Registration group provided by the service. + +## Common ways to use Autopatch groups + +The following are three common uses for using Autopatch groups. + +### Use case #1 + +> [!NOTE] +> The [Default Autopatch group](#about-the-default-autopatch-group) is recommended for organizations that can meet their business needs using the pre-configured five deployment ring composition. + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. And manage several Microsoft and non-Microsoft cloud services. You don’t have extra time to spend setting up and managing several Autopatch groups.

            Your organization currently operates its update management by using five deployment rings, but there’s an opportunity to have flexible deployment cadences if it’s pre-communicated to your end-users.

            | If you don’t have thousands of devices to manage, use the Default Autopatch group for your organization. You can edit the Default Autopatch group to include additional deployment rings and/or slightly modify some of its default deployment cadences.

            The Default Autopatch group is pre-configured and doesn’t require extra configurations when registering devices with the Windows Autopatch service.

            The following is a visual representation of a gradual rollout for the Default Autopatch group pre-configured and fully managed by the Windows Autopatch service.

            | + +:::image type="content" source="../media/autopatch-groups-default-autopatch-group.png" alt-text="Default Autopatch group" lightbox="../media/autopatch-groups-default-autopatch-group.png"::: + +### Use case #2 + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. Your organization needs to plan a gradual rollout of software updates within specific critical business units or departments to help mitigate the risk of end-user disruption. | You can create a Custom Autopatch group for each of your business units, for example, the finance department and breakdown the deployment ring composition per the different user personas or based on how critical certain user groups can be for the department and subsequently for the business.

            The following is a visual representation of a gradual rollout for Contoso’s Finance department.

            | + +:::image type="content" source="../media/autopatch-groups-finance-department-example.png" alt-text="Finance department example" lightbox="../media/autopatch-groups-finance-department-example.png"::: + +> [!IMPORTANT] +> Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings. + +### Use case #3 + +| Scenario | Solution | +| ----- | ----- | +| You’re working as the IT admin at Contoso Ltd. Your branch location in Chicago needs to plan a gradual rollout of software updates within specific departments to make sure the Chicago office doesn’t experience disruptions in its operations. | You can create a Custom Autopatch group for the branch location in Chicago and breakdown the deployment ring composition per the departments within the branch location.

            The following is a visual representation of a gradual rollout for the Contoso Chicago branch location.

|
+
+:::image type="content" source="../media/autopatch-groups-contoso-chicago-example.png" alt-text="Contoso Chicago example" lightbox="../media/autopatch-groups-contoso-chicago-example.png":::
+
+> [!IMPORTANT]
+> Once Autopatch groups are setup, the release of either Windows quality or feature updates will be deployed sequentially through its deployment rings.
+
+## Supported configurations
+
+The following configurations are supported when using Autopatch groups.
+
+### Software update workloads
+
+Autopatch groups works with the following software update workloads:
+
+- [Windows quality updates](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
+- [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
+
+> [!IMPORTANT]
+> [Microsoft Edge](../operate/windows-autopatch-edge.md) and [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) are supported through the (classic) service-based deployment rings. Other software update workloads aren’t currently supported.
+
+### Maximum number of Autopatch groups
+
+Windows Autopatch will support up to 50 Autopatch groups in your tenant. You can create up to 49 [Custom Autopatch groups](#about-custom-autopatch-groups) in addition to the [Default Autopatch group](#about-the-default-autopatch-group). Each Autopatch group supports up to 15 deployment rings.
+
+> [!TIP]
+> If you reach the maximum number of Autopatch groups supported (50), and try to create more Custom Autopatch groups, the "**Create**" option in the Autopatch groups blade will be greyed out.
+
+To manage your Autopatch groups, see [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md).
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index fcc1e157cf..55ddc49938 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
 ---
 title: Register your devices
 description: This article details how to register devices in Autopatch
-ms.date: 02/03/2023
+ms.date: 05/01/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -20,14 +20,25 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev
 Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads:
-- [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
-- [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
-- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
-- [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
-- [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
+- Windows quality updates
+  - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
+  - [Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md)
+- Windows feature updates
+  - [Autopatch groups experience](../operate/windows-autopatch-groups-windows-feature-update-overview.md)
+  - [Classic experience](../operate/windows-autopatch-windows-feature-update-overview.md)
+- The following software update workloads use the Classic experience:
+  - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
+  - [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
+  - [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
 ### About the use of an Azure AD group to register devices
+Windows Autopatch provides two methods of registering devices with its service, the [Classic](#classic-device-registration-method) and the Autopatch groups device registration method.
+ +#### Classic device registration method + +This method is intended to help organizations that don’t require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) to register devices. + You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: - Direct membership 
@@ -36,17 +47,31 @@ You must choose what devices to manage with Windows Autopatch by adding them to
 Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.
-> [!NOTE]
-> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand.
+You can also use the **Discover devices** button in either the Registered or Not ready tab to register devices on demand. The **Discover devices** button scans for devices to be registered in the **Windows Autopatch Device Registration** or any other Azure AD group used with either the Default or Custom Autopatch groups.
-#### Supported scenarios when nesting other Azure AD groups
+#### Windows Autopatch groups device registration method
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+This method is intended to help organizations that require the use of [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups) or additional customizations to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
+
+When you either create/edit a Custom Autopatch group or edit the Default Autopatch group to add or remove deployment rings, the device-based Azure AD groups you use when setting up your deployment rings are scanned to see if devices need to be registered with the Windows Autopatch service.
+
+If devices aren’t registered, Autopatch groups starts the device registration process by using your existing device-based Azure AD groups instead of the Windows Autopatch Device Registration group.
+
+For more information, see [create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [edit Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) to register devices using the Autopatch groups device registration method.
+
+##### Supported scenarios when nesting other Azure AD groups
 Windows Autopatch also supports the following Azure AD nested group scenarios: Azure AD groups synced up from:
-- On-premises Active Directory groups (Windows Server AD).
-- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync).
+- On-premises Active Directory groups (Windows Server AD)
+- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync)
+
+The Azure AD groups apply to both the [Classic](#classic-device-registration-method) and the [Autopatch group device registration](#windows-autopatch-groups-device-registration-method) methods.
> [!WARNING]
 > It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group.
@@ -63,10 +88,13 @@ In the dual state, you end up having two Azure AD device records with different
 It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices).
 > [!WARNING]
-> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices are not enrolled into the Intune service anymore.
+> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices aren't enrolled into the Intune service anymore.
 ## Prerequisites for device registration
+> [!IMPORTANT]
+> The following prerequisites apply to both the [Classic](#classic-device-registration-method) and the [Autopatch groups device registration](#windows-autopatch-groups-device-registration-method) methods.
+
 To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
 - Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture).
@@ -83,31 +111,34 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set
 > [!NOTE]
 > Windows Autopatch doesn't support device emulators that don't generate the serial number, model and manufacturer information. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** prerequisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
-> [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md).
-## About the Ready, Not ready and Not registered tabs
+## About the Registered, Not ready and Not registered tabs
-Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness statuses so IT admin knows where to go to monitor, and fix potential device health issues.
+> [!IMPORTANT]
+> Devices registered through either the [Classic](#classic-device-registration-method) or the [Autopatch groups device registration method](#windows-autopatch-groups-device-registration-method) can appear in the Registered, Not ready, or Not registered tabs. When devices successfully register with the service, the devices are listed in the Registered tab. However, even if the device(s)is successfully registered, they can be part of Not ready tab. If devices fail to register, the devices are listed in the Not registered tab.
+
+Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness statuses so the IT admin knows where to go to monitor, and fix potential device health issues.
 | Device blade tab | Purpose | Expected device readiness status |
 | ----- | ----- | ----- |
-| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active |
+| Registered | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active |
 | Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. However, these devices aren't ready to have one or more software update workloads managed by the service.
| Readiness failed and/or Inactive |
-| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed |
+| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Prerequisites failed |
 ## Device readiness statuses
-See all possible device readiness statuses in Windows Autopatch:
+The following are the possible device readiness statuses in Windows Autopatch:
 | Readiness status | Description | Device blade tab |
 | ----- | ----- | ----- |
-| Active | Devices with this status successfully passed all prerequisite checks and then successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready |
+| Active | Devices with this status successfully passed all prerequisite checks and then successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Registered |
 | Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready |
 | Inactive | Devices with this status haven't communicated with Microsoft Intune in the last 28 days.
| Not ready |
-| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered |
+| Prerequisites failed | Devices with this status haven't passed one or more prerequisite checks and haven't successfully registered with Windows Autopatch | Not registered |
 ## Built-in roles required for device registration
@@ -120,7 +151,7 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role
 If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process:
-| Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
+| Azure AD Group name | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
 | ----- | ----- | ----- | ----- | ----- | ----- |
 | Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes |
 | Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No |
@@ -133,30 +164,36 @@ If you want to assign less-privileged user accounts to perform specific tasks in
 Registering your devices with Windows Autopatch does the following:
 1. Makes a record of devices in the service.
-2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software update management.
+2. Assign devices to the [two deployment ring sets](../deploy/windows-autopatch-groups-overview.md#about-deployment-rings) and other groups required for software update management.
 For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md).
-## Steps to register devices
+## Steps to register devices using the classic method
+
+> [!IMPORTANT]
+> For more information, see [Create Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group) and [Edit Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group) on how to register devices using the Autopatch groups device registration method.
+
+Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy.
+
+For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads).
-Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices should be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group.
-**To register devices with Windows Autopatch:**
+**To register devices with Windows Autopatch using the classic method:**
 1. Go to the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 2. Select **Devices** from the left navigation menu.
 3. Under the **Windows Autopatch** section, select **Devices**.
-4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
+4. Select either the **Registered** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
 > [!NOTE]
-> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service.
Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs.
+> The **Windows Autopatch Device Registration** hyperlink is in the center of the Registered tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Registered** and **Not registered** tabs.
 Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service.
 > [!TIP]
-> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf.
+> You can also use the **Discover Devices** button in either one of the **Registered**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf.
 ### Windows Autopatch on Windows 365 Enterprise Workloads
@@ -177,11 +214,14 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W
 For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy).
+> [!IMPORTANT]
+> Starting in May 2023, Windows 365 Cloud PC devices are assigned to two deployment ring sets, the service-based and the software-based deployment rings. Additionally, once registered with Windows Autopatch, Windows 365 Cloud PC devices are automatically added to the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group). For more information, see [service-based versus software update-based deployment ring sets](../deploy/windows-autopatch-groups-overview.md#service-based-versus-software-update-based-deployment-rings).
+
 ### Windows Autopatch on Azure Virtual Desktop workloads
-Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing [device registration process](#steps-to-register-devices).
+Windows Autopatch is available for your Azure Virtual Desktop workloads. Enterprise admins can provision their Azure Virtual Desktop workloads to be managed by Windows Autopatch using the existing device registration process.
-Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#steps-to-register-devices). However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified.
+Windows Autopatch provides the same scope of service with virtual machines as it does with [physical devices](#steps-to-register-devices-using-the-classic-method).
However, Windows Autopatch defers any Azure Virtual Desktop specific support to [Azure support](#contact-support-for-device-registration-related-incidents), unless otherwise specified.
 #### Prerequisites
@@ -199,7 +239,7 @@ The following Azure Virtual Desktop features aren’t supported:
 #### Deploy Autopatch on Azure Virtual Desktop
-Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#steps-to-register-devices). For more information, see [Register your devices](#steps-to-register-devices).
+Azure Virtual Desktop workloads can be registered into Windows Autopatch by using the same method as your [physical devices](#steps-to-register-devices-using-the-classic-method).
 For ease of deployment, we recommend nesting a dynamic device group in your Autopatch device registration group. The dynamic device group would target the **Name** prefix defined in your session host, but **exclude** any Multi-Session Session Hosts. For example:
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png b/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png
new file mode 100644
index 0000000000..44580586e9
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-contoso-chicago-example.png differ
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png b/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png
new file mode 100644
index 0000000000..73a32e8635
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-default-autopatch-group.png differ
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png b/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png
new file mode 100644
index 0000000000..259dcafcdf
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-finance-department-example.png differ
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png
new file mode 100644
index 0000000000..fe35744633
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-1.png differ
diff --git a/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png
new file mode 100644
index 0000000000..bd2b2ec92c
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/autopatch-groups-manage-feature-release-case-2.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png
index a2e0785741..f77684b8c4 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-overview.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png
index f5a8284a8c..abd0c884b1 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png
new file mode 100644
index 0000000000..1be4b61b37
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-groups-high-level-architecture-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png
deleted file mode 100644
index 17b51a71f8..0000000000
Binary files a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png and /dev/null differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
new file mode 100644
index 0000000000..fe0551604d
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-device-alerts.md
@@ -0,0 +1,103 @@
+---
+title: Device alerts
+description: Provide notifications and information about the necessary steps to keep your devices up to date.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Device alerts (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+Windows Autopatch and Windows Updates use Device alerts to provide notifications and information about the necessary steps to keep your devices up to date. In Windows Autopatch reporting, every device is provided with a section for alerts. If no alerts are listed, no action is needed. Navigate to **Reports** > **Quality update status** or **Feature update status** > **Device** > select the **Device alerts** column. The provided information will help you understand:
+
+- The action(s) that have either been performed by Microsoft and/or Windows Autopatch to keep the device properly updated.
+- The actions you must perform so the device can properly be updated.
+
+> [!NOTE]
+> At any given point, one or both of these actions can be present in your tenant.
+
+## Windows Autopatch alerts
+
+Windows Autopatch alerts are alerts specific to the Windows Autopatch service. These alerts include:
+
+- [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md)
+- [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md)
+
+## Windows quality and feature update alerts
+
+These alerts represent data reported to the Windows Update service related to Windows quality and feature updates. These alerts can help identify actions that must be performed if an update doesn't apply as expected. Alerts are only provided by device that actively reports to the Windows Update service.
+
+## Customer and Microsoft Actions
+
+Windows Autopatch assigns alerts to either Microsoft Action or Customer Action. These assignments give a clear understanding of who has the responsibility to remediate the alert.
+
+| Assignment | Description |
+| ----- | ----- |
+| Microsoft Action | Refers to the responsibility of the Windows Autopatch service to remediate. The actions are performed by Windows Autopatch automatically.
| +| Customer Action | Refers to your responsibility to carry out the appropriate action(s) to resolve the reported alert. | + +## Alert resolutions + +Alert resolutions are provided through the Windows Update service and provide the reason why an update didn’t perform as expected. The recommended actions are general recommendations and if additional assistance is needed, [submit a support request](../operate/windows-autopatch-support-request.md) + +| Alert message | Description | Windows Autopatch recommendation(s) | +| ----- | ----- | ----- | +| `CancelledByUser` | User canceled the update | The Windows Update service has reported the update was canceled by the user.

            It's recommended to work with the end user to allow updates to execute as scheduled.

            | +| `DamagedMedia` | The update file or hard drive is damaged | The Windows Update service has indicated the update payload might be damaged or corrupt.

            It's recommended to run `Chkdsk /F` on the device with administrator privileges, then retry the update. For more information, see [chkdsk](/windows-server/administration/windows-commands/chkdsk?tabs=event-viewer).

            | +| `DeploymentConflict` | Device is in more than one deployment of the same update type. Only the first deployment assigned is effective. | The Windows Update service has reported a policy conflict.

            For more information, see the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DeviceRegistrationInvalidAzureADDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Azure AD Device ID. | The Windows Update service has reported a device registration issue.

            For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DeviceRegistrationInvalidGlobalDeviceId` | The device isn't able to register or authenticate properly with Windows Update because of an invalid Global Device ID. |The Windows Update service has reported that the MSA Service may be disabled preventing Global Device ID assignment.

            Check that the MSA Service is running or able to run on device.

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DeviceRegistrationIssue` | The device isn't able to register or authenticate properly with Windows Update. | The Windows Update service has reported a device registration issue.

            For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DeviceRegistrationNoTrustType` | The device isn't able to register or authenticate properly with Windows Update because it can't establish Trust. | The Windows Update service has reported a device registration issue.

            For more information, see [Windows Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DiskFull` | The installation couldn't be completed because the Windows partition is full. | The Windows Update service has reported there's insufficient disk space to perform the update. Free up disk space on the Windows partition and retry the installation.

            For more information, see [Free up space for Windows Updates](https://support.microsoft.com/windows/free-up-space-for-windows-updates-429b12ba-f514-be0b-4924-ca6d16fa1d65).

            | +| `DownloadCancelled` | Windows Update couldn't download the update because the update server stopped the connection. | The Windows Update service has reported an issue with your update server. Validate your network is working and retry the download. If the alert persists, review your network configuration to make sure that this computer can access the internet.

            For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).

            | +| `DownloadConnectionIssue` | Windows Update couldn't connect to the update server and the update couldn't download. | The Windows Update service has reported an issue connecting to Windows Update. Review your network configuration, and to make sure that this computer can access the internet and Windows Update Online.

            For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DownloadCredentialsIssue` | Windows Update couldn't download the file because the Background Intelligent Transfer Service ([BITS](/windows/win32/bits/about-bits)) couldn't connect to the internet. A proxy server or firewall on your network might require credentials. | The Windows Update service Windows has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client. Retry the download.

            Review your network configuration to make sure that this computer can access the internet. Validate and/or allowlist Windows Update and Delivery Optimization endpoint.

            For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DownloadIssue` | There was an issue downloading the update. | The Windows Update service has reported it failed to connect to Windows Updates. This can often be an issue with an Application Gateway or HTTP proxy, or an issue on the client.

            For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5).and [Endpoints for Delivery Optimization and Windows Update](/windows/deployment/do/waas-delivery-optimization-faq#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DownloadIssueServiceDisabled` | There was a problem with the Background Intelligent Transfer Service (BITS). The BITS service or a service it depends on might be disabled. | The Windows Updates service has reported that the BITS service is disabled. In the local client services, make sure that the Background Intelligent Transfer Service is enabled. If the service isn't running, try starting it manually. For more information, see [Issues with BITS](/windows/win32/bits/about-bits).

            If it will not start, check the event log for errors or [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `DownloadTimeout` | A timeout occurred while Windows tried to contact the update service or the server containing the update's payload. | The Windows Update service has reported it attempted to download the payload and the connection timed out.

            Retry downloading the payload. If not successful, review your network configuration to make sure that this computer can access the internet.

            For more information, see [Check your network connection status](https://support.microsoft.com/windows/check-your-network-connection-status-efb4fb41-f751-567a-f60f-aac9114659a5). |
+| `EndOfService` | The device is on a version of Windows that has passed its end of service date. | Windows Update service has reported the current version is past End of Service. Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

            For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

            | +| `EndOfServiceApproaching` | The device is on a version of Windows that is approaching its end of service date. | Update device to a version that is currently serviced in [Feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).

            For more information on OS versioning, see [Windows 10 release information](/windows/release-health/release-information).

            |
+| `FailureResponseThreshold` | The failure response threshold setting was met for a deployment to which the device belongs. | The Windows Update service has reported the client has hit the Failure Response Threshold. Consider pausing the deployment and assess for issues. If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md). |
+| `FileNotFound` | The downloaded update files can't be found. The Disk Cleanup utility or a non-Microsoft software cleaning tool might have removed the files during cleanup. | Windows Update has reported that the update files couldn't be found, download the update again, and then retry the installation.

            This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `Incompatible` | The system doesn't meet the minimum requirements to install the update. | The Windows Update service has reported the update is incompatible with this device for more details please review the `ScanResult.xml` file in the `C:\WINDOWS\PANTHER folder for "Block Type=Hard`.

            If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `IncompatibleArchitecture` | This update is for a different CPU architecture. | The Windows Update service has reported the update architecture doesn't match the destination architecture, make sure the target operating system architecture matches the host operating system architecture.

            This is **not** typical for Windows Update based environments.

            If this is occurring on a Windows Autopatch managed device, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `IncompatibleServicingChannel` | Device is in a servicing channel that is incompatible with a deployment to which the device belongs. | The Windows Update service has reported the servicing channel on the client isn't compatible with the targeted payload.

            We recommend configuring the device's servicing channel to the [Semi-Annual Enterprise Channel](/windows-server/get-started/servicing-channels-comparison#semi-annual-channel).

            | +| `InstallAccessDenied` | Installer doesn't have permission to access or replace a file. The installer might have tried to replace a file that an antivirus, anti-malware, or a backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations, ensure no other service has a lock or handle on the windows update client folders and retry the installation.

            This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

            | +| `InstalledCancelled` | The installation was canceled. | The Windows Update service has reported the update was canceled by the user.

            It's recommended to work with the end user to allow updates to execute as scheduled.

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `InstallFileLocked` | Installer couldn't access a file that is already in use. The installer might have tried to replace a file that an antivirus, anti-malware, or backup program is currently scanning. | The Windows Update service has reported it couldn't access the necessary system locations.

            Check the files under the `%SystemDrive%\$Windows.~bt` directory and retry the installation.

            This can often occur with third party security products. For more information, see [Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)](https://support.microsoft.com/topic/virus-scanning-recommendations-for-enterprise-computers-that-are-running-windows-or-windows-server-kb822158-c067a732-f24a-9079-d240-3733e39b40bc).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `InstallIssue` | There was an issue installing the update. | The Windows Update service has reported the update installation has failed.

            If the alert persists, run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, then retry the update.

            For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `InstallIssueRedirection` | A known folder that doesn't support redirection to another drive might have been redirected to another drive. | The Windows Update service has reported that the Windows Update file location may be redirected to an invalid location. Check your Windows Installation, and retry the update.

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            |
+| `InstallMissingInfo` | Windows Update doesn't have the information it needs about the update to finish the installation. | The Windows Update service has reported that another update may have replaced the one you're trying to install. Check the update, and then try reinstalling it. |
+| `InstallOutOfMemory` | The installation couldn't be completed because Windows ran out of memory. | The Windows Update service has reported the system doesn't have sufficient system memory to perform the update.

            Restart Windows, then try the installation again.

            If it still fails, allocate more memory to the device, or increase the size of the virtual memory pagefile(s). For more information, see [How to determine the appropriate page file size for 64-bit versions of Windows](/troubleshoot/windows-client/performance/how-to-determine-the-appropriate-page-file-size-for-64-bit-versions-of-windows).

            | +| `InstallSetupError` | Windows Setup encountered an error while installing. | The Windows Update service has reported an error during installation.Review the last reported HEX error code in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) to further investigate.

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `PolicyConflict` | There are client policies (MDM, GP) that conflict with Windows Update settings. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `PolicyConflictDeferral` | The Deferral Policy configured on the device is preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `PolicyConflictPause` | Updates are paused on the device, preventing the update from installing. | The Windows Update service has reported a policy conflict. Review the [Windows Autopatch Policy Health dashboard](../operate/windows-autopatch-policy-health-and-remediation.md).

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            | +| `PostRestartIssue` | Windows Update couldn't determine the results of installing the update. The error is usually false, and the update probably succeeded. | The Windows Update Service has reported the update you're trying to install isn't available.

            No action is required.

            If the update is still available, retry the installation.

            | +| `RollbackInitiated` | A rollback was started on this device, indicating a catastrophic issue occurred during the Windows Setup install process. | The Windows Update service has reported a failure with the update. Run the Setup Diagnostics Tool on the Device or review the HEX error in [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md). **Don’t** retry the installation until the impact is understood.

            For more information, see [SetupDiag - Windows Deployment](/windows/deployment/upgrade/setupdiag).

            | +| `SafeguardHold` | Update can't install because of a known Safeguard Hold. | The Windows Update Service has reported a [Safeguard Hold](/windows/deployment/update/update-compliance-feature-update-status#safeguard-holds) which applies to this device.

            For more information about safeguards, see [Windows 10/11 release information for the affected version(s)](/windows/release-health/release-information).

            | +| `UnexpectedShutdown` | The installation was stopped because a Windows shutdown or restart was in progress. | The Windows Update service has reported Windows was unexpectedly restarted during the update process.

            No action is necessary the update should retry when windows is available.

            If the alert persists, ensure the device remains on during Windows installation.

            | +| `VersionMismatch` | Device is on a version of Windows that wasn't intended by Windows Update. | The Windows Update service has reported that the version of Windows wasn't intended.

            Confirm whether the device is on the intended version.

            | +| `WindowsRepairRequired` | The current version of Windows needs to be repaired before it can be updated. | The Windows Update service has indicated that the service is in need of repair. Run the Startup Repair Tool on this device.

            For more information, see [Windows boot issues – troubleshooting](/troubleshoot/windows-client/performance/windows-boot-issues-troubleshooting#method-1-startup-repair-tool).

            |
+| `WUBusy` | Windows Update can't do this task because it's busy. | The Windows Update service has reported that Windows Update is busy. No action is needed. Restart Windows should and retry the installation. |
+| `WUComponentMissing` | Windows Update might be missing a component, or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.

            Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges, to repair these components. Then retry the update.

            For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

            | +| `WUDamaged` | Windows Update or the update file might be damaged. | The Windows Update service has reported key components for windows update are missing.

            Run "`dism /online /cleanup-image /restorehealth`" on the device with administrator privileges to repair these components. Then retry the update.

            For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) if the command fails. A reinstall of Windows may be required.

            | +| `WUDecryptionIssue` | Windows Update couldn't decrypt the encrypted update file because it couldn't find the proper key. | The Windows Update service has reported it couldn't decrypt the update payload.

            This alert could be a network transit error and may be resolved on its own. If the alert persists, validate any network Riverbeds, Application or http proxies and retry.

            | +| `WUDiskError` | Windows Update encountered an error while reading or writing to the system drive. | The Windows Update service has reported an alert reading or writing to the system disk. This alert is often a client issue with the target system. We recommend running the Windows Update Troubleshooter on the device. Retry the installation.

            For more information, see [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd).

            | +| `WUIssue` | Windows Update couldn't understand the metadata provided by the update service. This error usually indicates a problem with the update. | The Windows Update service has reported an issue with the Update payload. This could be a transient alert.

            If the alert persists, [submit a support request](../operate/windows-autopatch-support-request.md).

            |
+
+## Additional resources
+
+- [Troubleshoot problems updating Windows](https://support.microsoft.com/windows/troubleshoot-problems-updating-windows-188c2b0f-10a7-d72f-65b8-32d177eb136c)
+- [How to use the PC Health Check app](https://support.microsoft.com/windows/how-to-use-the-pc-health-check-app-9c8abd9b-03ba-4e67-81ef-36f37caa7844)
+- [Windows Update Troubleshooter](https://support.microsoft.com/windows/windows-update-troubleshooter-19bc41ca-ad72-ae67-af3c-89ce169755dd)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
new file mode 100644
index 0000000000..fab7bbabbc
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md
@@ -0,0 +1,213 @@
+---
+title: Manage Windows feature update releases
+description: This article explains how you can manage Windows feature updates with Autopatch groups
+ms.date: 05/05/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Manage Windows feature update releases: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            +
+You can create custom releases for Windows feature update deployments in Windows Autopatch.
+
+## Before you begin
+
+Before you start managing custom Windows feature update releases, consider the following:
+
+- If you’re planning on using either the [Default or Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#key-concepts) ensure:
+ - The Default Autopatch group has all deployment rings and deployment cadences you need.
+ - You have created all your Custom Autopatch groups prior to creating custom releases.
+- Review [Windows feature update prerequisites](/mem/intune/protect/windows-10-feature-updates#prerequisites).
+- Review the [Windows feature updates policy limitations](/mem/intune/protect/windows-10-feature-updates#limitations-for-feature-updates-for-windows-10-and-later-policy).
+
+## About the auto-populate automation for release phases
+
+By default, the deployment rings of each Autopatch group will be sequentially assigned to a phase. For example, the first deployment ring of each Autopatch group is assigned to Phase 1, and the second deployment ring of each Autopatch group is assigned to Phase 2, etc.
+
+The following table explains the auto-populating assignment of your deployments rights if you have two Autopatch groups. One Autopatch group is named Finance and the other is named Marketing; each Autopatch group has four (Finance) and five (Marketing) deployment rings respectively.
+
+| Phases | Finance | Marketing
+| ----- | ----- | ----- |
+| Phase 1 | Test | Test |
+| Phase 2 | Ring1 | Ring1 |
+| Phase 3 | Ring2 | Ring2 |
+| Phase 4 | Last | Ring3 |
+
+If the Autopatch groups are edited after a release is created (Active status), the changes to the Autopatch group won’t be reflected unless you create a new custom release.
+
+If you wish to change the auto-populating assignment of your deployment rings to release phases, you can do so by adding, removing, or editing the auto-populated phases.
 +
+### More information about the completion date of a phase
+
+The goal completion date of a phase is calculated using the following formula:
+
+` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days).`
+
+This formula is only applicable for **Deadline-driven** not for Scheduled-driven deployment cadences. For more information, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
+
+> [!IMPORTANT]
+> By default, both the **Deadline for feature updates** and the **Grace period** values are set by Windows Autopatch in every [Update rings for Windows 10 and later policy](/mem/intune/protect/windows-10-update-rings) created by Autopatch groups.
+
+### How to use the Windows feature update blade
+
+Use the Windows feature update blade to check in the overall status of the [default release](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) and the custom ones you create.
+
+**To access the Windows feature update blade:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, under the **Release schedule** tab, select **Windows feature updates**.
+1. In the **Windows feature updates** blade, you can see all the information about the releases. The columns are described in the following table:
+
+| Status | Description |
+| ----- | ----- |
+| Release name | Name of the release |
+| Version to deploy | Version to deploy for the applicable release or phase |
+| Status | Status of the applicable release or phase:
            • Scheduled
            • Active
            • Inactive
            • Paused
            • Canceled
            |
+| First deployment |
            • The date the deployment for the applicable release or phase will begin.
            • Feature update policy for Windows 10 and later is created 24 hours prior to the first deployment date. The service automation runs twice a day at 4:00AM and 4:00PM (UTC).
            • Not all devices within a phase will be offered the feature update on the same date when using gradual rollout.
            |
+| Goal completion date | The date the devices within the release or phases are expected to finish updating. The completion date is calculated using the following formula:

            ` + ( - 1) * Days in between groups (7) + Deadline for feature updates (5) + Grace Period (2)`

            |
+
+#### About release and phase statuses
+
+##### Release statuses
+
+A release is made of one or more phases. The release status is based on the calculation and consolidation of each phase status.
+
+The release statuses are described in the following table:
+
+| Release status | Definition | Options |
+| ----- | ----- | ----- |
+| Scheduled | Release is scheduled and not all phases have yet created its Windows feature update policies |
            • Releases with the **Scheduled status** can't be canceled but can have its deployment cadence edited as not all phases have yet created its Windows feature update policies.
            • Autopatch groups and its deployment rings that belong to a **Scheduled** release can't be assigned to another release.
            |
+| Active | All phases in the release are active. This means all phases have reached their first deployment date, which created the Windows feature update policies. |
            • Release can be paused but can't be edited or canceled since the Windows feature update policy was already created for its phases.
            • Autopatch groups and their deployment rings can be assigned to another release.
            |
+| Inactive | All the Autopatch groups within the release have been assigned to a new release. As a result, the Windows feature update policies were unassigned from all phases from within the release. |
            • Release can be viewed as a historical record.
            • Releases can't be deleted, edited, or canceled.
            |
+| Paused | All phases in the release are paused. The release will remain paused until you resume it. |
            • Releases with Paused status can't be edited or canceled since the Windows feature update policy was already created for its phases.
            • Release can be resumed.
            |
+
+##### Phase statuses
+
+A phase is made of one or more Autopatch group deployment rings. Each phase reports its status to its release.
+
+> [!IMPORTANT]
+> The determining factor that makes a phase status transition from **Scheduled** to **Active** is when the service automatically creates the Windows feature update policy for each Autopatch group deployment ring. Additionally, the phase status transition from **Active** to **Inactive** occurs when Windows feature update policies are unassigned from the Autopatch groups that belong to a phase. This can happen when an Autopatch group and its deployment rings are re-used as part of a new release.
+
+| Phase status | Definition |
+| ----- | ----- |
+| Scheduled | The phase is scheduled but hasn’t reached its first deployment date yet. The Windows feature update policy hasn’t been created for the respective phase yet. |
+| Active | The first deployment date has been reached. The Windows feature update policy has been created for the respective phase. |
+| Inactive | All Autopatch groups within the phase were re-assigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. |
+| Paused | Phase is paused. You must resume the phase. |
+
+#### Details about Windows feature update policies
+
+Windows Autopatch creates one Windows feature update policy per phase using the following naming convention:
+
+`Windows Autopatch – DSS policy – – Phase `
+
+These policies can be viewed in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 +
+The following table is an example of the Windows feature update policies that were created for phases within a release:
+
+| Policy name | Feature update version | Rollout options | First deployment date| Final deployment date availability | Day between groups | Support end date |
+| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 1 | Windows 10 21H2 | Make update available as soon as possible | April 24, 2023 | April 24, 2023 | N/A | June 10, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 2 | Windows 10 21H2 | Make update available as soon as possible | June 26, 2023 | July 17, 2023 | 7 | June 10, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 3 | Windows 10 21H2 | Make update available as soon as possible | July 24, 2023 | August 14, 2023 | 7 | June 10, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 4 | Windows 10 21H2 | Make update available as soon as possible | August 28, 2023 | September 10, 2023 | 7 | June 10, 2024 |
+| Windows Autopatch - DSS Policy - My feature update release – Phase 5 | Windows 10 21H2 | Make update available as soon as possible | September 25, 2023 | October 16, 2023 | 7 | June 10, 2024 |
+
+## Create a custom release
+
+**To create a custom release:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, select **Release schedule**, then **Windows feature updates**.
+1. In the **Windows feature updates** blade, select **New release**.
+1. In the **Basics** page:
+ 1. Enter a **Name** for the custom release.
+ 2. Select the **Version** to deploy.
+ 3. Enter a **Description** for the custom release.
+ 4. Select **Next**.
+1. 
In the **Autopatch groups** page, choose one or more existing Autopatch groups you want to include in the custom release, then select Next.
+1. You can't choose Autopatch groups that are already part of an existing custom release. Select **Autopatch groups assigned to other releases** to review existing assignments.
+1. In the Release phases page, review the number of auto-populated phases. You can Edit, Delete and Add phase based on your needs. Once you’re ready, select **Next**. **Before you proceed to the next step**, all deployment rings must be assigned to a phase, and all phases must have deployment rings assigned.
+1. In the **Release schedule** page, choose **First deployment date**, and the number of **Gradual rollout groups**, then select **Next**. **You can only select the next day**, not the current day, as the first deployment date. The service creates feature update policy for Windows 10 and later twice a day at 4:00AM and 4:00PM (UTC) and can’t guarantee that the release will start at the current day given the UTC variance across the globe.
+ 1. The **Goal completion date** only applies to the [Deadline-driven deployment cadence type](../operate/windows-autopatch-groups-windows-update.md#deadline-driven). The Deadline-drive deployment cadence type can be specified when you configure the Windows Updates settings during the Autopatch group creation/editing flow.
+ 2. Additionally, the formula for the goal completion date is ` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`.
+1. In the **Review + create** page, review all settings. Once you’re ready, select **Create**.
+
+## Edit a release
+
+> [!NOTE]
+> Only custom releases that have the **Scheduled** status can be edited. A release phase can only be edited prior to reaching its first deployment date. Additionally, you can only edit the deployment dates when editing a release.
+
+**To edit a custom release:**
+
+1. 
Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release schedule** tab, select **Windows feature updates**.
+1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > Edit to customize your gradual rollout of your feature updates release, then select **Save**.
+ 1. Only the release schedule can be customized when using the edit function. You can't add or remove Autopatch groups or modify the phase order when editing a release.
+1. Select **Review + Create**.
+1. Select **Apply** to save your changes.
+
+## Pause and resume a release
+
+> [!CAUTION]
+> You should only pause and resume [Windows quality](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) and [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices.
+
+> [!IMPORTANT]
+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates. For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+
+**To pause or resume a release:**
+
+> [!NOTE]
+> If you've paused an update, the specified release will have the **Paused** status.
The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. The **Paused by Service Pause** status **only** applies to Windows quality updates. Windows Autopatch doesn't pause Windows feature updates on your behalf.
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release schedule** tab, select **Windows feature updates**.
+1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > **Pause** or **Resume** to pause or resume your feature updates release.
+1. Select a reason from the dropdown menu.
+1. Optional. Enter details about why you're pausing or resuming the selected update.
+1. If you're resuming an update, you can select one or more deployment rings.
+1. Select **Pause deployment** or **Resume deployment** to save your changes.
+
+## Cancel a release
+
+> [!IMPORTANT]
+> You can only cancel a release under the Scheduled status. You cannot cancel a release under the **Active**, **Inactive** or **Paused** statuses.
+
+**To cancel a release:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release schedule** tab, select **Windows feature updates**.
+1. In the **Windows feature updates** blade, select the **horizontal ellipses (…)** > **Cancel** to cancel your feature updates release.
+1. Select a reason for cancellation from the dropdown menu.
+1. Optional. Enter details about why you're pausing or resuming the selected update.
+1. Select **Cancel deployment** to save your changes.
+
+## Roll back a release
+
+> [!CAUTION]
+> Do **not** use Microsoft Intune’s end-user flows to rollback Windows feature update deployments for Windows Autopatch managed devices. If you need assistance with rolling back deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
+
+Windows Autopatch **doesn’t** support the rollback of Windows feature updates through its end-user experience flows.
+
+## Contact support
+
+If you’re experiencing issues related to Windows feature update deployments, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
new file mode 100644
index 0000000000..e6730c53fb
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-update-management.md
@@ -0,0 +1,61 @@
+---
+title: Software update management for Autopatch groups
+description: This article provides an overview of how updates are handled with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: overview
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Software update management: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

            The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


            **To opt-in to use Windows Autopatch groups:**
            1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
            2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
            3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
            +
+Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf.
+
+## Software update workloads
+
+| Software update workload | Description |
+| ----- | ----- |
+| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see:
            • [Windows Autopatch groups experience](../operate/windows-autopatch-groups-windows-quality-update-overview.md)
            • [Classic experience](../operate/windows-autopatch-windows-quality-update-overview.md) |
+| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see:
              • [Windows Autopatch groups experience](windows-autopatch-groups-windows-feature-update-overview.md)
              • [Classic experience](windows-autopatch-windows-feature-update-overview.md)
              |
+| Anti-virus definition | Updated with each scan. |
+| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). This software update workload uses the classic experience. |
+| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). This software update workload uses the classic experience. |
+| Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). This software update workload uses the classic experience. |
+
+## Autopatch groups
+
+Autopatch groups help Microsoft Cloud-Managed services meet all organizations where they are at in their update management journey.
+
+Autopatch groups is a logical container that groups several [Azure AD groups](/azure/active-directory/fundamentals/active-directory-groups-view-azure-portal), and software update policies, such as Windows Update rings and feature update policies, together.
+
+For more information on key benefits and how to use Autopatch groups, see [Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md).
+
+## Windows quality updates
+
+Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
+
+To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. For more information, see [Windows quality updates overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md).
+
+## Windows feature updates
+
+You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
+
+The Window feature update release management experience makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
+
+For more information, see [Windows feature updates overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md).
+
+## Reports
+
+Using [Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md), you can monitor and remediate Windows Autopatch managed devices that are Not up to Date and resolve any device alerts to bring Windows Autopatch managed devices back into compliance.
+
+## Policy health and remediation
+
+Windows Autopatch deploys Intune policies for Windows quality and feature update management. Windows Update policies must remain healthy for devices to receive Windows updates and stay up to date. We continuously monitor the health of the policies and raise alerts and provide remediation actions. For more information, see [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) and [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
new file mode 100644
index 0000000000..b49b0c5ba4
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md
@@ -0,0 +1,169 @@
+---
+title: Windows feature updates overview with Autopatch groups
+description: This article explains how Windows feature updates are managed with Autopatch groups
+ms.date: 05/03/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows feature updates overview: Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

              The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


              **To opt-in to use Windows Autopatch groups:**
              1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
              2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
              3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
              +
+Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
+
+Windows feature updates consist of:
+
+- Keeping Windows devices protected against behavioral issues.
+- Providing new features to boost end-user productivity.
+
+Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
+
+## Service level objective
+
+Windows Autopatch’s service level objective for Windows feature updates aims to keep **95%** of eligible devices on the targeted Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) for its default and global releases maintained by the service, and custom releases created and managed by you.
+
+## Device eligibility criteria
+
+Windows Autopatch’s device eligibility criteria for Windows feature updates aligns with [Windows Update for Business and Microsoft Intune’s device eligibility criteria](/mem/intune/protect/windows-10-feature-updates#prerequisites).
+
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC.
Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
+## Key benefits
+
+- Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date. You can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
+- You’re in control of telling Windows Autopatch when your organization is ready to move to the next Windows OS version.
+ - Combined with custom releases, Autopatch Groups gives your organization great control and flexibility to help you plan your gradual rollout in a way that works for your organization.
+- Simplified end-user experience with rich controls for gradual rollouts, deployment cadence and speed.
+- No need to manually modify the default Windows feature update policies (default release) to be on the Windows OS version your organization is currently ready for.
+- Allows for scenarios where you can deploy a single release across several Autopatch groups and its deployment rings.
+
+## Key concepts
+
+- A release is made of one or more deployment phases and contains the required OS version to be gradually rolled out throughout its deployment phases.
+- A phase (deployment phase) is made of one or more Autopatch group deployment rings. A phase:
+ - Works as an additional layer of deployment cadence settings that can be defined by IT admins (only for Windows feature updates) on top of Autopatch group deployment rings (Windows update rings policies).
+ - Deploys Windows feature updates across one or more Autopatch groups.
+- There are three types of releases:
+ - Default
+ - Global
+ - Custom
+
+### Default release
+
+Windows Autopatch’s default Windows feature update release is a service-driven release that enforces the minimum Windows OS version currently serviced by the Windows servicing channels for the deployment rings in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group).
+
+> [!TIP]
+> Windows Autopatch allows you to [create custom Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
+
+When devices are registered by manually adding them to the Windows Autopatch Device Registration Azure AD assigned group, devices are assigned to deployment rings as part of the default Autopatch group. Each deployment ring has its own Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
+
+The policies:
+
+- Contain the minimum Windows 10 version currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum Windows OS version is **Windows 10 21H2**.
+- Set a bare minimum Windows OS version required by the service once devices are registered with the service.
+
+If the device is registered with Windows Autopatch, and the device is:
+
+- Below the service's currently targeted Windows feature update, that device will be automatically upgraded to the service's target version when the device meets the [device eligibility criteria](#device-eligibility-criteria).
+- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades available to that device.
+
+#### Policy configuration for the default release
+
+If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
+
+| Policy name | Phase mapping | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
+| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch – DSS Policy [Test] | Phase 1 | Windows 10 21H2 | Make update available as soon as possible | May 9, 2023 | N/A | N/A | June 10, 2024 |
+| Windows Autopatch – DSS Policy [First] | Phase 2 | Windows 10 21H2 | Make update available as soon as possible | May 16, 2023 | N/A | N/A | June 10, 2024 |
+| Windows Autopatch – DSS Policy [Fast] | Phase 3 | Windows 10 21H2 | Make update available as soon as possible | May 23, 2023 | N/A | N/A | June 10, 2024 |
+| Windows Autopatch – DSS Policy [Broad] | Phase 4 | Windows 10 21H2 | Make update available as soon as possible | May 30, 2023 | N/A | N/A | June 10, 2024 |
+
+> [!NOTE]
+> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
+
+### Global release
+
+Windows Autopatch’s global Windows feature update release is a service-driven release. Like the [default release](#default-release), the Global release enforces the [minimum Windows OS version currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
+
+There are two scenarios that the Global release is used:
+
+| Scenario | Description |
+| ----- | ----- |
+| Scenario #1 | You assign Azure AD groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).

              A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.

              |
+| Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).

              The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.

              |
+
+#### Policy configuration values
+
+See the following table on how Windows Autopatch configures the values for its global Windows feature update policy. If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
+
+| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
+| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch – Global DSS Policy [Test] | Windows 10 21H2 | Make update available as soon as possible | N/A | N/A | N/A | June 10, 2024 |
+
+> [!NOTE]
+> Gradual rollout settings aren't configured in the default Windows Update feature policy. If the date of the final group availability is changed to be a past date, all remaining devices are offered the update as soon as possible. For more information, see [rollout options for Windows Updates in Microsoft Intune](/mem/intune/protect/windows-update-rollout-options#make-updates-available-gradually).
+
+### Differences between the default and global Windows feature update policies
+
+> [!IMPORTANT]
+> Once you create a custom Windows feature update release, both the global and the default Windows feature update policies are unassigned from Autopatch group’s deployment rings behind the scenes.
+
+The differences in between the global and the default Windows feature update policy values are:
+
+| Default Windows feature update policy | Global Windows feature update policy |
+| ----- | ----- |
+|
              • Set by default with the Default Autopatch group and assigned to Test, Ring1, Ring2, Ring3. The default policy isn't automatically assigned to the Last ring in the Default Autopatch group.
              • The Windows Autopatch service keeps its minimum Windows OS version updated following the recommendation of minimum Windows OS version [currently serviced by the Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).
              |
              • Set by default and assigned to all new deployment rings added as part of the Default Autopatch group customization.
              • Set by default and assigned to all deployment rings created as part of Custom Autopatch groups.
              +
+### Custom release
+
+A custom release is the release that you create to tell Windows Autopatch how you want the service to manage Windows OS upgrades on your behalf.
+
+Custom releases gives you flexibility to do Windows OS upgrades on your pace, but still relying on Windows Autopatch to give you insights of how your OS upgrades are going and additional deployment controls through the Windows feature updates release management experience.
+
+When a custom release is created and assigned to Autopatch groups, either the default or global releases are unassigned to avoid feature update policy for Windows 10 and later conflicts.
+
+For more information on how to create a custom release, see [Manage Windows feature update release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#create-a-custom-release).
+
+### About Windows Update rings policies
+
+Feature update policies work with Windows Update rings policies. Windows Update rings policies are created for each deployment ring for the [Default or a Custom Autopatch group](../deploy/windows-autopatch-groups-overview.md#key-concepts) based on the deployment settings you define. The policy name convention is `Windows Autopatch Update Policy – `.
+
+The following table details the default Windows Update rings policy values that affect either the default or custom Windows feature updates releases:
+
+| Policy name | Azure AD group assignment | Quality updates deferral in days | Feature updates deferral in days | Feature updates uninstall window in days | Deadline for quality updates in days | Deadline for feature updates in days | Grace period | Auto restart before deadline |
+| ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- | ----- |
+| Windows Autopatch Update Policy - default - Test | Windows Autopatch - Test | 0 | 0 | 30 | 0 | 5 | 0 | Yes |
+| Windows Autopatch Update Policy - default - Ring1 | Windows Autopatch - Ring1 | 1 | 0 | 30 | 2 | 5 |2 | Yes |
+| Windows Autopatch Update Policy - default - Ring2 | Windows Autopatch - Ring2 | 6 | 0 | 30 | 2 | 5 | 2 | Yes |
+| Windows Autopatch Update Policy - default - Ring3 | Windows Autopatch - Ring3 | 9 | 0 | 30 | 5 | 5 | 2 | Yes |
+| Windows Autopatch Update Policy - default - Last | Windows Autopatch - Last | 11 | 0 | 30 | 3 | 5 | 2 | Yes |
+
+> [!IMPORTANT]
+> When you create a custom Windows feature update release, new Windows feature update policies are:
              • Created corresponding to the settings you defined while creating the release.
              • Assigned to the Autopatch group’s deployment rings you select to be included in the release.
              +
+## Common ways to manage releases
+
+### Use case #1
+
+| Scenario | Solution |
+| ----- | ----- |
+| You’re working as the IT admin at Contoso Ltd., and you need to gradually rollout of Windows 11’s latest version to several business units across your organization. | Custom Windows feature update releases deliver OS upgrades horizontally, through phases, to one or more Autopatch groups.
              Phases:
              • Set your organization’s deployment cadence.
              • Work like deployment rings on top of Autopatch group’s deployment rings. Phases group one or more deployment rings across one or more Autopatch groups.

              See the following visual for a representation of Phases with custom releases. |
+
+:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-1.png" alt-text="Manage Windows feature update release use case one" lightbox="../media/autopatch-groups-manage-feature-release-case-1.png":::
+
+### Use case #2
+
+| Scenario | Solution |
+| ----- | ----- |
+| You’re working as the IT admin at Contoso Ltd. and your organization isn’t ready to upgrade its devices to either Windows 11 or the newest Windows 10 OS versions due to conflicting project priorities within your organization.

              However, you want to keep Windows Autopatch managed devices supported and receiving monthly updates that are critical to security and the health of the Windows ecosystem.

              | Default Windows feature update releases deliver the minimum Windows OS upgrade vertically to each Windows Autopatch group (either [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) or [Custom](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups)). The Default Windows Autopatch group is pre-configured with the [default Windows feature update release](#default-release) and no additional configuration is required from IT admins as Autopatch manages the default release on your behalf.

              If you decide to edit the default Windows Autopatch group to add additional deployment rings, these rings receive a [global Windows feature update policy](#global-release) set to offer the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to devices. Every custom Autopatch group you create gets a [global Windows feature update policy](#global-release) that enforces the minimum Windows OS version [currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2).

              See the following visual for a representation of default releases.

              |
+
+:::image type="content" source="../media/autopatch-groups-manage-feature-release-case-2.png" alt-text="Manage Windows feature update release use case two" lightbox="../media/autopatch-groups-manage-feature-release-case-2.png":::
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
new file mode 100644
index 0000000000..fc177682b7
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-status-report.md
@@ -0,0 +1,76 @@
+---
+title: Feature update status report
+description: Provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Feature update status report (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

              The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


              **To opt-in to use Windows Autopatch groups:**
              1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
              2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
              3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
              +
+The Feature update status report provides a per device view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. 
+
+**To view the Feature update status report:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates (preview)**.
+1. Select the **Reports** tab.
+1. Select **Feature update status**.
+
+## Report information
+
+### Default columns
+
+The following information is available as default columns in the Feature update status report:
+
+| Column name | Description |
+| ----- | ----- |
+| Device name | The name of the device. |
+| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
+| Update status | The current update status for the device. For more information, see [Windows feature update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). |
+| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). |
+| Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). |
+| Readiness | The device readiness evaluation status. For more information, see [Post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). |
+| Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). 
|
+
+### Optional columns
+
+The following information is available as optional columns in the Feature update status report:
+
+| Column name | Description |
+| ----- | ----- |
+| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device |
+| Serial number | The current Intune recorded serial number for the device |
+| Intune last check in time | The last time the device checked in to Intune |
+| Service State | The Service State provided from Windows Update |
+| Service Substate | The Service Substate provided from Windows Update |
+| Client State | The Client State provided from Windows Update |
+| Client Substate | The Client Substate provided from Windows Update |
+| Servicing Channel | The Servicing Channel provided from Windows Update |
+| User Last Logged On | The last user who logged on as reported from Intune |
+| Primary User UPN | The Primary User UPN as reported from Intune |
+| Hex Error Code | The hex error provided from Windows Update |
+
+> [!NOTE]
+> The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Search | Use to search by device name, Azure AD device ID or serial number |
+| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
+| Filter | Select either the **Add filters** or at the top of the report to filter the results. |
+| Columns | Select a column to add or remove the column from the report. | 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
new file mode 100644
index 0000000000..63c6483b4d
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md
@@ -0,0 +1,52 @@
+---
+title: Windows feature update summary dashboard
+description: Provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows feature update summary dashboard (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

              The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


              **To opt-in to use Windows Autopatch groups:**
              1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
              2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
              3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
              +
+The summary dashboard provides a broader view of the current Windows OS update status for all devices registered with Windows Autopatch.
+
+The first part of the summary dashboard provides you with an all-devices trend report where you can follow the deployment trends within your organization. You can view if updates were successfully installed, failing, in progress, not ready or have their Windows feature update paused.
+
+**To view a generated summary dashboard for your Windows feature update deployments:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Reports** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Windows feature updates (preview)**.
+
+## Report information
+
+The following information is available in the summary dashboard:
+
+| Column name | Description |
+| ----- | ----- |
+| Release | The release name and its phases. For more information, see [Windows feature updates](../operate/windows-autopatch-groups-windows-feature-update-overview.md). |
+| Version to deploy | The version being deployed to the device based on which Windows feature update release the device is assigned. |
+| Device count | Total device count per Autopatch group or deployment ring. |
+| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses). 
|
+| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
+| Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md
new file mode 100644
index 0000000000..d6c6955600
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-trending-report.md 
@@ -0,0 +1,42 @@
+---
+title: Feature update trending report
+description: Provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Feature update trending report (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

              The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


              **To opt-in to use Windows Autopatch groups:**
              1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
              2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
              3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
              +
+Windows Autopatch provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days.
+
+**To view the Feature update trending report:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows feature updates (public preview)**.
+1. Select the **Reports** tab.
+1. Select **Feature update trending**.
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+| By percentage | Select **by percentage** to show your trending graphs and indicators by percentage. |
+| By device count | Select **by device count** to show your trending graphs and indicators by numeric value. |
+
+For a description of the displayed device status trends, see [Windows feature update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md
new file mode 100644
index 0000000000..8f10b41042
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md 
@@ -0,0 +1,109 @@
+---
+title: Windows quality and feature update reports overview with Windows Autopatch Groups experience
+description: This article details the types of reports available and info about update device eligibility, device update health, device update trends in Windows Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Windows quality and feature update reports overview: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

              The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


              **To opt-in to use Windows Autopatch groups:**
              1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
              2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
              3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
              +
+## Windows quality reports
+
+The Windows quality reports provide you with information about:
+
+Quality update device readiness
+Device update health
+Device update alerts
+Together, these reports provide insight into the quality update state and compliance of Windows devices that are enrolled into Windows Autopatch.
+
+The Windows quality report types are organized into the following focus areas:
+
+| Focus area | Description |
+| ----- | ----- |
+| Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) provide the current update status summary for all devices.

              The [Quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) provides the current update status of all devices at the device level. |
+| Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) provides the update status trend of all devices over the last 90 days. |
+
+## Windows feature update reports
+
+The Windows feature update reports monitor the health and activity of your deployments and help you understand if your devices are maintaining update compliance targets.
+
+If update deployments aren’t successful, Windows Autopatch provides information on update deployment failures and who needs to remediate. Certain update deployment failures might require either Windows Autopatch to act on your behalf or you to fix the issue.
+
+The Windows feature update report types are organized into the following focus areas:
+
+| Focus area | Description |
+| ----- | ----- |
+| Organizational | The [Summary dashboard](../operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md) provides a broader view of the current Windows OS upgrade status for all devices registered with Windows Autopatch. |
+| Operational | The [Feature update status report](../operate/windows-autopatch-groups-windows-feature-update-status-report.md) provides a per device view of the current Windows OS update status for all devices registered with Windows Autopatch. |
+| Device trends | The [Quality update trending report](../operate/windows-autopatch-groups-windows-feature-update-trending-report.md) provides a visual representation of Windows OS upgrade trends for all devices over the last 90 days. |
+
+## Who can access the reports? 
              +
+Users with the following permissions can access the reports:
+
+- Global Administrator
+- Intune Service Administrator
+- Global Reader
+- Services Support Administrator
+
+## About data latency
+
+The data source for these reports is Windows [diagnostic data](../overview/windows-autopatch-privacy.md#microsoft-windows-1011-diagnostic-data). The data typically uploads from enrolled devices once per day. Then, the data is processed in batches before being made available in Windows Autopatch. The maximum end-to-end latency is approximately 48 hours.
+
+## Windows quality and feature update statuses
+
+The following statuses are used throughout the Windows Autopatch reporting suite to describe the quality update status for devices:
+
+- [Up to Date devices](#up-to-date-devices)
+- [Not up to Date devices](#not-up-to-date-devices)
+- [Not Ready devices](#not-ready-devices)
+
+Each status has its own set of sub statuses to further describe the status.
+
+### Up to Date devices
+
+Up to date devices are devices that meet all of the following prerequisites:
+
+- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
+- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
+- [Windows quality and feature update device readiness](../deploy/windows-autopatch-post-reg-readiness-checks.md)
+- [Post-device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md)
+- Have applied the current monthly cumulative updates
+
+> [!NOTE]
+> [Up to Date devices](#up-to-date-devices) will remain with the **In Progress** status for the 21-day service level objective period until the device either applies the current monthly cumulative update or receives an [alert](../operate/windows-autopatch-device-alerts.md). If the device receives an alert, the device’s status will change to [Not up to Date](#not-up-to-date-devices). 
              +
+#### Up to Date sub statuses
+
+| Sub status | Description |
+| ----- | ----- |
+| In Progress | Devices are currently installing the latest [quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#release-schedule) or [feature update](../operate/windows-autopatch-groups-windows-feature-update-overview.md#default-release) deployed through the Windows Autopatch release schedule. |
+| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release management pause. For more information, see pausing and resuming a [Windows quality update](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release) or [Windows feature update](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release). |
+
+### Not up to Date devices
+
+Not Up to Date means a device isn’t up to date when the:
+
+- Quality or feature update is out of date, or the device is on the previous update.
+- Device is more than 21 days overdue from the last release.
+- Device has an [alert](../operate/windows-autopatch-device-alerts.md) resulting in an error and action must be taken.
+
+### Not Ready devices
+
+Not Ready refers to the responsibility of the designated IT administrator to carry out the appropriate action to resolve the reported device sub status.
+
+Within each 24-hour reporting period, devices that are Not Ready are reevaluated using the [Autopatch post-device registration readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md).
+
+## Data export
+
+Select **Export devices** to export data for each report type. Only selected columns will be exported. 
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
new file mode 100644
index 0000000000..cd1653f964
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-communications.md
@@ -0,0 +1,69 @@
+---
+title: Windows quality update communications for Autopatch groups
+description: This article explains Windows quality update communications for Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: hathind
+---
+
+# Windows quality update communications: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

              The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


              **To opt-in to use Windows Autopatch groups:**
              1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
              2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
              3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
              +
+
+There are three categories of communication that are sent out during a Windows quality and feature update:
+
+- [Standard communications](#standard-communications)
+- [Communications during release](#communications-during-release)
+- [Incident communications](#incident-communications)
+
+Communications are posted to, as appropriate for the type of communication, to the:
+
+- Message center
+- Service health dashboard
+- Windows Autopatch messages section of the Microsoft Intune admin center
+
+:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
+
+## Standard communications
+
+| Communication | Location | Timing | Description |
+| ----- | ----- | ----- | ----- |
+| Release schedule |
              • Messages blade
              • Email sent to your specified [admin contacts](../deploy/windows-autopatch-admin-contacts.md)
                • | At least seven days prior to the second Tuesday of the month| Notification of the planned release window for each ring. |
+| Release start | Same as release schedule | The second Tuesday of every month. | Notification that the update is now being released into your environment. |
+| Release summary | Same as release schedule | The fourth Tuesday of every month. | Informs you of the percentage of eligible devices that were patched during the release. |
+
+### Opt out of receiving emails for standard communications
+
+> [!IMPORTANT]
+> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
+
+If you don't want to receive standard communications for Windows Updates releases via email, you can choose to opt out.
+
+**To opt out of receiving emails for standard communications:**
+
+1. Go to the **[Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)**.
+2. Go to **Windows Autopatch** > **Tenant administration** > select **Admin contacts**.
+3. Select the admin contact you want to opt out for.
+4. Select **Edit Contact**.
+5. Clear the **Send me emails for Windows update releases and status** checkbox in the fly-in pane.
+6. Select **Save** to apply the changes.
+
+## Communications during release
+
+The most common type of communication during a release is a customer advisory. Customer advisories are posted to both Message center and the Messages blade of the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) shortly after Autopatch becomes aware of the new information.
+
+There are some circumstances where Autopatch will need to change the release schedule based on new information.
+
+For example, new threat intelligence may require us to expedite a release, or we may pause due to user experience concerns. 
              If the schedule of a quality update is changed, paused, resumed, or expedited, we'll inform you as quickly as possible so that you can adapt to the new information.
+
+## Incident communications
+
+Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
new file mode 100644
index 0000000000..25705531f4
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md
@@ -0,0 +1,69 @@
+---
+title: Windows quality update end user experience for Autopatch groups
+description: This article explains the Windows quality update end user experience using the Autopatch groups exp
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Windows quality update end user experience: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                  The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                  **To opt-in to use Windows Autopatch groups:**
                  1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                  2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                  3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
                  +
+## User notifications
+
+In this section we'll review what an end user would see in the following three scenarios:
+
+1. Typical update experience
+2. Quality update deadline forces an update
+3. Quality update grace period
+
+> [!NOTE]
+> The "It's almost time to restart" and "Your organization requires your device to restart" notifications won't disappear until the user interacts with the notification.
+
+### Typical update experience
+
+The Windows quality update is published and devices in the Broad ring have a deferral period of nine days. Devices will wait nine days before downloading the latest quality update.
+
+Once the deferral period has passed, the device will download the update and notify the end user that updates are ready to install. The end user can either:
+
+- Restart immediately to install the updates
+- Schedule the installation, or
+- Snooze the device will attempt to install outside of [active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart).
+
+In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
+
+:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png":::
+
+### Quality update deadline forces an update
+
+In the following example, the user:
+
+- Ignores the notification and selects snooze.
+- Further notifications are received, which the user ignores.
+- The device is unable to install the updates outside of active hours.
+
+The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) and force a restart to complete the update installation. 
The user will receive a 15-minute warning, after which, the device will install the update and restart.
+
+:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png":::
+
+### Quality update grace period
+
+In the following example, the user is on holiday and the device is offline beyond the quality update deadline. The user then returns to work and the device is turned back on.
+
+Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
+
+:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
+
+## Minimize user disruption due to updates
+
+Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. By default, [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart) are configured dynamically based on device usage patterns. Device restarts occur outside of active hours until the deadline is reached.
+
+Windows Autopatch understands the importance of not disrupting critical devices but also updating the devices quickly. If you wish to configure a specific installation time or [Active hours](/windows/client-management/mdm/policy-csp-update#activehoursstart), use the [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md), and select the [**ScheduledInstall**](../operate/windows-autopatch-groups-windows-update.md#scheduled-install) option.
Using this option removes the deadline enforced for a device restart. Devices with this configuration will also **not** be counted towards the [service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
new file mode 100644
index 0000000000..559e317784
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -0,0 +1,133 @@
+---
+title: Windows quality updates overview with Autopatch groups experience
+description: This article explains how Windows quality updates are managed with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows quality updates: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                  The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                  **To opt-in to use Windows Autopatch groups:**
                  1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                  2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                  3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+Windows Autopatch deploys the [Monthly security update releases](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month.
+
+To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates:
+
+| Policy | Description |
+| ----- | ----- |
+| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | Deferral policies delay the time the update is offered to the device by a specific number of days. The "offer" date for Windows quality updates is equal to the number of days specified in the deferral policy after the second Tuesday of each month. |
+| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
+| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online.
|
+
+For devices in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch configures these policies differently across deployment rings to gradually release the update. Devices in the Test ring receive changes first and devices in the Last ring receive changes last. For more information about the Test and Last deployment rings, see [About the Test and Last deployment rings in Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-the-test-and-last-deployment-rings). With Windows Autopatch groups you can also customize the [Default Deployment Group’s deployment ring composition](../deploy/windows-autopatch-groups-overview.md#default-deployment-ring-composition) to add and/or remove deployment rings and can customize the update deployment cadences for each deployment ring. To learn more about customizing Windows Quality updates deployment cadence, see [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md).
+
+> [!IMPORTANT]
+> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective).
+
+## Service level objective
+
+Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. Note that devices that have cadence type set to Schedule install won't be eligible for Windows quality update SLO. For more information about the Schedule Install cadence type, see [Deployment cadence types](../operate/windows-autopatch-groups-windows-update.md#deployment-cadence).
+
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
+
+## Release management
+
+> [!NOTE]
+> To access the Release management blade, you must have the correct [role-based access control](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration).
+
+In the Release management blade, you can:
+
+- Track the [Windows quality update schedule](#release-schedule).
+- [Turn off expedited Windows quality updates](#turn-off-service-driven-expedited-quality-update-releases).
+- Review release announcements and knowledge based articles for regular and [Out of Band (OOB) Windows quality updates](#out-of-band-releases).
+
+### Release schedule
+
+For each [deployment ring](windows-autopatch-update-management.md#windows-autopatch-deployment-rings), the **Release schedule** tab contains:
+
+- The status of the update. Releases will appear as **Active**. The update schedule is based on the values of the [Windows 10 Update Ring policies](/mem/intune/protect/windows-update-for-business-configure), which have been configured on your behalf.
+- The date the update is available.
+- The target completion date of the update.
+- In the **Release schedule** tab, you can either [**Pause** and/or **Resume**](#pause-and-resume-a-release) a Windows quality update release.
+
+### Expedited releases
+
+Threat and vulnerability information about a new revision of Windows becomes available on the second Tuesday of each month. Windows Autopatch assesses that information shortly afterwards. If the service determines that it's critical to security, it may be expedited. The quality update is also evaluated on an ongoing basis throughout the release and Windows Autopatch may choose to expedite at any time during the release.
+
+When running an expedited release, the regular goal of 95% of devices in 21 days no longer applies. Instead, Windows Autopatch greatly accelerates the release schedule of the release to update the environment more quickly. This approach requires an updated schedule for all devices outside of the Test ring since those devices are already getting the update quickly.
+
+| Release type | Group | Deferral | Deadline | Grace period |
+| ----- | ----- | ----- | ----- | ----- |
+| Expedited release | All devices | 0 | 1 | 1 |
+
+#### Turn off service-driven expedited quality update releases
+
+Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
+
+By default, the service expedites quality updates as needed. For those organizations seeking greater control, you can disable expedited quality updates for Windows Autopatch-enrolled devices using Microsoft Intune.
+
+**To turn off service-driven expedited quality updates:**
+
+1. Go to **[Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
+2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
+
+> [!NOTE]
+> Windows Autopatch doesn't allow customers to request expedited releases.
+
+### Out of Band releases
+
+Windows Autopatch schedules and deploys required Out of Band (OOB) updates released outside of the normal schedule.
+
+For the deployment rings that have passed quality updates deferral date, the OOB release schedule will be expedited and deployed on the same day. For the deployment rings that have deferral upcoming, OOBs will be released as per the set deferral dates.
+
+**To view deployed Out of Band quality updates:**
+
+1. Go to [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
+2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. You can also view the schedules for OOB update releases in the Release Schedule tab.
+
+> [!NOTE]
+> Announcements abd OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
+
+### Pause and resume a release
+
+> [!CAUTION]
+> You should only pause and resume [Windows quality](#pause-and-resume-a-release) and [Windows feature updates](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md#pause-and-resume-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices.
+
+The service-level pause is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
+
+If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-groups-windows-quality-update-signals.md), we may decide to pause that release.
+
+> [!IMPORTANT]
+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                  For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+
+**To pause or resume a Windows quality update:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, got to the **Release schedule** tab and select **Windows quality updates**.
+1. Select the Autopatch group that you want to pause or resume. Select either: **Pause** or **Resume**. Alternatively, you can select the **horizontal ellipses (...)** of the Autopatch group you want to pause or resume. Select, **Pause** or **Resume** from the dropdown menu.
+1. Select a reason from the dropdown menu.
+1. Optional. Enter details about why you're pausing or resuming the selected update.
+1. If you're resuming an update, you can select one or more deployment rings.
+1. Select **Okay**.
+
+The three following statuses are associated with paused quality updates:
+
+| Status | Description |
+| ----- | ------ |
+| Paused by Service | If the Windows Autopatch service has paused an update, the release will have the **Paused by Service** status. The Paused by Service only applies to rings that aren't Paused by the Tenant. |
+| Paused by Tenant | If you've paused an update, the release will have the **Paused by Tenant** status. The Windows Autopatch service can't overwrite a tenant pause. You must select **Resume** to resume the update. |
+
+## Remediating Not ready and/or Not up to Date devices
+
+To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can [remediate Windows Autopatch device alerts](../operate/windows-autopatch-device-alerts.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
new file mode 100644
index 0000000000..556a292eb3
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-signals.md
@@ -0,0 +1,62 @@
+---
+title: Windows quality update release signals with Autopatch groups
+description: This article explains the Windows quality update release signals with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: hathind
+---
+
+# Windows quality update signals: Windows Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                  The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                  **To opt-in to use Windows Autopatch groups:**
                  1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                  2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                  3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+Windows Autopatch monitors a specific set of signals and aims to release the monthly security update both quickly and safely. The service doesn't comprehensively monitor every use case in Windows.
+
+If there's a scenario that is critical to your business, which isn't monitored by Windows Autopatch, you're responsible for testing and taking any follow-up actions, like requesting to pause the release.
+
+## Pre-release signals
+
+Before being released to the Test ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), Windows Autopatch reviews several data sources to determine if we need to send any customer advisories or need to pause the update. Situations where Windows Autopatch doesn't release an update to the Test ring are seldom occurrences.
+
+| Pre-release signal | Description |
+| ----- | ----- |
+| Windows Payload Review | The contents of the monthly security update release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-groups-windows-quality-update-communications.md#communications-during-release) will be sent out. |
+| Optional non-security preview release review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous optional non-security preview release to understand potential risks in the monthly security update release. |
+| Optional non-security preview release review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the monthly security update release. |
+
+## Early signals
+
+The update is released to the Test ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) on the second Tuesday of the month.
Those test devices will update, allowing you to conduct early testing of critical scenarios in your environment. There are also several Microsoft internal signals that are monitored throughout the release.
+
+| Device reliability signal | Description | Microsoft will |
+| ----- | ----- | ----- |
+| Security Risk Profile | As soon as the update is released, the criticality of the security content is assessed. |
                  • Consider expediting the release
                  • Update customers with a risk profile
                  +| B-Release - Internal Signals | Windows Autopatch reviews any active incidents associated with the current release. |
                  • Determine if a customer advisory is necessary
                  • Pause the release if there's significant user impact
|
+| B-Release - Social Signals | Windows Autopatch monitors social signals to understand risks associated with the release. | Determine if a customer advisory is necessary |
+
+## Device reliability signals
+
+Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
+
+The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version.
+
+As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update.
+
+Autopatch monitors the following reliability signals:
+
+| Device reliability signal | Description |
+| ----- | ----- |
+| Blue screens | These events are highly disruptive to end users. These events are closely monitored. |
+| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
+| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. |
+| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
+| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
+
+When the update is released to the First ring in the [Default Autopatch group](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group), the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers.
At this point in the release, we'll decide if we need to expedite the release schedule or pause for all customers.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
new file mode 100644
index 0000000000..4cd9aa18af
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-status-report.md
@@ -0,0 +1,79 @@
+---
+title: Quality update status report
+description: Provides a per device view of the current update status for all Windows Autopatch enrolled devices with Autopatch groups.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Quality update status report (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                  The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                  **To opt-in to use Windows Autopatch groups:**
                  1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                  2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                  3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+The Quality update status report provides a per device view of the current update status for all Windows Autopatch enrolled devices.
+
+**To view the Quality update status report:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
+1. Select the **Reports** tab.
+1. Select **Quality update status**.
+
+> [!NOTE]
+> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+
+## Report information
+
+### Default columns
+
+The following information is available as default columns in the Quality update status report:
+
+| Column name | Description |
+| ----- | ----- |
+| Device name | The name of the device. |
+| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
+| Update status | The current update status for the device. For more information, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses). |
+| Pause status | The current pause status whether Customer or Service initiated. For more information, see [Pause and resume a release](../operate/windows-autopatch-groups-windows-quality-update-overview.md#pause-and-resume-a-release). |
+| Current version | The current version or build number of the device. For more information, see [Windows Versions](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). |
+| Readiness | The device readiness evaluation status.
For more information, see [Post registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md). |
+| Alerts | The summary of any alerts affecting the device. For more information, see [Device alerts](../operate/windows-autopatch-device-alerts.md). |
+
+### Optional columns
+
+The following information is available as optional columns in the Quality update status report:
+
+| Column name | Description |
+| ----- | ----- |
+| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device |
+| Serial number | The current Intune recorded serial number for the device |
+| Intune last check in time | The last time the device checked in to Intune |
+| Service State | The Service State provided from Windows Update |
+| Service Substate | The Service Substate provided from Windows Update |
+| Client State | The Client State provided from Windows Update |
+| Client Substate | The Client Substate provided from Windows Update |
+| Servicing Channel | The Servicing Channel provided from Windows Update |
+| User Last Logged On | The last user who logged on as reported from Intune |
+| Primary User UPN | The Primary User UPN as reported from Intune |
+| Hex Error Code | The hex error provided from Windows Update |
+
+> [!NOTE]
+> The Service State, Service Substate, Client State, Client Substate, Servicing Channel, and Hex Error Code columns may not display any values. These columns are supplemental and might not display for all devices
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Search | Use to search by device name, Azure AD device ID or serial number |
+| Sort | Select the **column headings** to sort the report data in ascending and descending order. |
+| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file.
|
+| Filter | Select either the **Add filters** or at the top of the report to filter the results. |
+| Columns | Select a column to add or remove the column from the report. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
new file mode 100644
index 0000000000..31ca5e6fac
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md
@@ -0,0 +1,51 @@
+---
+title: Windows quality update summary dashboard
+description: Provides a summary view of the current update status for all devices enrolled into Windows Autopatch with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Windows quality update summary dashboard (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                  The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                  **To opt-in to use Windows Autopatch groups:**
                  1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                  2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                  3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+The summary dashboard provides a summary view of the current update status for all devices enrolled into Windows Autopatch.
+
+**To view the current update status for all your enrolled devices:**
+
+1. Sign into the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows quality updates**.
+
+> [!NOTE]
+> The data in this report is refreshed every 24 hours with data received by your Windows Autopatch managed devices. The last refreshed on date/time can be seen at the top of the page. For more information about how often Windows Autopatch receives data from your managed devices, see [Data latency](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#about-data-latency).
+
+## Report information
+
+The following information is available in the summary dashboard:
+
+| Column name | Description |
+| ----- | ----- |
+| Autopatch group | The Autopatch group and deployment ring. For more information, see [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md). |
+| Device count | Total device count per Autopatch group or deployment ring. |
+| Up to date | Total device count reporting a status of Up to date. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Not up to Date | Total device count reporting a status of Not Up to date. For more information, see [Not Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+| In progress | Total device counts reporting the In progress status. For more information, see [In progress](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-sub-statuses).
|
+| Paused | Total device count reporting the status of the pause whether it’s Service or Customer initiated. For more information, see [Up to Date](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#up-to-date-devices). |
+| Not ready | Total device count reporting the Not ready status. For more information, see [Not ready](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#not-up-to-date-devices). |
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Refresh | The option to **Refresh** the summary dashboard is available at the top of the page. This process will ensure that the summary dashboard view is updated to the latest available dataset from within the last 24-hour period. |
+| Summary links | Each column represents the summary of included devices. Select the hyperlinked number to produce a filtered report in a new browser tab. |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
new file mode 100644
index 0000000000..935bb616af
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-trending-report.md
@@ -0,0 +1,42 @@
+---
+title: Quality update trending report
+description: Provides a visual representation of the update status trend for all devices over the last 90 days with Autopatch groups.
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: adnich
+---
+
+# Quality update trending report (public preview)
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                  The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                  **To opt-in to use Windows Autopatch groups:**
                  1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                  2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                  3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+The Quality update trending report provides a visual representation of the update status trend for all devices over the last 90 days.
+
+**To view the Quality update trending report:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Reports** > **Windows Autopatch** > **Windows Quality Updates**.
+1. Select the **Reports** tab.
+1. Select **Quality update trending**.
+
+> [!NOTE]
+> This report provides a time stamp of when the report trend was last generated and can be seen at the top of the page.
+
+## Report options
+
+The following options are available:
+
+| Option | Description |
+| ----- | ----- |
+| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
+| By percentage | Select **by percentage** to show your trending graphs and indicators by percentage. |
+| By device count | Select **by device count** to show your trending graphs and indicators by numeric value. |
+
+For a description of the displayed device status trends, see [Windows quality update statuses](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md#windows-quality-and-feature-update-statuses).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
new file mode 100644
index 0000000000..7d03bd8c1e
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-update.md
@@ -0,0 +1,125 @@
+---
+title: Customize Windows Update settings Autopatch groups experience
+description: How to customize Windows Updates with Autopatch groups
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: rekhanr
+---
+
+# Customize Windows Update settings: Autopatch groups experience (public preview)
+
+> [!IMPORTANT]
+> This feature is in **public preview**. The feature is being actively developed, and may not be complete. You can test and use these features in production environments and provide feedback.
+
+> [!IMPORTANT]
+> Windows Autopatch groups is in **public preview**. This feature is being actively developed and might not be complete. You can test and use these features in production environments and provide feedback.

                  The Windows Autopatch group experience only applies if you’ve opted-in to use Windows Autopatch groups.


                  **To opt-in to use Windows Autopatch groups:**
                  1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) and select **Devices** from the left navigation menu.
                  2. Under **Windows Autopatch**, select **Release Management**, then select **Autopatch groups (preview)**.
                  3. Review the **[Microsoft Privacy Statement](../overview/windows-autopatch-privacy.md)** and the **[Autopatch groups Public Preview Addendum](../references/windows-autopatch-groups-public-preview-addendum.md)**. If you agree, select the **I have reviewed and agree to the Autopatch groups Public Preview Addendum** checkbox. Then, select **Use preview** to test out Windows Autopatch groups and its bundled feature set. If the **Use preview** option is greyed out, ensure you meet all the [Autopatch group prerequisites](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#autopatch-groups-prerequisites).
+
+You can customize the Windows Update deployment schedule for each deployment ring in Windows Autopatch groups per your business and organizational needs. This capability is allowed for both [Default](../deploy/windows-autopatch-groups-overview.md#about-the-default-autopatch-group) and [Custom Autopatch groups](../deploy/windows-autopatch-groups-overview.md#about-custom-autopatch-groups). However, we recommend that you remain within service defined boundaries to maintain compliance.
+
+When the deployment cadence is customized, Windows Autopatch will override our service defaults with your preferred deployment cadence. Depending on the selected options, devices with [customized schedules](#scheduled-install) may not count towards the Windows Autopatch [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
+
+## Deployment cadence
+
+### Cadence types
+
+For each tenant, at the deployment ring level, there are two cadence types to configure and manage your Windows Update deployments for all the devices in those deployment rings:
+
+- [Deadline-driven](#deadline-driven)
+- [Scheduled install](#scheduled-install)
+
+> [!NOTE]
+> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update).
+
+#### Deadline-driven
+
+With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
+
+There are certain limits that Windows Autopatch defines and you'll only be able to make changes with those boundaries. The following boundaries are implemented so that Windows Autopatch can maintain update compliance.
+
+| Boundary | Description |
+| ----- | ----- |
+| Deferrals and deadlines | Windows Autopatch will enforce that deadline plus deferral days for a deployment ring to be less than or equal to 14 days. |
+| Grace period | The permitted customization range is zero to seven days. |
+
+> [!NOTE]
+> The configured grace period will apply to both Windows quality updates and Windows feature updates.
+
+Each deployment ring can be scheduled independent of the others, and there are no dependencies that the previous deployment ring must be scheduled before the next ring. Further, if the cadence type is set as **Deadline-driven**, the automatic update behavior setting, **Reset to default** in the Windows Update for Business policy, will be applied.
+
+It's possible for you to change the cadence from the Windows Autopatch Release management blade while update deployments are in progress. Windows Autopatch will abide by the principle to always respect your preferences over service-defined values.
+
+However, if an update has already started for a particular deployment ring, Windows Autopatch won't be able to change the cadence for that ring during that ongoing update cycle. The changes will only be effective in the next update cycle.
+
+#### Scheduled install
+
+> [!NOTE]
+>If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-groups-windows-quality-update-overview.md#service-level-objective).
+
+While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times.
The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified.
+
+If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update will complete its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option.
+
+> [!NOTE]
+> The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type.
+
+Devices **must** be active and available at the time when the device is scheduled for installation to ensure the optimal experience. If the device is consistently unavailable during the scheduled install time, the device can remain unprotected and unsecured, or the device may have the Windows Update scan and install during active hours.
+
+##### Scheduled install types
+
+> [!NOTE]
+> For devices with **Active hours** configured, if the device is consistently unavailable, Windows will attempt to keep the devices up to date, including installation of updates during Active hours.

                  For Windows 10 devices, Windows Update can start 30 minutes prior to the specified install time. If the installation start time is specified at 2:00 AM, some of the devices may start the installation 30 mins prior.

+
+The Scheduled install cadence has two options:
+
+| Option | Description |
+| ----- | ----- |
+| Active hours | The period (daily) that the user normally does their work, or the device is busy performing business critical actions.

                  The time outside of active hours is when the device is available for Windows to perform an update and restart the device (daily). The max range for Active hours is 18 hours. The six-hour period outside of the active hours is the deployment period, when Windows Update for Business will scan, install and restart the device.

                  +| Schedule install and restart | Use this option to prevent the service from installing Windows Updates except during the specified start time. You can specify the following occurrence options:
                  • Weekly
                  • Bi-weekly
                  • Monthly

                  Select a time when the device has low activity for the updates to complete. Ensure that the Windows Update has three to four hours to complete the installation and restart the device.

|
+
+> [!NOTE]
+> Changes made in one deployment ring won't impact other rings in your tenant.

                  Configured **Active hours** and **Scheduled install and restart** options will apply to both Windows quality updates and Windows feature updates.

+
+### User notifications
+
+In addition to the cadence type, you can also manage the end user notification settings. End users will receive all update notifications by default. For critical devices or devices where notifications need to be hidden, use the **Manage notifications** option to configure notifications. For each tenant, at the deployment ring level, there are four options for you to configure end user update notification settings:
+
+- Not configured
+- Use the default Windows Update notifications
+- Turn off all notifications excluding restart warnings
+- Turn off all notifications including restart warnings
+
+For more information, see [Windows Update settings you can manage with Intune update ring policies for Windows 10/11 devices](/mem/intune/protect/windows-update-settings).
+
+## Customize the Windows Update deployment cadence
+
+> [!IMPORTANT]
+> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.

                  For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

+
+**To customize the Windows Update deployment cadence:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings** select **Autopatch groups**. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit.
+3. Select the **horizontal ellipses (…)** across each ring to manage the deployment cadence or notification settings.
+4. Select **Next** to navigate to the Windows update settings page. The page lists the existing settings for each of the deployment rings in the Autopatch group.
+5. Select [**Manage deployment cadence**](#cadence-types) to customize Windows Update settings.
+ 1. Select one of the cadence types for the ring:
+ 1. Select **Deadline-driven** to configure the deferral, deadline, and grace periods. This option will enforce forced restarts based on the selected deadline and grace period. In the event you want to switch back to the service recommended defaults, for each of the settings, select the option tagged as "default".
+ 1. Select **Scheduled install** to opt-out of deadline-based forced restart.
+ 1. Select either **Active hours** or **Schedule install and restart time**.
+ 2. Select **Save**.
+6. Select **Manage notifications**. A fly-in pane opens.
+ 1. Select one of following [Windows Update restart notifications](#user-notifications) for your devices that are part of the selected deployment ring. By default, Windows Autopatch recommends that you enable all notifications.
+ 1. Not configured
+ 1. Use the default Windows Update notifications
+ 1. Turn off all notifications excluding restart warnings
+ 1. Turn off all notifications included restart warnings
+ 1. Select **Save** once you select the preferred setting.
+7. Repeat the same process to customize each of the rings. Once done, select **Next**.
+8.
In **Review + apply**, you’ll be able to review the selected settings for each of the rings.
+9. Select **Apply** to apply the changes to the ring policy. Once the settings are applied, the saved changes can be verified in the **Release schedule** tab. The Windows quality update schedule on the **Release schedule** tab will be updated as per the customized settings.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
new file mode 100644
index 0000000000..8e4b4794f4
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-policy-health-and-remediation.md
@@ -0,0 +1,106 @@
+---
+title: policy health and remediation
+description: Describes what Autopatch does it detects policies in the tenant are either missing or modified to states that affect the service
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: rekhanr
+---
+
+# Policy health and remediation (public preview)
+
+> [!IMPORTANT]
+> This feature is in **public preview**. This feature is being actively developed and may not be complete. You can test and use these features in production environments and provide feedback.
+
+Windows Autopatch uses Microsoft Intune policies to set configurations and deliver the service. Windows Autopatch continuously monitors the policies and maintains all configurations related to the operation of the service.
+
+> [!IMPORTANT]
+> Don't change, edit, add to, or remove any of the Windows Autopatch policies or groups. Doing so can cause unintended configuration changes and impact the Windows Autopatch service. For more information about Windows Autopatch configurations, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md).
+
+When Windows Autopatch detects policies in the tenant are either missing or modified that affects the service, Windows Autopatch will raise alerts and detailed recommended actions to ensure healthy operation of the service.
+
+IT admins must respond to the service-generated alerts to ensure that Autopatch services can be delivered, and devices remain eligible for the service.
+
+With this feature, IT admins can:
+
+- View alerts, in line with the features you commonly use:
+ - Windows Update related alerts in the Release management blade.
+ - Device configuration alerts in the **Tenant management** > **Alert actions** tab.
+- Initiate action for the Autopatch service to restore policies without having to raise an incident.
+- Initiate action for the Autopatch service to restore the deployment rings without having to raise an incident.
+
+> [!NOTE]
+> You can rename your policies to meet your organization’s requirements. Do **not** rename the underlying Autopatch deployment groups.
+
+## Check policy health
+
+Alerts are raised when deployment rings don't have the required policies and the settings that impact devices within the ring. The remediation actions from the displayed alerts are intended to keep the deployment rings in a healthy state. Devices in each ring may continue to report different states, including errors and conflicts. This occurs due to multiple policies targeted at the same device or other conditions on the device. Policy conflicts and other device errors aren't addressed by these alerts.
+
+## Built-in roles required for remediation actions
+
+The minimum role required to restore configurations is **Intune Service Administrator**. You can also perform these actions in the Global administrator role.
+
+## Restore device configuration policy
+
+**To initiate remediation action for device configuration alerts:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Tenant administration** > **Tenant management** > **Actions**.
+1. Select **Restore missing policy** to launch the workflow.
+1. Review the message and select **Restore policy**.
+1. If the **Change modified policy alert** appears, select this alert to launch the workflow.
+1. Select **Submit changes** to restore to service required values.
+
+There will be an alert for each policy that is missing or has deviated from the service defined values.
+
+## Restore Windows update policies
+
+**To initiate remediation actions for Windows quality update policies:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1.
Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows quality updates** > **Status**.
+1. Select **Policy Error** to launch the Policy error workflow.
+1. Review the message:
+ 1. If this is a missing policy error, select **Restore policy** to complete the workflow.
+ 2. If this is a modified policy, select **Submit changes** to restore to service required values.
+
+**To initiate remediation actions for Windows feature update policies:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release schedule** > **Windows feature updates** > **Status**.
+1. Select **Policy Error** to launch the Policy error workflow.
+1. Review the message.
+ 1. If this is a missing policy error, select **Restore policy** to complete the workflow.
+ 2. If this is a modified policy, select **Submit changes** to restore to service required values.
+
+## Restore deployment groups
+
+**To initiate remediation action for missing groups:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Navigate to **Tenant administration** > **Tenant management** > **Actions**.
+1. Select **Restore missing group** to launch the workflow.
+1. Review the message and select **Restore group**.
+
+When a missing deployment group is restored, the policies will be reassigned back to the deployment groups. In the Release management blade, the service will raise a Policy Error that you'll need to complete to repair Windows Update policies. Due to the asynchronous run of service detectors, it may take up to four (4) hours for this error to be displayed.
+
+> [!NOTE]
+> While Windows Autopatch continuously monitors the policies, all policy alerts are raised within four (4) hours of detection.

                  Alerts will remain active until an IT admin completes the action to restore them to a healthy state.

+
+There are no Autopatch reports for policy alerts and actions at this time.
+
+## Use audit logs to track actions in Microsoft Intune
+
+You can review audit logs in Intune to review the activities completed on the tenant.
+
+**To review audit logs in Intune:**
+
+1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Tenant administration** > **Audit logs**.
+
+The entries with enterprise application name, Modern Workplace Management, are the actions requested by Windows Autopatch.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
index c4a87a93ba..29e95ec21f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
@@ -39,9 +39,6 @@ If you have a **Premier** or **Unified** support contract, when you submit a new
 Depending on your support contract, the following severity options are available:
-> [!NOTE]
-> Selecting either severity **A** or **Critical** issue limits you to a phone support case. This is the fastest support option.
-
 | Support contract | Severity options |
 | ----- | ----- |
 | Premier | Severity A, B or C |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index ce6d60f33d..95b3391bd5 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows feature updates
 description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 02/17/2023
+ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -82,10 +82,10 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
 ### Pausing and resuming a release
 > [!CAUTION]
-> It's recommended to only use Windows Autopatch's Release management blade to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 > [!IMPORTANT]
-> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                  For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                  +> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

                  For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

**To pause or resume a Windows feature update:**
@@ -109,7 +109,7 @@ If you've paused an update, the specified release will have the **Customer Pause
 Windows Autopatch doesn’t support the rollback of Windows feature updates.
 > [!CAUTION]
-> It's recommended to only use Windows Autopatch's Release management blade to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 ## Contact support
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index ac728972ce..f12b686427 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -1,7 +1,7 @@
 ---
 title: Windows quality updates
 description: This article explains how Windows quality updates are managed in Autopatch
-ms.date: 02/17/2023
+ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: conceptual
@@ -33,8 +33,8 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
 | Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
 | Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
-> [!NOTE]
-> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions).
+> [!IMPORTANT]
+> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC.
You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC.
 ## Windows quality update releases
@@ -86,6 +86,9 @@ When running an expedited release, the regular goal of 95% of devices in 21 days
 | Standard release | Test

                  First

                  Fast

                  Broad | 0

                  1

                  6

                  9 | 0

                  2

                  2

                  5 | 0

                  2

                  2

2 |
 | Expedited release | All devices | 0 | 1 | 1 |
+> [!IMPORTANT]
+> Expedited updates **don't** work with devices under the [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/). For more information, see [expedite Windows quality updates in Microsoft Intune](/mem/intune/protect/windows-10-expedite-updates).
+
 #### Turn off service-driven expedited quality update releases
 Windows Autopatch provides the option to turn off of service-driven expedited quality updates.
@@ -115,7 +118,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
 ### Pausing and resuming a release
 > [!CAUTION]
-> It's recommended to only use Windows Autopatch's Release management blade to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
+> You should only pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release) on Windows Autopatch managed devices using the Windows Autopatch Release management blade. Do **not** use the Microsoft Intune end-user experience flows to pause or resume Windows Autopatch managed devices. If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
 The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
index 508c99fa46..50453deea1 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-update.md
@@ -1,7 +1,7 @@
 ---
 title: Customize Windows Update settings
 description: This article explains how to customize Windows Updates in Windows Autopatch
-ms.date: 03/08/2023
+ms.date: 05/02/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: how-to
@@ -30,6 +30,9 @@ For each tenant, at the deployment ring level, there are two cadence types to co
 - [Deadline-driven](#deadline-driven)
 - [Scheduled install](#scheduled-install)
+> [!NOTE]
+> Windows Autopatch uses the [Update rings policy for Windows 10 and later in Microsoft Intune](/mem/intune/protect/windows-10-update-rings) to apply either **Deadline-driven** or **Scheduled install** cadence types. Microsoft Intune implements [Update rings policy for Windows 10 and later](/mem/intune/protect/windows-10-update-rings) using the settings available in the [Update policy CSP](/windows/client-management/mdm/policy-csp-update).
+
 #### Deadline-driven
 With the deadline-drive cadence type, you can control and customize the deferral, deadline, and grace period to meet your specific business needs and organizational requirements.
@@ -53,9 +56,11 @@ However, if an update has already started for a particular deployment ring, Wind #### Scheduled install > [!NOTE] -> If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective). +>If you select the Schedule install cadence type, the devices in that ring won’t be counted towards the [Windows quality update service level objective](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective). -While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will prevent forced restarts and interruptions to critical business activities for end users, thereby minimizing disruptions. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. The expectation is that devices would only update and restart according to the time specified. +While the Windows Autopatch default options will meet the majority of the needs for regular users with corporate devices, we understand there are devices that run critical activities and can only receive Windows Updates at specific times. The **Scheduled install** cadence type will minimize disruptions by preventing forced restarts and interruptions to critical business activities for end users. Upon selecting the **Scheduled install** cadence type, any previously set deadlines and grace periods will be removed. Devices will only update and restart according to the time specified. 
+ +If other applications force a device to restart outside of the specified time and a Windows Update is pending a restart, the Windows Update will complete its installation at this time. For this reason, ensure that you consider your update and restart scenarios for devices running business critical activities, or restart sensitive workloads before using the Scheduled Install option. > [!NOTE] > The compliance deadline and grace period for Windows quality updates won't be configured for the Scheduled Install cadence type. @@ -90,6 +95,9 @@ For more information, see [Windows Update settings you can manage with Intune up ## Customize the Windows Update deployment cadence +> [!IMPORTANT] +> The Windows update setting customizations can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its device management solution and that's the average frequency Windows devices take to communicate back to Microsoft Intune with new instructions to apply new software update settings.

                  For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

                  + **To customize the Windows Update deployment cadence:** 1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 5cbf2a8380..7eaead607a 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: windows-client ms.topic: faq - ms.date: 02/28/2023 + ms.date: 05/04/2023 audience: itpro ms.localizationpriority: medium manager: dougeby @@ -77,6 +77,9 @@ sections: - question: Can you change the policies and configurations created by Windows Autopatch? answer: | No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). + - question: How can I represent our organizational structure with our own deployment cadence? + answer: | + [Windows Autopatch groups](../deploy/windows-autopatch-groups-overview.md) helps you manage updates in a way that makes sense for your businesses. For more information, see [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) and [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md). - name: Update management questions: - question: What systems does Windows Autopatch update? 
@@ -96,7 +99,7 @@ sections: - Rollback: For more information about Microsoft 365 Apps for enterprise, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls). - question: Can I permanently pause a Windows feature update deployment? answer: | - Yes. Windows Autopatch provides a [permanent pause of either a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release). + Yes. Windows Autopatch provides a [permanent pause of a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release). - question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates? answer: | For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases). For normal updates Autopatch, uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring. diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md index d185fe21d6..3525a20488 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md 
@@ -45,8 +45,8 @@ This article outlines your responsibilities and Windows Autopatch's responsibili | [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: | | [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: | | [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | :heavy_check_mark: | :x: | -| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: | -| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | +| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices-using-the-classic-method) | :heavy_check_mark: | :x: | +| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: | | [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: | | [Manually override device assignments to First, Fast & Broad deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings) | :heavy_check_mark: | :x: | | [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: | 
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 7e202554d2..4ca771cece 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -52,7 +52,6 @@ The following are the Microsoft Intune settings: | Check | Description | | ----- | ----- | | Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). | -| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). | ### Azure Active Directory settings diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md index a180a874ec..413d997112 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md 
@@ -37,14 +37,6 @@ For each check, the tool will report one of four possible results: You can access Intune settings at the [Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -### Unlicensed admins - -This setting must be turned on to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. - -| Result | Meaning | -| ----- | ----- | -| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.

                  For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). | - ### Update rings for Windows 10 or later Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index c2f86d2ca3..1808dd285c 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 02/17/2023 +ms.date: 04/24/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual 
@@ -44,23 +44,26 @@ Windows Autopatch is included with Windows 10/11 Enterprise E3 or higher (user-b | [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 | | [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 | -The following Windows OS 10 editions, 1809+ builds and architecture are supported in Windows Autopatch: +The following Windows 10 editions, build version and architecture are supported to be [registered](../deploy/windows-autopatch-register-devices.md) with Windows Autopatch: - Windows 10 (1809+)/11 Pro - Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Pro for Workstations +> [!IMPORTANT] +> While Windows Autopatch supports registering devices below the [minimum Windows OS version enforced by the service](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version), once registered, devices are automatically offered with the [minimum windows OS version](../operate/windows-autopatch-windows-feature-update-overview.md#enforcing-a-minimum-windows-os-version). The devices must be on a [minimum Windows OS currently serviced](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2) to keep receiving monthly security updates that are critical to security and the health Windows. + > [!NOTE] -> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). 
The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Additionally, Windows Autopatch can only manage Windows quality updates for devices that haven't reached the LTSC's [end of servicing date](/windows/release-health/release-information#enterprise-and-iot-enterprise-ltsbltsc-editions). +> Windows Autopatch supports registering [Windows 10 Long-Term Servicing Channel (LTSC)](/windows/whats-new/ltsc/) devices that are being currently serviced by the [Windows LTSC](/windows/release-health/release-information). The service only supports managing the [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) workload for devices currently serviced by the LTSC. Windows Update for Business service and Windows Autopatch don't offer Windows feature updates for devices that are part of the LTSC. You must either use [LTSC media](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) or the [Configuration Manager Operating System Deployment capabilities to perform an in-place upgrade](/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager) for Windows devices that are part of the LTSC. ## Configuration Manager co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). -- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled: - - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. - - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. 
- - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. +- Configuration Manager must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled and set to either **Pilot Intune** or **Intune**: + - [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) + - [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) + - [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths). diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index b330342957..a1fd2c87e2 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -45,7 +45,8 @@ The following groups target Windows Autopatch configurations to devices and mana | ----- | ----- | | Modern Workplace-All | All Modern Workplace users | | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | -| Modern Workplace Devices-All | All Modern Workplace devices | +| Modern Workplace Devices-All | All Autopatch devices | +| Modern Workplace Devices-Virtual Machine | All Autopatch virtual devices | | Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout | | Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters | | Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | 
@@ -73,10 +74,10 @@ The following groups target Windows Autopatch configurations to devices and mana | Policy name | Policy description | OMA | Value | | ----- | ----- | ----- | ----- | -| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  |
                  • QualityUpdatesDeferralPeriodInDays
                  • FeatureUpdatesDeferralPeriodInDays
                  • FeatureUpdatesRollbackWindowInDays
                  • BusinessReadyUpdatesOnly
                  • AutomaticUpdateMode
                  • InstallTime
                  • DeadlineForFeatureUpdatesInDays
                  • DeadlineForQualityUpdatesInDays
                  • DeadlineGracePeriodInDays
                  • PostponeRebootUntilAfterDeadline
                  • DriversExcluded
                  |
                  • 0
                  • 0
                  • 30
                  • All
                  • WindowsDefault
                  • 3
                  • 5
                  • 0
                  • 0
                  • False
                  • False
                  • | -| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-First
                    |
                    • QualityUpdatesDeferralPeriodInDays
                    • FeatureUpdatesDeferralPeriodInDays
                    • FeatureUpdatesRollbackWindowInDays
                    • BusinessReadyUpdatesOnly
                    • AutomaticUpdateMode
                    • InstallTime
                    • DeadlineForFeatureUpdatesInDays
                    • DeadlineForQualityUpdatesInDays
                    • DeadlineGracePeriodInDays
                    • PostponeRebootUntilAfterDeadline
                    • DriversExcluded
                    |
                    • 1
                    • 0
                    • 30
                    • All
                    • WindowsDefault
                    • 3
                    • 5
                    • 2
                    • 2
                    • False
                    • False
                    • | -| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

                      Assigned to:

                      • Modern Workplace Devices-Windows Autopatch-Fast
                      |
                      • QualityUpdatesDeferralPeriodInDays
                      • FeatureUpdatesDeferralPeriodInDays
                      • FeatureUpdatesRollbackWindowInDays
                      • BusinessReadyUpdatesOnly
                      • AutomaticUpdateMode
                      • InstallTime
                      • DeadlineForFeatureUpdatesInDays
                      • DeadlineForQualityUpdatesInDays
                      • DeadlineGracePeriodInDays
                      • PostponeRebootUntilAfterDeadline
                      • DriversExcluded
                      |
                      • 6
                      • 0
                      • 30
                      • All
                      • WindowsDefault
                      • 3
                      • 5
                      • 2
                      • 2
                      • False
                      • False
                      • | -| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Broad
                        |
                        • QualityUpdatesDeferralPeriodInDays
                        • FeatureUpdatesDeferralPeriodInDays
                        • FeatureUpdatesRollbackWindowInDays
                        • BusinessReadyUpdatesOnly
                        • AutomaticUpdateMode
                        • InstallTime
                        • DeadlineForFeatureUpdatesInDays
                        • DeadlineForQualityUpdatesInDays
                        • DeadlineGracePeriodInDays
                        • PostponeRebootUntilAfterDeadline
                        • DriversExcluded
                        |
                        • 9
                        • 0
                        • 30
                        • All
                        • WindowsDefault
                        • 3
                        • 5
                        • 5
                        • 2
                        • False
                        • False
                        • | +| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-Test
                          |
                          • MicrosoftProductUpdates
                          • EnablePrereleasebuilds
                          • UpgradetoLatestWin11
                          • QualityUpdatesDeferralPeriodInDays
                          • FeatureUpdatesDeferralPeriodInDays
                          • FeatureUpdatesRollbackWindowInDays
                          • BusinessReadyUpdatesOnly
                          • AutomaticUpdateMode
                          • InstallTime
                          • DeadlineForFeatureUpdatesInDays
                          • DeadlineForQualityUpdatesInDays
                          • DeadlineGracePeriodInDays
                          • PostponeRebootUntilAfterDeadline
                          • DriversExcluded
                          • RestartChecks
                          • SetDisablePauseUXAccess
                          • SetUXtoCheckforUpdates
                          |
                          • Allow
                          • Not Configured
                          • No
                          • 0
                          • 0
                          • 30
                          • All
                          • WindowsDefault
                          • 3
                          • 5
                          • 0
                          • 0
                          • False
                          • False
                          • Allow
                          • Disable
                          • Enable
                          • | +| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-First
                            |
                            • MicrosoftProductUpdates
                            • EnablePrereleasebuilds
                            • UpgradetoLatestWin11
                            • QualityUpdatesDeferralPeriodInDays
                            • FeatureUpdatesDeferralPeriodInDays
                            • FeatureUpdatesRollbackWindowInDays
                            • BusinessReadyUpdatesOnly
                            • AutomaticUpdateMode
                            • InstallTime
                            • DeadlineForFeatureUpdatesInDays
                            • DeadlineForQualityUpdatesInDays
                            • DeadlineGracePeriodInDays
                            • PostponeRebootUntilAfterDeadline
                            • DriversExcluded
                            • RestartChecks
                            • SetDisablePauseUXAccess
                            • SetUXtoCheckforUpdates
                            |
                            • Allow
                            • Not Configured
                            • No
                            • 1
                            • 0
                            • 30
                            • All
                            • WindowsDefault
                            • 3
                            • 5
                            • 2
                            • 2
                            • False
                            • False
                            • Allow
                            • Disable
                            • Enable
                            • | +| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

                              Assigned to:

                              • Modern Workplace Devices-Windows Autopatch-Fast
                              |
                              • MicrosoftProductUpdates
                              • EnablePrereleasebuilds
                              • UpgradetoLatestWin11
                              • QualityUpdatesDeferralPeriodInDays
                              • FeatureUpdatesDeferralPeriodInDays
                              • FeatureUpdatesRollbackWindowInDays
                              • BusinessReadyUpdatesOnly
                              • AutomaticUpdateMode
                              • InstallTime
                              • DeadlineForFeatureUpdatesInDays
                              • DeadlineForQualityUpdatesInDays
                              • DeadlineGracePeriodInDays
                              • PostponeRebootUntilAfterDeadline
                              • DriversExcluded
                              • RestartChecks
                              • SetDisablePauseUXAccess
                              • SetUXtoCheckforUpdates
                              |
                              • Allow
                              • Not Configured
                              • No
                              • 6
                              • 0
                              • 30
                              • All
                              • WindowsDefault
                              • 3
                              • 5
                              • 2
                              • 2
                              • False
                              • False
                              • Allow
                              • Disable
                              • Enable
                              • | +| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

                                Assigned to:

                                • Modern Workplace Devices-Windows Autopatch-Broad
                                |
                                • MicrosoftProductUpdates
                                • EnablePrereleasebuilds
                                • UpgradetoLatestWin11
                                • QualityUpdatesDeferralPeriodInDays
                                • FeatureUpdatesDeferralPeriodInDays
                                • FeatureUpdatesRollbackWindowInDays
                                • BusinessReadyUpdatesOnly
                                • AutomaticUpdateMode
                                • InstallTime
                                • DeadlineForFeatureUpdatesInDays
                                • DeadlineForQualityUpdatesInDays
                                • DeadlineGracePeriodInDays
                                • PostponeRebootUntilAfterDeadline
                                • DriversExcluded
                                • RestartChecks
                                • SetDisablePauseUXAccess
                                • SetUXtoCheckforUpdates
                                |
                                • Allow
                                • Not Configured
                                • No
                                • 9
                                • 0
                                • 30
                                • All
                                • WindowsDefault
                                • 3
                                • 5
                                • 5
                                • 2
                                • False
                                • False
                                • Allow
                                • Disable
                                • Enable
                                • | ## Windows feature update policies diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md new file mode 100644 index 0000000000..29795eceb9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-groups-public-preview-addendum.md 
@@ -0,0 +1,29 @@
+---
+title: Autopatch groups Public Preview Addendum
+description: Addendum for Windows Autopatch groups public preview
+ms.date: 05/01/2023
+ms.prod: windows-client
+ms.technology: itpro-updates
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+ms.reviewer: andredm7
+---
+
+# Windows Autopatch groups Public Preview Addendum
+
+**This is the Autopatch groups Public Preview Addendum ("Addendum") to the Microsoft Product Terms’ Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForallOnlineServices/all) (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
+
+For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:
+
+Microsoft desires to preview the Autopatch groups service it is developing ("**Autopatch groups Preview**”) in order to evaluate it. Customer would like to particulate this Autopatch groups Preview under the Product Terms and this Addendum. Autopatch groups Preview consists of features and services that are in preview, beta, or other pre-release form. Autopatch groups Preview is subject to the "preview" terms set forth in the Product Terms’ Universal License Terms for Online Services.
+
+## Definitions
+
+Capitalized terms used but not defined herein have the meanings given in the Product Terms.
+
+## Data Handling
+
+Autopatch groups Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Autopatch groups Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Autopatch groups Preview apply to that data.
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
index 47d7aa1795..e8e54695c8 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
@@ -26,8 +26,8 @@ Window Autopatch deploys mobile device management (MDM) policies to configure Mi
 | ----- | ----- | ----- |
 | Set updates to occur automatically | Enabled | Enable automatic updates |
 | Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
-| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch |
+| Update channel | Monthly Enterprise | Supported channel for Windows Autopatch |
 | Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
-| Set a deadline by when updates must be applied | 3 | Update deadline |
+| Set a deadline by when updates must be applied | 7 | Update deadline |
 | Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
 | Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index cd78ed1670..a279da8f47 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
 ---
 title: What's new 2023
 description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 03/30/2023
+ms.date: 05/01/2023
 ms.prod: windows-client
 ms.technology: itpro-updates
 ms.topic: whats-new
@@ -18,6 +18,51 @@ This article lists new and updated feature releases, and service releases, with
 
 Minor corrections such as typos, style, or formatting issues aren't listed.
 
+## May 2023
+
+### May 2023 feature release
+
+| Article | Description |
+| ----- | ----- |
+| [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md) | Updated article to include Windows Autopatch groups. The Windows Autopatch groups feature is in public preview |
+| [Register your devices](../deploy/windows-autopatch-register-devices.md) | Updated article to include Windows Autopatch groups. The Windows Autopatch groups feature is in public preview |
+| [Windows Autopatch groups overview](../deploy/windows-autopatch-groups-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Software update management](../operate/windows-autopatch-groups-update-management.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Customize Windows Update settings](../operate/windows-autopatch-groups-windows-update.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update overview](../operate/windows-autopatch-groups-windows-quality-update-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update end user experience](../operate/windows-autopatch-groups-windows-quality-update-end-user-exp.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update signals](../operate/windows-autopatch-groups-windows-quality-update-signals.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update communications](../operate/windows-autopatch-groups-windows-quality-update-communications.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows feature update overview](../operate/windows-autopatch-groups-windows-feature-update-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Manage Windows feature update](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality and feature update reports overview](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update summary dashboard](../operate/windows-autopatch-groups-windows-quality-update-summary-dashboard.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update status report](../operate/windows-autopatch-groups-windows-quality-update-status-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality update trending report](../operate/windows-autopatch-groups-windows-quality-update-trending-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows feature update summary dashboard](../operate/windows-autopatch-groups-windows-feature-update-summary-dashboard.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows feature update status report](../operate/windows-autopatch-groups-windows-feature-update-status-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows feature update trending report](../operate/windows-autopatch-groups-windows-feature-update-trending-report.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Windows quality and feature update device alerts](../operate/windows-autopatch-device-alerts.md) | New article for the Windows Autopatch groups experience. Windows Autopatch groups is in public preview |
+| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview |
+| [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview |
+
+## April 2023
+
+### April feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the [Deployment rings for Windows 10 and later](../references/windows-autopatch-changes-to-tenant.md#deployment-rings-for-windows-10-and-later) section |
+
+### April 2023 service release
+
+| Message center post number | Description |
+| ----- | ----- |
+| [MC542842](https://admin.microsoft.com/adminportal/home#/MessageCenter) | April 2023 Windows Autopatch baseline configuration update |
+| [MC538728](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Update: Windows Autopatch quality updates release communication |
+| [MC536881](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Take action: Review Windows Autopatch Tenant management blade for potential action required to prevent inactive status |
+
 ## March 2023
 
 ### March feature releases or updates
@@ -32,6 +77,8 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
 
 | Message center post number | Description |
 | ----- | ----- |
+| [MC536880](https://admin.microsoft.com/adminportal/home#/MessageCenter) | New Features in Windows Autopatch Public Preview |
+| [MC535259](https://admin.microsoft.com/adminportal/home#/MessageCenter) | March 2023 Windows Autopatch baseline configuration update |
 | [MC527439](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Prepare for Windows Autopatch Groups |
 | [MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Public preview - Customize Windows Update settings |
 
diff --git a/windows/deployment/windows-autopilot/images/all-groups.png b/windows/deployment/windows-autopilot/images/all-groups.png
deleted file mode 100644
index 6ae904ed62..0000000000
Binary files a/windows/deployment/windows-autopilot/images/all-groups.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png b/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png
deleted file mode 100644
index 0f458e9306..0000000000
Binary files a/windows/deployment/windows-autopilot/images/allow-white-glove-oobe.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/ap-ts-1.png b/windows/deployment/windows-autopilot/images/ap-ts-1.png
deleted file mode 100644
index 5f4c33fd51..0000000000
Binary files a/windows/deployment/windows-autopilot/images/ap-ts-1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/ap-ts.png b/windows/deployment/windows-autopilot/images/ap-ts.png
deleted file mode 100644
index 7c343176d0..0000000000
Binary files a/windows/deployment/windows-autopilot/images/ap-ts.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg b/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg
deleted file mode 100644
index 3a16c0f219..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-configure.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg
deleted file mode 100644
index 3a8f1578cb..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png b/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png
deleted file mode 100644
index 1533f68c7c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-aad-mdm.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg b/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg
deleted file mode 100644
index 137b6ca431..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-devices-add.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg
deleted file mode 100644
index bc4bed8920..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-add.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg
deleted file mode 100644
index 7604382113..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-assign.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg
deleted file mode 100644
index c3c5307ce4..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-profile-configure.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg b/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg
deleted file mode 100644
index a2717c68be..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-intune-sync.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg b/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg
deleted file mode 100644
index bb2d641155..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-oobe.jpg and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png b/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png
deleted file mode 100644
index d86cb57895..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-reset-customlogin.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png b/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png
deleted file mode 100644
index f6fa6d3467..0000000000
Binary files a/windows/deployment/windows-autopilot/images/autopilot-reset-lockscreen.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png b/windows/deployment/windows-autopilot/images/bitlocker-encryption.png
deleted file mode 100644
index 96e2d94fb3..0000000000
Binary files a/windows/deployment/windows-autopilot/images/bitlocker-encryption.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/choice.png b/windows/deployment/windows-autopilot/images/choice.png
deleted file mode 100644
index 881744eec5..0000000000
Binary files a/windows/deployment/windows-autopilot/images/choice.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/connector-fail.png b/windows/deployment/windows-autopilot/images/connector-fail.png
deleted file mode 100644
index 2d8abb5785..0000000000
Binary files a/windows/deployment/windows-autopilot/images/connector-fail.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp1.png b/windows/deployment/windows-autopilot/images/csp1.png
deleted file mode 100644
index 81e59080c8..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp2.png b/windows/deployment/windows-autopilot/images/csp2.png
deleted file mode 100644
index 06cc80fe95..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp3.png b/windows/deployment/windows-autopilot/images/csp3.png
deleted file mode 100644
index 8b0647e4b4..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp3a.png b/windows/deployment/windows-autopilot/images/csp3a.png
deleted file mode 100644
index 3fb1291370..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp3a.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp3b.png b/windows/deployment/windows-autopilot/images/csp3b.png
deleted file mode 100644
index c2034c1ebc..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp3b.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp4.png b/windows/deployment/windows-autopilot/images/csp4.png
deleted file mode 100644
index ddada725b2..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp4.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp5.png b/windows/deployment/windows-autopilot/images/csp5.png
deleted file mode 100644
index f43097c62b..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp5.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp6.png b/windows/deployment/windows-autopilot/images/csp6.png
deleted file mode 100644
index 8b0647e4b4..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp6.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/csp7.png b/windows/deployment/windows-autopilot/images/csp7.png
deleted file mode 100644
index 608128e5ab..0000000000
Binary files a/windows/deployment/windows-autopilot/images/csp7.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device3.png b/windows/deployment/windows-autopilot/images/delete-device3.png
deleted file mode 100644
index a2daa1c39a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device4.png b/windows/deployment/windows-autopilot/images/delete-device4.png
deleted file mode 100644
index c0119fbc39..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device4.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device5.png b/windows/deployment/windows-autopilot/images/delete-device5.png
deleted file mode 100644
index 33b539d33c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device5.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device6.png b/windows/deployment/windows-autopilot/images/delete-device6.png
deleted file mode 100644
index 23cbcb7c44..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device6.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/delete-device7.png b/windows/deployment/windows-autopilot/images/delete-device7.png
deleted file mode 100644
index dcdeee5205..0000000000
Binary files a/windows/deployment/windows-autopilot/images/delete-device7.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles.png b/windows/deployment/windows-autopilot/images/deployment-profiles.png
deleted file mode 100644
index 7888da55d1..0000000000
Binary files a/windows/deployment/windows-autopilot/images/deployment-profiles.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/deployment-profiles2.png b/windows/deployment/windows-autopilot/images/deployment-profiles2.png
deleted file mode 100644
index 6ff9fbb89e..0000000000
Binary files a/windows/deployment/windows-autopilot/images/deployment-profiles2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/device-import.png b/windows/deployment/windows-autopilot/images/device-import.png
deleted file mode 100644
index 3be4cff996..0000000000
Binary files a/windows/deployment/windows-autopilot/images/device-import.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/device2.png b/windows/deployment/windows-autopilot/images/device2.png
deleted file mode 100644
index 6f7d1a5df0..0000000000
Binary files a/windows/deployment/windows-autopilot/images/device2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/device3.png b/windows/deployment/windows-autopilot/images/device3.png
deleted file mode 100644
index adf9c7a875..0000000000
Binary files a/windows/deployment/windows-autopilot/images/device3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/devices.png b/windows/deployment/windows-autopilot/images/devices.png
deleted file mode 100644
index a5b0dd1899..0000000000
Binary files a/windows/deployment/windows-autopilot/images/devices.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/dfci.png b/windows/deployment/windows-autopilot/images/dfci.png
deleted file mode 100644
index 6c68ed8b80..0000000000
Binary files a/windows/deployment/windows-autopilot/images/dfci.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/enabled-device.png b/windows/deployment/windows-autopilot/images/enabled-device.png
deleted file mode 100644
index 96dc935309..0000000000
Binary files a/windows/deployment/windows-autopilot/images/enabled-device.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/enrollment-status-page.png b/windows/deployment/windows-autopilot/images/enrollment-status-page.png
deleted file mode 100644
index 9bb550c20b..0000000000
Binary files a/windows/deployment/windows-autopilot/images/enrollment-status-page.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/esp-config.png b/windows/deployment/windows-autopilot/images/esp-config.png
deleted file mode 100644
index eb9f94661f..0000000000
Binary files a/windows/deployment/windows-autopilot/images/esp-config.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/esp-settings.png b/windows/deployment/windows-autopilot/images/esp-settings.png
deleted file mode 100644
index df0fe655e9..0000000000
Binary files a/windows/deployment/windows-autopilot/images/esp-settings.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/hh.png b/windows/deployment/windows-autopilot/images/hh.png
deleted file mode 100644
index 98fbc3cd7b..0000000000
Binary files a/windows/deployment/windows-autopilot/images/hh.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/hwid-csv.png b/windows/deployment/windows-autopilot/images/hwid-csv.png
deleted file mode 100644
index ac177e0b5a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/hwid-csv.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/image1.png b/windows/deployment/windows-autopilot/images/image1.png
deleted file mode 100644
index e5bd9e3cba..0000000000
Binary files a/windows/deployment/windows-autopilot/images/image1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/image2.png b/windows/deployment/windows-autopilot/images/image2.png
deleted file mode 100644
index 9790d50b35..0000000000
Binary files a/windows/deployment/windows-autopilot/images/image2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/import-vm.png b/windows/deployment/windows-autopilot/images/import-vm.png
deleted file mode 100644
index 5fb97cda5d..0000000000
Binary files a/windows/deployment/windows-autopilot/images/import-vm.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/include-group.png b/windows/deployment/windows-autopilot/images/include-group.png
deleted file mode 100644
index fb7bca7efa..0000000000
Binary files a/windows/deployment/windows-autopilot/images/include-group.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/include-group2.png b/windows/deployment/windows-autopilot/images/include-group2.png
deleted file mode 100644
index 585d006bac..0000000000
Binary files a/windows/deployment/windows-autopilot/images/include-group2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/intune-devices.png b/windows/deployment/windows-autopilot/images/intune-devices.png
deleted file mode 100644
index bc29c76511..0000000000
Binary files a/windows/deployment/windows-autopilot/images/intune-devices.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/landing.png b/windows/deployment/windows-autopilot/images/landing.png
deleted file mode 100644
index 13dea20b07..0000000000
Binary files a/windows/deployment/windows-autopilot/images/landing.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-config.png b/windows/deployment/windows-autopilot/images/mdm-config.png
deleted file mode 100644
index 0b2dd14a53..0000000000
Binary files a/windows/deployment/windows-autopilot/images/mdm-config.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/mdm-intune.png b/windows/deployment/windows-autopilot/images/mdm-intune.png
deleted file mode 100644
index db9b144fad..0000000000
Binary files a/windows/deployment/windows-autopilot/images/mdm-intune.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage2.png b/windows/deployment/windows-autopilot/images/msfb-manage2.png
deleted file mode 100644
index 406aaf5948..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-manage2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/msfb-manage3.png b/windows/deployment/windows-autopilot/images/msfb-manage3.png
deleted file mode 100644
index bf5fb1ccf9..0000000000
Binary files a/windows/deployment/windows-autopilot/images/msfb-manage3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/new-group.png b/windows/deployment/windows-autopilot/images/new-group.png
deleted file mode 100644
index c18c1865f6..0000000000
Binary files a/windows/deployment/windows-autopilot/images/new-group.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/notepad.png b/windows/deployment/windows-autopilot/images/notepad.png
deleted file mode 100644
index 0f243f95d6..0000000000
Binary files a/windows/deployment/windows-autopilot/images/notepad.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/pc-01a.png b/windows/deployment/windows-autopilot/images/pc-01a.png
deleted file mode 100644
index a3d0f4cdea..0000000000
Binary files a/windows/deployment/windows-autopilot/images/pc-01a.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/pc-01b.png b/windows/deployment/windows-autopilot/images/pc-01b.png
deleted file mode 100644
index 07eda6e4bb..0000000000
Binary files a/windows/deployment/windows-autopilot/images/pc-01b.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/pwd.png b/windows/deployment/windows-autopilot/images/pwd.png
deleted file mode 100644
index c9b0e7837c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/pwd.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/reset.png b/windows/deployment/windows-autopilot/images/reset.png
deleted file mode 100644
index 0619b7fa03..0000000000
Binary files a/windows/deployment/windows-autopilot/images/reset.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/sc.png b/windows/deployment/windows-autopilot/images/sc.png
deleted file mode 100644
index bb326e6406..0000000000
Binary files a/windows/deployment/windows-autopilot/images/sc.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/sc1.png b/windows/deployment/windows-autopilot/images/sc1.png
deleted file mode 100644
index 380887a45c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/sc1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/self-deploy-welcome.png b/windows/deployment/windows-autopilot/images/self-deploy-welcome.png
deleted file mode 100644
index 3ab1e4b304..0000000000
Binary files a/windows/deployment/windows-autopilot/images/self-deploy-welcome.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/up-1.PNG b/windows/deployment/windows-autopilot/images/up-1.PNG
deleted file mode 100644
index c1284c53d2..0000000000
Binary files a/windows/deployment/windows-autopilot/images/up-1.PNG and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/up-2.PNG b/windows/deployment/windows-autopilot/images/up-2.PNG
deleted file mode 100644
index 4891a3873a..0000000000
Binary files a/windows/deployment/windows-autopilot/images/up-2.PNG and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/up-3.PNG b/windows/deployment/windows-autopilot/images/up-3.PNG
deleted file mode 100644
index 8b1e356f92..0000000000
Binary files a/windows/deployment/windows-autopilot/images/up-3.PNG and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/update-flow.png b/windows/deployment/windows-autopilot/images/update-flow.png
deleted file mode 100644
index c90f54e96c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/update-flow.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/update1.png b/windows/deployment/windows-autopilot/images/update1.png
deleted file mode 100644
index 83d98a29b5..0000000000
Binary files a/windows/deployment/windows-autopilot/images/update1.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/update2.png b/windows/deployment/windows-autopilot/images/update2.png
deleted file mode 100644
index 04dbcaddc1..0000000000
Binary files a/windows/deployment/windows-autopilot/images/update2.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/update3.png b/windows/deployment/windows-autopilot/images/update3.png
deleted file mode 100644
index 851adb58ec..0000000000
Binary files a/windows/deployment/windows-autopilot/images/update3.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg01.png b/windows/deployment/windows-autopilot/images/wg01.png
deleted file mode 100644
index fa08be3f48..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg01.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg02.png b/windows/deployment/windows-autopilot/images/wg02.png
deleted file mode 100644
index 5de01d6803..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg02.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg03.png b/windows/deployment/windows-autopilot/images/wg03.png
deleted file mode 100644
index 89ac12747c..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg03.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg04.png b/windows/deployment/windows-autopilot/images/wg04.png
deleted file mode 100644
index a59ea766b7..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg04.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg05.png b/windows/deployment/windows-autopilot/images/wg05.png
deleted file mode 100644
index cea36fb6bd..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg05.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg06.png b/windows/deployment/windows-autopilot/images/wg06.png
deleted file mode 100644
index 68cd29c24d..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg06.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/wg07.png b/windows/deployment/windows-autopilot/images/wg07.png
deleted file mode 100644
index bc5a81bb3f..0000000000
Binary files a/windows/deployment/windows-autopilot/images/wg07.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/white-glove-result.png b/windows/deployment/windows-autopilot/images/white-glove-result.png
deleted file mode 100644
index de3701e76d..0000000000
Binary files a/windows/deployment/windows-autopilot/images/white-glove-result.png and /dev/null differ
diff --git a/windows/deployment/windows-autopilot/images/windows_glyph.png b/windows/deployment/windows-autopilot/images/windows_glyph.png
deleted file mode 100644
index 3a41d4dfb1..0000000000
Binary files a/windows/deployment/windows-autopilot/images/windows_glyph.png and /dev/null differ
diff --git a/windows/hub/doc-test.md b/windows/hub/doc-test.md
deleted file mode 100644
index 86c3a11317..0000000000
--- a/windows/hub/doc-test.md
+++ /dev/null
@@ -1,154 +0,0 @@ ---- -title: Doc team test -description: A test article for the doc team's use. -ms.date: 05/10/2022 -ms.prod: windows-client -ms.technology: itpro-fundamentals -ms.topic: reference -ms.localizationpriority: null -ROBOTS: NOINDEX -author: aczechowski -ms.author: aaroncz -ms.reviewer: mstewart -manager: dougeby ---- - -# Doc team test - -This article is for testing purposes only. - -> [!NOTE] -> For more markdown examples and tips, see the **template.md** file at the root of the repository. Including examples of links and images. - -## Basic Markdown and GFM - -All basic and Github-flavored markdown is supported. For more information, see: - -- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax) -- [Github-flavored markdown (GFM) documentation](https://guides.github.com/features/mastering-markdown) - -## Headings - -Examples of first and second-level headings are above. - -There **must** be only one first level heading in your article, which will be displayed as the on-page title. - -Second-level headings will generate the on-page TOC that appears in the "In this article" section underneath the on-page title. - -### Third-level heading (`###`) -#### Fourth-level heading (`####`) -##### Fifth-level heading (`#####`) - -## Text styling - -_Italics_ (`_`) - -**Bold** (`**`) - -~~Strikethrough~~ (`~~`) - -## Lists - -### Ordered lists - -1. This -1. Is -1. An -1. Ordered -1. List - -#### Ordered list with an embedded list - -1. Here -1. Comes -1. An -1. Embedded - 1. Scarlett - 1. Professor Plum -1. Ordered -1. List - -### Unordered Lists - -- This -- Is -- A -- Bulleted -- List - -#### Unordered list with an embedded list - -- This -- Bulleted -- List - - Peacock - - Green -- Contains -- Other - 1. Colonel Mustard - 1. Yellow - 1. gold - 1. White - 1. cream - 1. 
silver -- Lists - -## Horizontal rule - ---- - -## Tables - -| Tables | Are | Cool | -|---------------------|:-------------:|------:| -| Column 3 is | Right-aligned | $1600 | -| Column 2 is | Centered | $12 | -| Column 1 is default | Left-aligned | $1 | - -## Code - -### Code block - -```json -{ - "aggregator": { - "batchSize": 1000, - flushTimeout": "00:00:30" - } -} - ``` - -### In-line code - -This example is for `in-line code`. - -## Blockquotes - -> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive. - -## Alerts - -### Note - -> [!NOTE] -> This alert is a NOTE - -### Warning - -> [!WARNING] -> This alert is a WARNING - -### Tip - -> [!TIP] -> This alert is a TIP - -### Caution - -> [!CAUTION] -> This alert is a CAUTION - -### Important - -> [!IMPORTANT] -> This alert is a IMPORTANT diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index 92c7e04bad..69745dbbf6 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -60,7 +60,8 @@ "claydetels19", "jborsecnik", "tiburd", - "garycentric" + "garycentric", + "beccarobins" ] }, "fileMetadata": {}, diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md index 0e92139786..82b280bbf7 100644 --- a/windows/privacy/Microsoft-DiagnosticDataViewer.md +++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md 
@@ -40,7 +40,7 @@ Using the Diagnostic Data Viewer for PowerShell requires administrative (elevate ### Install the Diagnostic Data Viewer for PowerShell >[!IMPORTANT] - >It is recommended to visit the documentation on [Getting Started](/powershell/scripting/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. + >It is recommended to visit the documentation on [Getting Started](/powershell/gallery/getting-started) with PowerShell Gallery. This page provides more specific details on installing a PowerShell module. To install the newest version of the Diagnostic Data Viewer PowerShell module, run the following command within an elevated PowerShell session: ```powershell @@ -180,4 +180,4 @@ When resetting the size of your data history to a lower value, be sure to turn o ## Related Links - [Module in PowerShell Gallery](https://www.powershellgallery.com/packages/Microsoft.DiagnosticDataViewer) -- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer/?) +- [Documentation for Diagnostic Data Viewer for PowerShell](/powershell/module/microsoft.diagnosticdataviewer) diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 9527d8b80f..669d5beebf 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -57,7 +57,8 @@ "claydetels19", "jborsecnik", "tiburd", - "garycentric" + "garycentric", + "beccarobins" ] }, "searchScope": ["Windows 10"] diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 4984e4e28e..d71b135f49 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
@@ -23,6 +23,12 @@
 href: information-protection/tpm/tpm-fundamentals.md
 - name: How Windows uses the TPM
 href: information-protection/tpm/how-windows-uses-the-tpm.md
+ - name: Manage TPM commands
+ href: information-protection/tpm/manage-tpm-commands.md
+ - name: Manager TPM Lockout
+ href: information-protection/tpm/manage-tpm-lockout.md
+ - name: Change the TPM password
+ href: information-protection/tpm/change-the-tpm-owner-password.md
 - name: TPM Group Policy settings
 href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
 - name: Back up the TPM recovery information to AD DS
@@ -33,6 +39,7 @@
 href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
 - name: TPM recommendations
 href: information-protection/tpm/tpm-recommendations.md
+
 - name: Hardware-based root of trust
 href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
 - name: System Guard Secure Launch and SMM protection
@@ -314,6 +321,8 @@
 items:
 - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
 href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
+ - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
+ href: threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-available-settings.md
 - name: Configure S/MIME for Windows
 href: identity-protection\configure-s-mime.md
 - name: Windows Credential Theft Mitigation Guide Abstract
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 5d4dda26a8..7504a93725 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -63,7 +63,8 @@
 "AngelaMotherofDragons",
 "dstrome",
 "v-dihans",
- "garycentric"
+ "garycentric",
+ "beccarobins"
 ],
 "searchScope": ["Windows 10"]
 },
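Review bot: The new entry `- name: Manager TPM Lockout` in the first TOC.yml hunk is a typo for the page it links to; the manage-tpm-lockout.md file added in this same commit is titled "Manage TPM lockout", so the entry should read `- name: Manage TPM lockout`, which also matches the casing of its new sibling "Manage TPM commands". The next entry, `- name: Change the TPM password`, links to change-the-tpm-owner-password.md, whose title is "Change the TPM owner password"; naming it `- name: Change the TPM owner password` keeps the nav from being confused with the TPM-plus-PIN authorization value the lockout article discusses. The second hunk (-33,6 +39,7) adds only an empty line before "Hardware-based root of trust", which the rest of the list does not use; presumably unintended and worth dropping.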
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index c4e5d43423..cf9c8484b0 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -29,6 +29,9 @@ The policy setting has three components: ## Configure unlock factors +> [!CAUTION] +> On Windows 11, when the [DontDisplayLastUserName](/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name) security policy is enabled, it is known to interfere with the ability to use multi factor unlock. + The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. Supported credential providers include: @@ -40,8 +43,8 @@ Supported credential providers include: |Facial Recognition| `{8AF662BF-65A0-4D0A-A540-A338A999D36F}`| |Trusted Signal
                                  (Phone proximity, Network location) | `{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}`| ->[!NOTE] ->Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. +> [!NOTE] +> Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table. The default credential providers for the **First unlock factor credential provider** include: diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 23537daa14..e63b129275 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -2,7 +2,7 @@ title: Windows Hello errors during PIN creation description: When you set up Windows Hello, you may get an error during the Create a work PIN step. ms.topic: troubleshooting -ms.date: 03/31/2023 +ms.date: 04/24/2023 --- # Windows Hello errors during PIN creation 
@@ -22,7 +22,7 @@ When a user encounters an error when creating the work PIN, advise the user to t 1. Try to create the PIN again. Some errors are transient and resolve themselves. 2. Sign out, sign in, and try to create the PIN again. 3. Reboot the device and then try to create the PIN again. -4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings** > **System** > **About** > select **Disconnect from organization**. +4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings > System > About > Disconnect from organization**. If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. 
@@ -31,21 +31,21 @@ If the error occurs again, check the error code against the following table to s | 0x80090005 | NTE\_BAD\_DATA | Unjoin the device from Azure AD and rejoin. | | 0x8009000F | The container or key already exists. | Unjoin the device from Azure AD and rejoin. | | 0x80090011 | The container or key was not found. | Unjoin the device from Azure AD and rejoin. | -| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | +| 0x80090029 | TPM is not set up. | Sign on with an administrator account. Select **Start**, type `tpm.msc`, and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | | 0x8009002A | NTE\_NO\_MEMORY | Close programs which are taking up memory and try again. | | 0x80090031 | NTE\_AUTHENTICATION\_IGNORED | Reboot the device. If the error occurs again after rebooting, [reset the TPM](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd851452(v=ws.11)) or run [Clear-TPM](/powershell/module/trustedplatformmodule/clear-tpm). | | 0x80090035 | Policy requires TPM and the device does not have TPM. | Change the Windows Hello for Business policy to not require a TPM. | | 0x80090036 | User canceled an interactive dialog. | User will be asked to try again. | | 0x801C0003 | User is not authorized to enroll. | Check if the user has permission to perform the operation​. | -| 0x801C000E | Registration quota reached. | Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). | +| 0x801C000E | Registration quota reached. 
| Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](/azure/active-directory/devices/device-management-azure-portal). | | 0x801C000F | Operation successful, but the device requires a reboot. | Reboot the device. | | 0x801C0010 | The AIK certificate is not valid or trusted. | Sign out and then sign in again. | | 0x801C0011 | The attestation statement of the transport key is invalid. | Sign out and then sign in again. | | 0x801C0012 | Discovery request is not in a valid format. | Sign out and then sign in again. | -| 0x801C0015 | The device is required to be joined to an Active Directory domain. | ​Join the device to an Active Directory domain. | -| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. | -| 0x801C0017 | ​The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. | -| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. | +| 0x801C0015 | The device is required to be joined to an Active Directory domain. | Join the device to an Active Directory domain. | +| 0x801C0016 | The federation provider configuration is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the file is not empty. | +| 0x801C0017 | The federation provider domain is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the FPDOMAINNAME element is not empty. | +| 0x801C0018 | The federation provider client configuration URL is empty | Go to http://clientconfig.microsoftonline-p.net/FPURL.xml and verify that the CLIENTCONFIG element contains a valid URL. 
| | 0x801C03E9 | Server response message is invalid | Sign out and then sign in again. | | 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. | | 0x801C03EB | Server response http status is not valid | Sign out and then sign in again. | @@ -53,10 +53,11 @@ If the error occurs again, check the error code against the following table to s | 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed.

                                  -or-

                                  Token was not found in the Authorization header.

                                  -or-

                                  Failed to read one or more objects.

                                  -or-

                                  The request sent to the server was invalid.

                                  -or-

                                  User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
                                  Allow user(s) to join to Azure AD under Azure AD Device settings. | 0x801C03EE | Attestation failed. | Sign out and then sign in again. | | 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. | -| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address. +| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address. | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | +| 0x801C0451 | User token switch account. | Delete the Web Account Manager token broker files located in `%LOCALAPPDATA%\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\AC\TokenBroker\Accounts\*.*\` and reboot.| | 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. 
Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation @@ -72,7 +73,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x80090020 | NTE\_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | | 0x8009002D | NTE\_INTERNAL\_ERROR | -| 0x801C0001 | ​ADRS server response is not in a valid format. | +| 0x801C0001 | ADRS server response is not in a valid format. | | 0x801C0002 | Server failed to authenticate the user. | | 0x801C0006 | Unhandled exception from server. | | 0x801C000B | Redirection is needed and redirected location is not a well known server. | @@ -88,13 +89,3 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. | | 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. | -## Related topics - -- [Windows Hello for Business](hello-identity-verification.md) -- [How Windows Hello for Business works](hello-how-it-works.md) -- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) -- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) -- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) -- [Windows Hello and password changes](hello-and-password-changes.md) -- [Event ID 300 - Windows Hello successfully created](/troubleshoot/windows-client/user-profiles-and-logon/event-id-300-windows-hello-successfully-created-in-windows-10) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md index 1367cb8301..9cd071eac6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md @@ -67,7 +67,7 @@ To configure Windows Hello for Business using an account protection policy: 1. Under **Block Windows Hello for Business**, select **Disabled** and multiple policies become available. - These policies are optional to configure, but it's recommended to configure **Enable to use a Trusted Platform Module (TPM)** to **Yes**. - For more information about these policies, see [MDM policy settings for Windows Hello for Business](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). -1. Under **Enable to certificate for on-premises resources**, select **Disabled** and multiple policies become available. +1. Under **Enable to certificate for on-premises resources**, select **Not configured** 1. Select **Next**. 1. Optionally, add **scope tags** and select **Next**. 1. Assign the policy to a security group that contains as members the devices or users that you want to configure > **Next**. 
@@ -138,7 +138,7 @@ You can configure Windows Hello for Business cloud Kerberos trust using a Group --- > [!IMPORTANT] -> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured** or **disabled**. +> If the **Use certificate for on-premises authentication** policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy **not configured**. ## Provision Windows Hello for Business diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md new file mode 100644 index 0000000000..facc36e2eb --- /dev/null +++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md 
@@ -0,0 +1,66 @@ +--- +title: Change the TPM owner password (Windows) +description: This topic for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.topic: conceptual +ms.date: 04/26/2023 +ms.technology: itpro-security +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 +--- + +# Change the TPM owner password + +This article for the IT professional describes how to change the password or PIN for the owner of the Trusted Platform Module (TPM) that is installed on your system. + +## About the TPM owner password + +Starting with Windows 10, version 1607, Windows doesn't retain the TPM owner password when provisioning the TPM. The password is set to a random high entropy value and then discarded. + +> [!IMPORTANT] +> +> Although the TPM owner password isn't retained starting with Windows 10, version 1607, you can change a default registry key to retain it. However, we strongly recommend that you don't make this change. To retain the TPM owner password, under the registry key of +> +> `HKLM\Software\Policies\Microsoft\TPM` +> +> create a `REG_DWORD` value of `OSManagedAuthLevel` and set it to `4`. +> +> For Windows versions newer than Windows 10 1703, the default value for this key is 5. A value of 5 means: +> +> - **TPM 2.0**: Keep the lockout authorization. +> - **TPM 1.2**: Discard the Full TPM owner authorization and retain only the Delegated authorization. +> +> Unless the registry key value is changed from 5 to 4 before the TPM is provisioned, the owner password isn't saved. + +Only one owner password exists for each TPM. The TPM owner password allows the ability to enable, disable, or clear the TPM without having physical access to the computer, for example, by using the command-line tools remotely. 
The TPM owner password also allows manipulation of the TPM dictionary attack logic. Windows takes ownership of the TPM as part of the provisioning process on each boot. Ownership can change when you share the password or clear your ownership of the TPM so someone else can initialize it. + +Without the owner password, you can still perform all the preceding actions with a physical presence confirmation from UEFI. + +### Other TPM management options + +Instead of changing your owner password, you can also use the following options to manage your TPM: + +- **Clear the TPM** - If you want to invalidate all of the existing keys that have been created since you took ownership of the TPM, you can clear it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). + +- **Turn off the TPM** - With TPM 1.2 and Windows 10, versions 1507 and 1511, you can turn off the TPM. Turn off the TPM if you want to keep all existing keys and data intact and disable the services that are provided by the TPM. For more info, see [Turn off the TPM](initialize-and-configure-ownership-of-the-tpm.md#turn-off-the-tpm). + +## Changing the TPM owner password + +With Windows 10, version 1507 or 1511, if you have opted specifically to preserve the TPM owner password, you can use the saved password to change to a new password. + +To change to a new TPM owner password, in `TPM.msc`, select **Change Owner Password**, and follow the instructions. It prompts to provide the owner password file or to type the password. Then you can create a new password, either automatically or manually, and save the password in a file or as a printout. + +## Use the TPM cmdlets + +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule). 
+ +## Related articles + +- [Trusted Platform Module](trusted-platform-module-top-node.md) diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md new file mode 100644 index 0000000000..24f72081df --- /dev/null +++ b/windows/security/information-protection/tpm/manage-tpm-commands.md 
@@ -0,0 +1,83 @@ +--- +title: Manage TPM commands (Windows) +description: This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. +ms.prod: windows-client +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.topic: conceptual +ms.date: 04/26/2023 +ms.technology: itpro-security +appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 +--- + +# Manage TPM commands + +This article for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users. + +After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands. + +The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group. + +## Block TPM commands by using the Local Group Policy Editor + +1. Open the Local Group Policy Editor (gpedit.msc). If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. + + > [!NOTE] + > + > Administrators with appropriate rights in a domain can configure a Group Policy Object (GPO) that can be applied through Active Directory Domain Services (AD DS). + +1. In the console tree, under **Computer Configuration**, expand **Administrative Templates**, and then expand **System**. + +1. Under **System**, select **Trusted Platform Module Services**. + +1. 
In the details pane, double-click **Configure the list of blocked TPM commands**. + +1. Select **Enabled**, and then select **Show**. + +1. For each command that you want to block, select **Add**, enter the command number, and then select **OK**. + + > [!NOTE] + > + > For a list of commands, see links in the [TPM Specification](https://www.trustedcomputinggroup.org/tpm-main-specification/). + +1. After you have added numbers for each command that you want to block, select **OK** twice. + +1. Close the Local Group Policy Editor. + +## Block or allow TPM commands by using the TPM MMC + +1. Open the TPM MMC (tpm.msc) + +1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. + +1. In the console tree, select **Command Management**. A list of TPM commands is displayed. + +1. In the list, select a command that you want to block or allow. + +1. Under **Actions**, select **Block Selected Command** or **Allow Selected Command** as needed. If **Allow Selected Command** is unavailable, that command is currently blocked by Group Policy. + +## Block new commands + +1. Open the TPM MMC (tpm.msc). + + If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**. + +1. In the console tree, select **Command Management**. A list of TPM commands is displayed. + +1. In the **Action** pane, select **Block New Command**. The **Block New Command** dialog box is displayed. + +1. In the **Command Number** text box, type the number of the new command that you want to block, and then select **OK**. The command number you entered is added to the blocked list. + +## Use the TPM cmdlets + +You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true). 
+ +## Related articles + +- [Trusted Platform Module](trusted-platform-module-top-node.md) diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md new file mode 100644 index 0000000000..d89f660756 --- /dev/null +++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md 
@@ -0,0 +1,90 @@
+---
+title: Manage TPM lockout (Windows)
+description: This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
+ms.prod: windows-client
+author: paolomatarazzo
+ms.author: paoloma
+manager: aaroncz
+ms.topic: conceptual
+ms.date: 04/26/2023
+ms.technology: itpro-security
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
+ - ✅ Windows Server 2022
+ - ✅ Windows Server 2019
+ - ✅ Windows Server 2016
+---
+# Manage TPM lockout
+
+This article for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
+
+## About TPM lockout
+
+The TPM locks itself to prevent tampering or malicious attacks. TPM lockout often lasts for a variable amount of time or until the computer is turned off. While the TPM is in lockout mode, it generally returns an error message when it receives commands that require an authorization value. One exception is that the TPM always allows the owner at least one attempt to reset the TPM lockout when it is in lockout mode.
+
+Windows takes ownership of the TPM ownership upon first boot. By default, Windows doesn't retain the TPM owner password.
+
+In some cases, encryption keys are protected by a TPM by requiring a valid authorization value to access the key. A common example is configuring BitLocker Drive Encryption to use the TPM plus PIN key protector. In this scenario, the user must type the correct PIN during the boot process to access the volume encryption key protected by the TPM. To prevent malicious users or software from discovering authorization values, TPMs implement protection logic. The protection logic is designed to slow or stop responses from the TPM if it detects that an entity might be trying to guess authorization values.
+
+### TPM 1.2
+
+The industry standards from the Trusted Computing Group (TCG) specify that TPM manufacturers must implement some form of protection logic in TPM 1.2 and TPM 2.0 chips. TPM 1.2 devices implement different protection mechanisms and behavior. In general, the TPM chip takes exponentially longer to respond if incorrect authorization values are sent to the TPM. Some TPM chips may not store failed attempts over time. Other TPM chips may store every failed attempt indefinitely. Therefore, some users may experience increasingly longer delays when they mistype an authorization value that is sent to the TPM. These delays can prevent them from using the TPM for a period of time.
+
+### TPM 2.0
+
+TPM 2.0 devices have standardized lockout behavior which Windows configures. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This configuration means that every continuous 10 minutes of powered on operation without an event causes the counter to decrease by 1.
+
+If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner's authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher.
+
+## Reset the TPM lockout by using the TPM MMC
+
+> [!NOTE]
+>
+> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password isn't available in Windows 10 starting with version 1607 and higher.
+
+The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
+
+### Reset the TPM lockout
+
+1. Open the TPM MMC (tpm.msc).
+
+1 In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.
+
+1. Choose one of the following methods to enter the TPM owner password:
+
+ - If you saved your TPM owner password to a `.tpm` file, select **I have the owner password file**, and then type the path to the file, or select **Browse** to navigate to the file location.
+
+ - If you want to manually enter your TPM owner password, select **I want to enter the owner password**, and then type the password in the text box provided.
+
+ > [!NOTE]
+ >
+ > If you enabled BitLocker and your TPM at the same time, and you printed your BitLocker recovery password when you turned on BitLocker, your TPM owner password may have printed with it.
+
+## Use Group Policy to manage TPM lockout settings
+
+The TPM Group Policy settings in the following list are located at:
+
+**Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services**
+
+- [Standard User Lockout Duration](trusted-platform-module-services-group-policy-settings.md#standard-user-lockout-duration)
+
+ This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for TPM commands that require authorization. An authorization failure occurs each time a user sends a command to the TPM and receives an error message that indicates an authorization failure occurred. Authorization failures that are older than the duration you set are ignored. If the number of TPM commands with an authorization failure within the lockout duration equals a threshold, the user is prevented from sending commands to the TPM that require authorization.
+
+- [Standard User Individual Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-individual-lockout-threshold)
+
+ This policy setting allows you to manage the maximum number of authorization failures for the TPM for each user. This value is the maximum number of authorization failures that each user can have before the user isn't allowed to send commands to the TPM that require authorization. If the number of authorization failures equals the duration that is set for the policy setting, the user is prevented from sending commands to the TPM that require authorization.
+
+- [Standard User Total Lockout Threshold](trusted-platform-module-services-group-policy-settings.md#standard-user-total-lockout-threshold)
+
+ This policy setting allows you to manage the maximum number of authorization failures for the TPM for all standard users. If the total number of authorization failures for all users equals the duration that is set for the policy, all users are prevented from sending commands to the TPM that require authorization.
+
+For information about mitigating dictionary attacks that use the lockout settings, see [TPM fundamentals](tpm-fundamentals.md#anti-hammering).
+
+## Use the TPM cmdlets
+
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/).
+
+## Related articles
+
+- [Trusted Platform Module](trusted-platform-module-top-node.md)
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index 98746150c6..ea8fbab15b 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
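Review bot: The second step of the Reset the TPM lockout procedure reads `1 In the **Action** pane, select **Reset TPM Lockout** …` without the list period, so it won't render as a numbered item; it should be `1. In the **Action** pane, select **Reset TPM Lockout** to start the Reset TPM Lockout Wizard.`. The Individual and Total Lockout Threshold descriptions say the user is locked out when the number of authorization failures `equals the duration that is set for the policy`, but these two settings are counts, so `equals the threshold that is set for the policy` is the intended wording (the Lockout Duration entry above them uses duration correctly). `Windows takes ownership of the TPM ownership upon first boot.` repeats the noun; `Windows takes ownership of the TPM upon first boot.` reads cleanly.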
@@ -179,8 +179,7 @@ The most common values: | 28 | Enc-tkt-in-skey | No information. | | 29 | Unused | - | | 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in its renew-till field hasn't passed. The ticket to be renewed is passed in the padata field as part of the authentication header. | -| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | -| ## Table 4. Kerberos encryption types | | | +| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Shouldn't be in use, because postdated tickets aren't supported by KILE. | - **Ticket Encryption Type**: \[Type = HexInt32\]: the cryptographic suite that was used for issued TGS. 
@@ -252,7 +251,7 @@ The table below contains the list of the most common error codes for this event:
 | 0x32 | KRB\_AP\_ERR\_INAPP\_CKSUM | Inappropriate type of checksum in message (checksum may be unsupported) | When KDC receives KRB\_TGS\_REQ message it decrypts it, and after the user-supplied checksum in the Authenticator MUST be verified against the contents of the request, and the message MUST be rejected if the checksums don't match (with an error code of KRB\_AP\_ERR\_MODIFIED) or if the checksum isn't collision-proof (with an error code of KRB\_AP\_ERR\_INAPP\_CKSUM). |
 | 0x33 | KRB\_AP\_PATH\_NOT\_ACCEPTED | Desired path is unreachable | No information. |
 | 0x34 | KRB\_ERR\_RESPONSE\_TOO\_BIG | Too much data | The size of a ticket is too large to be transmitted reliably via UDP. In a Windows environment, this message is purely informational. A computer running a Windows operating system will automatically try TCP if UDP fails. |
-| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
                                  Multiple recent password changes hanven't propagated.
                                  Crypto subsystem error caused by running out of memory.
                                  SPN too long.
                                  SPN has too many parts. |
+| 0x3C | KRB\_ERR\_GENERIC | Generic error | Group membership has overloaded the PAC.
                                  Multiple recent password changes haven't propagated.
                                  Crypto subsystem error caused by running out of memory.
                                  SPN too long.
                                  SPN has too many parts. |
 | 0x3D | KRB\_ERR\_FIELD\_TOOLONG | Field is too long for this implementation | Each request (KRB\_KDC\_REQ) and response (KRB\_KDC\_REP or KRB\_ERROR) sent over the TCP stream is preceded by the length of the request as 4 octets in network byte order. The high bit of the length is reserved for future expansion and MUST currently be set to zero. If a KDC that doesn't understand how to interpret a set high bit of the length encoding receives a request with the high order bit of the length set, it MUST return a KRB-ERROR message with the error KRB\_ERR\_FIELD\_TOOLONG and MUST close the TCP stream. |
 | 0x3E | KDC\_ERR\_CLIENT\_NOT\_TRUSTED | The client trust failed or is not implemented | This typically happens when user’s smart-card certificate is revoked or the root Certification Authority that issued the smart card certificate (in a chain) isn't trusted by the domain controller. |
 | 0x3F | KDC\_ERR\_KDC\_NOT\_TRUSTED | The KDC server trust failed or could not be verified | The trustedCertifiers field contains a list of certification authorities trusted by the client, in the case that the client doesn't possess the KDC's public key certificate. If the KDC has no certificate signed by any of the trustedCertifiers, then it returns an error of type KDC\_ERR\_KDC\_NOT\_TRUSTED. See [RFC1510](https://www.ietf.org/proceedings/50/I-D/cat-kerberos-pk-init-13.txt) for more details. |
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index d40726923d..f0fd6be3e9 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -159,6 +159,16 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f ``` +**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"** +```console +reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f +``` + +**To let memory integrity UI behave normally (Not grayed out)** +```console +reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f +``` + #### For Windows 10 version 1511 and earlier Recommended settings (to enable memory integrity, without UEFI Lock): diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 4f3fd11f90..85a59f77d7 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -628,7 +628,7 @@ For more details, expand each product section.
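Review bot: The two new `reg` commands omit the quotes around the key path that the existing `reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" …` line in the same block uses; for consistency and copy-paste safety write `reg delete "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "WasEnabledBy" /f` and `reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "WasEnabledBy" /t REG_DWORD /d 2 /f`. The two headings describe only the UI effect, so the text should state whether `WasEnabledBy` changes enforcement or only the Settings presentation — presumably enforcement still comes from the `Enabled` and `Locked` values set above, which is worth saying explicitly so a reader does not mistake a grayed-out toggle for a lock. A sentence giving the meaning of the value `2` would also help, since the article otherwise assigns it no meaning.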
  • -## Cryprtographic algorithms +## Cryptographic algorithms The following tables are organized by cryptographic algorithms with their modes, states, and key sizes. For each algorithm implementation (operating system / platform), there is a link to the Cryptographic Algorithm Validation Program (CAVP) issued certificate.\ For more details, expand each algorithm section. @@ -1779,4 +1779,4 @@ SMB3 can be FIPS 140 compliant, if Windows is configured to operate in FIPS 140 [sp-3615]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3615.pdf [sp-3644]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3644.pdf [sp-3651]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3651.pdf -[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf \ No newline at end of file +[sp-3690]: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3690.pdf diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md index 8723d513d2..3c1ed6dcea 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md 
@@ -1,59 +1,57 @@ --- -title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings (Windows) +title: Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings description: A list of all available settings for Microsoft Defender SmartScreen using Group Policy and mobile device management (MDM) settings. ms.prod: windows-client -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 09/28/2020 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.technology: itpro-security ms.topic: reference +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 --- # Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings -**Applies to:** - -- Windows 10 -- Windows 11 Microsoft Defender SmartScreen works with Intune, Group Policy, and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Microsoft Defender SmartScreen, you can show employees a warning page and let them continue to the site, or you can block the site entirely. -See [Windows 10 (and Windows 11) settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. - +See [Windows 10 and Windows 11 settings to protect devices using Intune](/intune/endpoint-protection-windows-10#windows-defender-smartscreen-settings) for the controls you can use in Intune. ## Group Policy settings + SmartScreen uses registry-based Administrative Template policy settings. 
Setting|Supported on|Description| |--- |--- |--- | |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure Windows Defender SmartScreen

    **Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\File Explorer\Configure Windows SmartScreen

    **At least Windows Server 2012, Windows 8 or Windows RT**|This policy setting turns on Microsoft Defender SmartScreen.

    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off. Additionally, when enabling this feature, you must also pick whether Microsoft Defender SmartScreen should Warn your employees or Warn and prevent bypassing the message (effectively blocking the employee from the site).

    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.| -|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

    This setting does not protect against malicious content from USB devices, network shares, or other non-internet sources.

    **Important:** Using a trustworthy browser helps ensure that these protections work as expected.| +|**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|**Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Explorer\Configure App Install Control|This policy setting is intended to prevent malicious content from affecting your user's devices when downloading executable content from the internet.

    This setting doesn't protect against malicious content from USB devices, network shares, or other non-internet sources.

    **Important:** Using a trustworthy browser helps ensure that these protections work as expected.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

    Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

    **Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Configure Windows Defender SmartScreen (Microsoft Edge version 45 and earlier)

    Administrative Templates\Microsoft Edge\SmartScreen settings\Configure Microsoft Defender SmartScreen (Microsoft Edge version 77 or later)

    **Windows 10, Version 1607 and earlier:** Administrative Templates\Windows Components\Microsoft Edge\Configure Windows SmartScreen|Microsoft Edge on Windows 10 or Windows 11|This policy setting turns on Microsoft Defender SmartScreen.

    If you enable this setting, it turns on Microsoft Defender SmartScreen and your employees are unable to turn it off.

    If you disable this setting, it turns off Microsoft Defender SmartScreen and your employees are unable to turn it on.

    If you don't configure this setting, your employees can decide whether to use Microsoft Defender SmartScreen.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

    Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

    **Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for files (Microsoft Edge version 45 and earlier)

    Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (Microsoft Edge version 77 or later)

    **Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for files|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious files.

    If you enable this setting, it stops employees from bypassing the warning, stopping the file download.

    If you disable or don't configure this setting, your employees can bypass the warnings and continue to download potentially malicious files.| |**Windows 10, version 2004:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

    Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

    **Windows 10, version 1703:** Administrative Templates\Windows Components\Windows Defender SmartScreen\Microsoft Edge\Prevent bypassing Windows Defender SmartScreen prompts for sites (Microsoft Edge version 45 and earlier)

    Administrative Templates\Microsoft Edge\SmartScreen settings\Prevent bypassing Microsoft Defender SmartScreen prompts for sites (Microsoft Edge version 77 or later)

    **Windows 10, Version 1511 and 1607:** Administrative Templates\Windows Components\Microsoft Edge\Prevent bypassing Windows SmartScreen prompts for sites|Microsoft Edge on Windows 10, version 1511 or later|This policy setting stops employees from bypassing the Microsoft Defender SmartScreen warnings about potentially malicious sites.

    If you enable this setting, it stops employees from bypassing the warning, stopping them from going to the site.

    If you disable or don't configure this setting, your employees can bypass the warnings and continue to visit a potentially malicious site.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.

    If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the employee.

    If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.| +|Administrative Templates\Windows Components\Internet Explorer\Prevent managing SmartScreen Filter|Internet Explorer 9 or later|This policy setting prevents the employee from managing Microsoft Defender SmartScreen.

    If you enable this policy setting, the employee isn't prompted to turn on Microsoft Defender SmartScreen. All website addresses that aren't on the filter's allowlist are sent automatically to Microsoft without prompting the employee.

    If you disable or don't configure this policy setting, the employee is prompted to decide whether to turn on Microsoft Defender SmartScreen during the first-run experience.| |Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings|Internet Explorer 8 or later|This policy setting determines whether an employee can bypass warnings from Microsoft Defender SmartScreen.

    If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

    If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| -|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users do not commonly download from the Internet.

    If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

    If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| - +|Administrative Templates\Windows Components\Internet Explorer\Prevent bypassing SmartScreen Filter warnings about files that aren't commonly downloaded from the Internet|Internet Explorer 9 or later|This policy setting determines whether the employee can bypass warnings from Microsoft Defender SmartScreen. Microsoft Defender SmartScreen warns the employee about executable files that Internet Explorer users don't commonly download from the Internet.

    If you enable this policy setting, Microsoft Defender SmartScreen warnings block the employee.

    If you disable or don't configure this policy setting, the employee can bypass Microsoft Defender SmartScreen warnings.| ## MDM settings -If you manage your policies using Microsoft Intune, you'll want to use these MDM policy settings. All settings support desktop computers running Windows 10 Pro or Windows 10 Enterprise, enrolled with Microsoft Intune.

    + +If you manage your policies using Microsoft Intune, use these MDM policy settings. All settings support desktop computers running Windows 10/11 Pro or Windows 10/11 Enterprise, enrolled with Microsoft Intune. + For Microsoft Defender SmartScreen Edge MDM policies, see [Policy CSP - Browser](/windows/client-management/mdm/policy-csp-browser). |Setting|Supported versions|Details| |--- |--- |--- | -|AllowSmartScreen|Windows 10|
  • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
  • **Data type.** Integer**Allowed values:**
    • **0 .** Turns off Microsoft Defender SmartScreen in Edge.
    • **1.** Turns on Microsoft Defender SmartScreen in Edge.| -|EnableAppInstallControl|Windows 10, version 1703|
    • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
    • **Data type.** Integer**Allowed values:**
      • **0 .** Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
      • **1.** Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.| -|EnableSmartScreenInShell|Windows 10, version 1703|
      • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
      • **Data type.** Integer**Allowed values:**
        • **0 .** Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
        • **1.** Turns on Microsoft Defender SmartScreen in Windows for app and file execution.| -|PreventOverrideForFilesInShell|Windows 10, version 1703|
        • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
        • **Data type.** Integer**Allowed values:**
          • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
          • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.| -|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|
          • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
          • **Data type.** Integer**Allowed values:**
            • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings.
            • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings.| -|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|
            • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
            • **Data type.** Integer**Allowed values:**
              • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings for files.
              • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings for files.| +|AllowSmartScreen|Windows 10|
              • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/AllowSmartScreen
              • **Data type.** Integer
              • **Allowed values:**
                • **0 .** Turns off Microsoft Defender SmartScreen in Microsoft Edge.
                • **1.** Turns on Microsoft Defender SmartScreen in Microsoft Edge.| +|EnableAppInstallControl|Windows 10, version 1703|
                • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableAppInstallControl
                • **Data type.** Integer
                • **Allowed values:**
                  • **0 .** Turns off Application Installation Control, allowing users to download and install files from anywhere on the web.
                  • **1.** Turns on Application Installation Control, allowing users to install apps from the Microsoft Store only.| +|EnableSmartScreenInShell|Windows 10, version 1703|
                  • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/EnableSmartScreenInShell
                  • **Data type.** Integer
                  • **Allowed values:**
                    • **0 .** Turns off Microsoft Defender SmartScreen in Windows for app and file execution.
                    • **1.** Turns on Microsoft Defender SmartScreen in Windows for app and file execution.| +|PreventOverrideForFilesInShell|Windows 10, version 1703|
                    • **URI full path.** ./Vendor/MSFT/Policy/Config/SmartScreen/PreventOverrideForFilesInShell
                    • **Data type.** Integer
                    • **Allowed values:**
                      • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings and run malicious files.
                      • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings and run malicious files.| +|PreventSmartScreenPromptOverride|Windows 10, Version 1511 and Windows 11|
                      • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartscreenPromptOverride
                      • **Data type.** Integer
                      • **Allowed values:**
                        • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings.
                        • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings.| +|PreventSmartScreenPromptOverrideForFiles|Windows 10, Version 1511 and Windows 11|
                        • **URI full path.** ./Vendor/MSFT/Policy/Config/Browser/PreventSmartScreenPromptOverrideForFiles
                        • **Data type.** Integer
                        • **Allowed values:**
                          • **0 .** Employees can ignore Microsoft Defender SmartScreen warnings for files.
                          • **1.** Employees can't ignore Microsoft Defender SmartScreen warnings for files.| ## Recommended Group Policy and MDM settings for your organization + By default, Microsoft Defender SmartScreen lets employees bypass warnings. Unfortunately, this feature can let employees continue to an unsafe site or to continue to download an unsafe file, even after being warned. Because of this possibility, we strongly recommend that you set up Microsoft Defender SmartScreen to block high-risk interactions instead of providing just a warning. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. @@ -73,10 +71,6 @@ To better help you protect your organization, we recommend turning on and using |SmartScreen/EnableSmartScreenInShell|**1.** Turns on Microsoft Defender SmartScreen in Windows.
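Review bot: The new sentence `All settings support desktop computers running Windows 10/11 Pro or Windows 10/11 Enterprise` disagrees with the Supported versions column of the MDM table, which still reads `Windows 10` for AllowSmartScreen and `Windows 10, version 1703` for the SmartScreen/* rows; either add Windows 11 to those cells or say in the sentence that the minimum version is given per row. In the PreventSmartScreenPromptOverride row the URI ends in `PreventSmartscreenPromptOverride` while the setting name in the same row is `PreventSmartScreenPromptOverride`; the casing should be checked against the linked Policy CSP reference so the path is safe to copy. `ms.date: 09/28/2020` is left unchanged even though the `appliesto` block and several body sentences change in this hunk, so the freshness stamp no longer matches the content.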

                            Requires at least Windows 10, version 1703.| |SmartScreen/PreventOverrideForFilesInShell|**1.** Stops employees from ignoring warning messages about malicious files downloaded from the Internet.

                            Requires at least Windows 10, version 1703.| -## Related topics - -- [Threat protection](../index.md) - -- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md) +## Related articles - [Available Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md index dbb586c517..e7f02d821d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md 
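Review bot: The rewritten Related articles list keeps only the Microsoft Edge policies link and drops `- [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen-overview.md)`, the parent page that this same commit edits; unless the removal is intentional, keep that entry so the settings page still links back to the overview. The table rows above the deletion are context only and the table itself starts outside the hunk.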
@@ -14,34 +14,32 @@ ms.collection: - highpri ms.date: 03/20/2023 ms.topic: article +appliesto: +- ✅ Windows 11 +- ✅ Windows 10 +- ✅ Microsoft Edge --- # Microsoft Defender SmartScreen -**Applies to:** - -- Windows 10 -- Windows 11 -- Microsoft Edge - Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. **Microsoft Defender SmartScreen determines whether a site is potentially malicious by:** -- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution. +- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it shows a warning page to advise caution. - Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. **Microsoft Defender SmartScreen determines whether a downloaded app or app installer is potentially malicious by:** - Checking downloaded files against a list of reported malicious software sites and programs known to be unsafe. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious. -- Checking downloaded files against a list of files that are well known and downloaded by many Windows users. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution. +- Checking downloaded files against a list of files that are well known and downloaded frequently. If the file isn't on that list, Microsoft Defender SmartScreen shows a warning, advising caution. 
## Benefits of Microsoft Defender SmartScreen Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are: - **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user doesn't select or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/). -- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user. +- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users don't see any warnings. 
If there's no reputation, the item is marked as a higher risk and presents a warning to the user. - **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. - **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. - **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). 
@@ -58,32 +56,6 @@ When submitting a file for Microsoft Defender SmartScreen, make sure to select * ![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png) -## Viewing Microsoft Defender SmartScreen anti-phishing events - -> [!NOTE] -> No SmartScreen events are logged when using Microsoft Edge version 77 or later. - -When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)). - -## Viewing Windows event logs for Microsoft Defender SmartScreen - -Microsoft Defender SmartScreen events appear in the Microsoft-Windows-SmartScreen/Debug log, in the Event Viewer. - -Windows event log for SmartScreen is disabled by default, users can use Event Viewer UI to enable the log or use the command line to enable it: - -```console -wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true -``` - -> [!NOTE] -> For information on how to use the Event Viewer, see [Windows Event Viewer](/host-integration-server/core/windows-event-viewer1). - -| EventID | Description | -|---|---| -| 1000 | Application Windows Defender SmartScreen Event | -| 1001 | Uri Windows Defender SmartScreen Event | -| 1002 | User Decision Windows Defender SmartScreen Event | - ## Related articles - [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md index 8597ee9893..aa2ffc3b9d 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md 
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md 
@@ -10,21 +10,19 @@ manager: aaroncz ms.localizationpriority: medium ms.date: 10/07/2022 adobe-target: true -appliesto: - - ✅ Windows 11, version 22H2 +appliesto: +- ✅ Windows 11, version 22H2 ms.topic: conceptual --- -# Enhanced Phishing Protection in Microsoft Defender SmartScreen +# Enhanced Phishing Protection in Microsoft Defender SmartScreen Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways: - -- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account. +Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in these ways: +- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection alerts them. It also prompts them to change their password so attackers can't gain access to their account. - Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password. 
- - Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file. ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen 
@@ -35,13 +33,13 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc - **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them. -- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment. +- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you can see valuable phishing sensors data in the Microsoft 365 Defender Portal. 
This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment. -- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, aren't enabled. +- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled. ## Configure Enhanced Phishing Protection for your organization -Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow the instructions below to configure your devices using either Microsoft Intune, GPO or CSP. +Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP. #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) 
@@ -50,10 +48,9 @@ To configure devices using Microsoft Intune, create a [**Settings catalog** poli |Setting|Description| |---------|---------| |Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
                          • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
                          • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
                          • | -|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| -|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| -|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| - +|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| +|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| +|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| Assign the policy to a security group that contains as members the devices or users that you want to configure. @@ -64,9 +61,9 @@ Enhanced Phishing Protection can be configured using the following Administrativ |Setting|Description| |---------|---------| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
                          • If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
                          • If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
                          • | -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
                          • If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
                          • If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
                          • If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) @@ -83,7 +80,7 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][ ### Recommended settings for your organization -By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. +By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. 
@@ -106,7 +103,7 @@ To better help you protect your organization, we recommend turning on and using |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.| #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) - + |MDM setting|Recommendation| |---------|---------| |ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| @@ -118,10 +115,8 @@ To better help you protect your organization, we recommend turning on and using ## Related articles -- [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md) - [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) - [Threat protection](../index.md) -- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md) - [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference) ------------ diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml index 1e4b1fa586..df9030461f 100644 --- a/windows/security/threat-protection/security-policy-settings/TOC.yml +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml 
@@ -1,22 +1,22 @@ - name: Security policy settings href: security-policy-settings.md - items: + items: - name: Administer security policy settings href: administer-security-policy-settings.md - items: + items: - name: Network List Manager policies href: network-list-manager-policies.md - name: Configure security policy settings href: how-to-configure-security-policy-settings.md - name: Security policy settings reference href: security-policy-settings-reference.md - items: + items: - name: Account Policies href: account-policies.md - items: + items: - name: Password Policy href: password-policy.md - items: + items: - name: Enforce password history href: enforce-password-history.md - name: Maximum password age @@ -31,7 +31,7 @@ href: store-passwords-using-reversible-encryption.md - name: Account Lockout Policy href: account-lockout-policy.md - items: + items: - name: Account lockout duration href: account-lockout-duration.md - name: Account lockout threshold @@ -40,7 +40,7 @@ href: reset-account-lockout-counter-after.md - name: Kerberos Policy href: kerberos-policy.md - items: + items: - name: Enforce user logon restrictions href: enforce-user-logon-restrictions.md - name: Maximum lifetime for service ticket @@ -55,7 +55,7 @@ href: audit-policy.md - name: Security Options href: security-options.md - items: + items: - name: "Accounts: Administrator account status" href: accounts-administrator-account-status.md - name: "Accounts: Block Microsoft accounts" 
@@ -92,6 +92,8 @@ href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md - name: "Domain controller: Allow server operators to schedule tasks" href: domain-controller-allow-server-operators-to-schedule-tasks.md + - name: "Domain controller: LDAP server channel binding token requirements" + href: domain-controller-ldap-server-channel-binding-token-requirements.md - name: "Domain controller: LDAP server signing requirements" href: domain-controller-ldap-server-signing-requirements.md - name: "Domain controller: Refuse machine account password changes" @@ -250,7 +252,7 @@ href: secpol-advanced-security-audit-policy-settings.md - name: User Rights Assignment href: user-rights-assignment.md - items: + items: - name: Access Credential Manager as a trusted caller href: access-credential-manager-as-a-trusted-caller.md - name: Access this computer from the network diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 969423ed4a..713bd9297b 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -44,7 +44,7 @@ It's advisable to set **Account lockout duration** to approximately 15 minutes. ### Location -**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** +**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy** ### Default values diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index ccdce7a3f5..f401dbbe3c 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md 
+++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -89,7 +89,7 @@ The default configuration for the **Bypass traverse checking** setting is to all ### Countermeasure -Organizations that are concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users can't see any folder or file to which they don't have access. For more info about this feature, see [Access-based Enumeration](/previous-versions/windows/it-pro/windows-server-2003/cc784710(v=ws.10)). +Organizations that are concerned about security may want to remove the Everyone group from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users can't see any folder or file to which they don't have access. For more info about this feature, see [Access-based Enumeration](/previous-versions/windows/it-pro/windows-server-2003/cc784710(v=ws.10)). ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md new file mode 100644 index 0000000000..24614ad5c4 --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md 
@@ -0,0 +1,90 @@ +--- +title: Domain controller LDAP server channel binding token requirements +description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server channel binding token requirements security policy setting. +ms.reviewer: waynmc +ms.author: waynmc +ms.prod: windows-client +ms.localizationpriority: medium +author: vinaypamnani-msft +manager: aaroncz +ms.topic: conceptual +ms.date: 04/26/2023 +ms.technology: itpro-security +--- + +# Domain controller: LDAP server channel binding token requirements + +**Applies to**: + +- Windows Server + +This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server channel binding token requirements** security policy setting. + +## Reference + +This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate channel bindings (EPA). + +Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the example of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult. + +- If channel binding is set to Always, LDAP clients who don't support channel bindings will be rejected. 
+- If channel binding is set to when supported, only incorrect channel bindings will be blocked, and clients who don't support channel binding can continue to connect via LDAP over TLS. + +CBT or EPA is used with TLS sessions when a SASL authentication method is used to authenticate the user. SASL means you use NTLM or Kerberos for user authentication. LDAP Simple Bind over TLS doesn't offer channel binding token protection and is therefore not recommended. + +### Possible values + +- **Never**: No channel binding validation is performed. This is the behavior of all servers that haven't been updated. +- **When Supported**: Clients that advertise support for Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections; clients that don't advertise such support and/or don't use TLS/SSL connections aren't impacted. This is an intermediate option that allows for application compatibility. +- **Always**: All clients must provide channel binding information over LDAPS. The server rejects LDAPS authentication requests from clients that don't do so. + +### Best practices + +We recommend that you set **Domain controller: LDAP server channel binding token requirements** to **Always**. Clients that don't support LDAP channel binding will be unable to execute LDAP queries against the domain controllers. + +### Location + +Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options + +### Default values + +The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page. 
+ +| Server type or GPO | Default value | +|--------------------------------------------|---------------| +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined | +| DC Effective Default Settings | None | +| Member Server Effective Default Settings | None | +| Client Computer Effective Default Settings | None | + +## Policy management + +This section describes features and tools that are available to help you manage this policy. + +### Restart requirement + +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. + +## Security considerations + +This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. + +### Vulnerability + +Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Regarding LDAP servers, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult. + +### Countermeasure + +Configure the **Domain controller: LDAP server channel binding token requirements** setting to **Always**. + +### Potential impact + +Client devices that don't support LDAP channel binding can't run LDAP queries against the domain controllers. 
+ +## Related articles + +- [Security Options](security-options.md) +- [LDAP session security settings and requirements after ADV190023 is installed](/troubleshoot/windows-server/identity/ldap-session-security-settings-requirements-adv190023) +- [2020 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)](https://support.microsoft.com/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a) +- [KB4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure](https://support.microsoft.com/topic/kb4034879-use-the-ldapenforcechannelbinding-registry-entry-to-make-ldap-authentication-over-ssl-tls-more-secure-e9ecfa27-5e57-8519-6ba3-d2c06b21812e) diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 97e80da5c2..04b3c1eaac 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -4,10 +4,10 @@ description: Using Windows Defender Application Control (WDAC) supplemental poli ms.prod: windows-client ms.localizationpriority: medium author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 10/30/2019 +ms.date: 04/05/2023 ms.technology: itpro-security ms.topic: how-to --- 
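Review bot: The Default values table in the new page gives the effective default as `None`, which isn't one of the three values the Possible values section defines (Never, When Supported, Always), so a reader can't tell which enforcement level a domain controller actually applies while the policy is Not defined. Since the page itself says Never "is the behavior of all servers that haven't been updated", the three effective-default rows should presumably read `Never`; confirm against the setting's real behavior before changing. The acronyms CBT and EPA are used in the Reference section without expansion — suggest `Channel binding tokens (CBT), also known as Extended Protection for Authentication (EPA), are used with TLS sessions when a SASL authentication method is used` on first use. The Vulnerability paragraph also repeats the Reference paragraph almost verbatim, so one of the two could be reduced to a cross-reference.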
@@ -17,14 +17,13 @@ ms.topic: how-to **Applies to:** - Windows 10 -- Windows 11 > [!NOTE] > Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. For more information, see [Windows Defender Application Control feature availability](feature-availability.md). -You can use Microsoft Intune to deploy and run critical Win32 applications and Windows components that are normally blocked in S mode on their Intune-managed Windows in S mode devices. For example, PowerShell.exe. +You can use Microsoft Intune to deploy and run critical Win32 applications, and Windows components that are normally blocked in S mode, on your Intune-managed Windows 10 in S mode devices. For example, PowerShell.exe. -With Intune, you can configure managed S mode devices using a Windows Defender Application Control supplemental policy that expands the S mode base policy to authorize the apps your organization uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization". +With Intune, you can configure managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps your organization uses. This feature changes the S mode security posture from "Microsoft has verified every app" to "Microsoft or your organization has verified every app". For an overview and brief demo of this feature, see this video: 
@@ -34,13 +33,13 @@ For an overview and brief demo of this feature, see this video: ![Basic diagram of the policy authorization flow.](images/wdac-intune-policy-authorization.png) -The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, before deploying the policy more broadly, assign it to a single test S-mode device to verify expected functioning. +The general steps for expanding the S mode base policy on your Intune-managed Windows 10 in S mode devices are to generate a supplemental policy, sign that policy, upload the signed policy to Intune, and assign it to user or device groups. Because you need access to PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, before deploying the policy more broadly, assign it to a single test Windows 10 in S mode device to verify expected functioning. -1. Generate a supplemental policy with Windows Defender Application Control tooling. +1. Generate a supplemental policy with WDAC tooling. This policy expands the S mode base policy to authorize more applications. Anything authorized by either the S mode base policy or your supplemental policy is allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more. - For more information on creating supplemental policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md). 
For more information on the right type of rules to create for your policy, see [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md). + For more information on creating supplemental policies, see [Deploy multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md). For more information on the right type of rules to create for your policy, see [Deploy WDAC policy rules and file rules](select-types-of-rules-to-create.md). The following instructions are a basic set for creating an S mode supplemental policy: @@ -68,7 +67,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de - Since you're signing your policy, you must authorize the signing certificate you use to sign the policy. Optionally, also authorize one or more extra signers that can be used to sign updates to the policy in the future. The next step in the overall process, **Sign the policy**, describes it in more detail. - To add the signing certificate to the Windows Defender Application Control policy, use [Add-SignerRule](/powershell/module/configci/add-signerrule?view=win10-ps&preserve-view=true). + To add the signing certificate to the WDAC policy, use [Add-SignerRule](/powershell/module/configci/add-signerrule?view=win10-ps&preserve-view=true). ```powershell Add-SignerRule -FilePath -CertificatePath -User -Update 
@@ -82,7 +81,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de 2. Sign the policy. - Supplemental S mode policies must be digitally signed. To sign your policy, use your organization's custom Public Key Infrastructure (PKI). For more information on signing using an internal CA, see [Create a code signing cert for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). + Supplemental S mode policies must be digitally signed. To sign your policy, use your organization's custom Public Key Infrastructure (PKI). For more information on signing using an internal CA, see [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md). > [!TIP] > For more information, see [Azure Code Signing, democratizing trust for developers and consumers](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/azure-code-signing-democratizing-trust-for-developers-and/ba-p/3604669). 
@@ -110,7 +109,7 @@ Your supplemental policy can be used to significantly relax the S mode base poli Instead of authorizing signers external to your organization, Intune has functionality to make it easier to authorize existing applications by using signed catalogs. This feature doesn't require repackaging or access to the source code. It works for apps that may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate. -The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using a custom PKI. To authorize the catalog signing certificate in the supplemental policy, use the **Add-SignerRule** PowerShell cmdlet as shown above in step 1 of the [Policy authorization process](#policy-authorization-process). After that, use the [Standard process for deploying apps through Intune](#standard-process-for-deploying-apps-through-intune) outlined above. For more information on generating catalogs, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). +The basic process is to generate a catalog file for each app using Package Inspector, then sign the catalog files using a custom PKI. To authorize the catalog signing certificate in the supplemental policy, use the **Add-SignerRule** PowerShell cmdlet as shown earlier in step 1 of the [Policy authorization process](#policy-authorization-process). After that, use the [Standard process for deploying apps through Intune](#standard-process-for-deploying-apps-through-intune) outlined earlier. For more information on generating catalogs, see [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md). > [!NOTE] > Every time an app updates, you need to deploy an updated catalog. 
Try to avoid using catalog files for applications that auto-update, and direct users not to update applications on their own. @@ -260,4 +259,4 @@ You can also delete a supplemental policy through Intune. ## Errata -If an S-mode device with a policy authorization token and supplemental policy is rolled back from the 1909 update to the 1903 build, it will not revert to locked-down S mode until the next policy refresh. To achieve an immediate change to a locked-down S mode state, IT Pros should delete any tokens in %SystemRoot%\System32\CI\Tokens\Active. +If a Windows 10 in S mode device with a policy authorization token and supplemental policy is rolled back from the 1909 update to the 1903 build, it will not revert to locked-down S mode until the next policy refresh. To achieve an immediate change to a locked-down S mode state, IT Pros should delete any tokens in %SystemRoot%\System32\CI\Tokens\Active. diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index b3e65b47bf..02d40db723 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -10,11 +10,11 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: vinaypamnani-msft -ms.reviewer: isbrahm +ms.reviewer: jsuther ms.author: vinpa manager: aaroncz ms.technology: itpro-security -ms.date: 12/31/2017 +ms.date: 04/05/2023 ms.topic: article --- 
@@ -22,36 +22,28 @@ ms.topic: article **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and later +- Windows 10 +- Windows 11 +- Windows Server 2016 and later > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](feature-availability.md). The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. -> [!IMPORTANT] -> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. +## COM object configurability in WDAC policy -### COM object configurability in WDAC policy - -Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. +Windows Defender Application Control (WDAC) enforces a built-in allowlist for COM object registration. While this list works for most common application usage scenarios, you may need to allow more COM objects to support the apps used in your organization. You can specify allowed COM objects via their GUID in your WDAC policy as described in this article. > [!NOTE] > To add this functionality to other versions of Windows 10, you can install the following or later updates. 
-- Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://support.microsoft.com/help/4501371/windows-10-update-kb4501371) -- Windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://support.microsoft.com/help/4503288/windows-10-update-kb4503288) -- Windows 10, 1709 June 18, 2019—KB4503281 (OS Build 16299.1237) (https://support.microsoft.com/help/4503281/windows-10-update-kb4503281) -- Windows 10, 1703 June 18, 2019—KB4503289 (OS Build 15063.1897) (https://support.microsoft.com/help/4503289/windows-10-update-kb4503289 -- Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053) (https://support.microsoft.com/help/4503294/windows-10-update-kb4503294) +- [Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592)](https://support.microsoft.com/help/4501371/windows-10-update-kb4501371) +- [Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053)](https://support.microsoft.com/help/4503294/windows-10-update-kb4503294) ### Get COM object GUID -Get GUID of application to allow in one of the following ways: -- Finding a block event in Event Viewer (Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script), and extracting GUID -- Creating an audit policy (using New-CIPolicy –Audit), potentially with a specific provider, and use the info from the block events to get the GUID +You can get the COM application GUID from the 8036 COM object block events in Event Viewer located at **Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script**, and extract the GUID from the event data. ### Author policy setting to allow or deny COM object GUID 
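Review bot: The retained note `To add this functionality to other versions of Windows 10, you can install the following or later updates.` no longer has an antecedent, because the sentence that tied GUID-based COM rules to the Windows 10 1903 update was removed in this hunk; a reader can't tell which versions already have the capability and which need the listed updates. Suggest restoring the version reference in the rewritten paragraph, e.g. `Starting with Windows 10, version 1903, you can specify allowed COM objects via their GUID in your WDAC policy as described in this article.` The update list was also cut from five entries to two (1809 and 1607) with no explanation; if the 1803, 1709 and 1703 entries were dropped because those versions are out of support, one sentence saying so would keep the note from reading as incomplete.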
@@ -72,7 +64,7 @@ One attribute: ### Multiple policy considerations -Similar to executable files, COM objects must pass each policy on the system to be allowed by WDAC. For example, if the COM object under evaluation passes most but not all of your WDAC policies, the COM object will not be allowed. If you are using a combination of base and supplemental policies, the COM object just needs to be allowlisted in either the base policy or one of the supplemental policies. +Similar to executable files, COM objects must pass all enforced WDAC policies on the system to run. For example, if the COM object under evaluation passes most but not all of your WDAC policies, the COM object is blocked. If you're using a combination of base and supplemental policies, the COM object just needs to be allowlisted in either the base policy or one of the supplemental policies. ### Examples @@ -105,9 +97,10 @@ Example 3: Allows a specific COM object to register in PowerShell ``` + ### How to configure settings for the CLSIDs -Here's an example of an error in the Event Viewer (**Application and Service Logs** > **Microsoft** > **Windows** > **AppLocker** > **MSI and Script**): +Here's an example of an error in the Event Viewer found at **Application and Service Logs > Microsoft > Windows > AppLocker > MSI and Script**: > Log Name: Microsoft-Windows-AppLocker/MSI and Script
                            > Source: Microsoft-Windows-AppLocker
                            @@ -156,9 +149,9 @@ To add this CLSID to the existing policy, follow these steps: ```PowerShell PS C:\WINDOWS\system32> Set-CIPolicySetting -FilePath \WDAC_policy.xml -Key "{f8d253d9-89a4-4daa-87b6-1168369f0b21}" -Provider WSH -Value true -ValueName EnterpriseDefinedClsId -ValueType Boolean ``` - - Once the command has been run, you'll find that the following section is added to the policy XML. - + + Once the command has run, find the following section added to the policy XML. + ```XML @@ -167,9 +160,10 @@ To add this CLSID to the existing policy, follow these steps: ``` + ### Default COM Object allowlist -The table below describes the list of COM objects that are inherently trusted in Windows Defender Application Control. Objects in this list don't need to be allowlisted in your WDAC policies. They can be denied by creating explicit deny rules in your WDAC policy. +The table that follows describes the list of COM objects that are inherently trusted in Windows Defender Application Control. Objects in this list don't need to be allowlisted in your WDAC policies. They can be denied by creating explicit deny rules in your WDAC policy. | File Name | CLSID | |--------|-----------| diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md index 935140572c..ff87d17d02 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md 
@@ -20,56 +20,11 @@ ms.topic: article # Guidance on Creating WDAC Deny Policies -With Windows Defender Application Control (WDAC), you can create policies to explicitly deny specific drivers and applications. +With Windows Defender Application Control (WDAC), you can create policies to explicitly deny specific drivers and applications. To create effective Windows Defender Application Control deny policies, you should [understand the order of rule precedence](/windows/security/threat-protection/windows-defender-application-control/operations/known-issues#file-rule-precedence-order) WDAC applies as it evaluates files against the active policies. -In this article we explain: +## Standalone Deny policy -1. File Rule Precedence Order -2. Adding Allow Rules -3. Single Policy Considerations -4. Multiple Policy Considerations -5. Best Practices -6. Tutorial - -## File Rule Precedence Order - -To create effective Windows Defender Application Control deny policies, it's crucial to understand how WDAC parses the policy. The WDAC engine evaluates files against the policy in the following order. - -1. Explicit deny rules - if any explicit deny rule exists for a file, it will not run even if other rules are created to try to allow it. Deny rules can use any [rule level](select-types-of-rules-to-create.md#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend. - -2. Explicit allow rules. - -3. WDAC will then check for the [Managed Installer extended (EA)](configure-authorized-apps-deployed-with-a-managed-installer.md) or the [Intelligent Security Graph (ISG) EA](use-windows-defender-application-control-with-intelligent-security-graph.md) on the file. - -4. Lastly, WDAC will call the Intelligent Security Graph (ISG) to get reputation on file, if the policy has support for the ISG. - -5. 
If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. - -> [!NOTE] -> If your Windows Defender Application Control policy does not have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC will not make a call to the cloud. For more details, see [How does the integration between WDAC and the Intelligent Security Graph work?](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#how-does-wdac-work-with-the-isg). - -## Interaction with Existing Policies - -### Adding Allow Rules - -If this deny policy is the only policy on the device, the following rule(s) need to be added to the policy in addition to the deny/block rules to trust for the driver files outside of the intended blocklisted ones: - -```xml - - - - - - - - - - - - -``` - -If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-option, the following section needs to be added to the policy in addition to the deny/block rules to trust for the driver and user mode files outside of the intended blocklisted ones: +When creating a policy that consists solely of deny rules, you must include "Allow All" rules in both the kernel and user mode sections of the policy in addition to your explicit deny rules. The "Allow All" rules ensure that anything not explicitly denied by your policy is allowed to run. If you fail to add "Allow All" rules to a deny-only policy, then you risk blocking everything. This outcome happens because some code is *explicitly* denied and all other code is *implicitly* denied, because there are no rules to authorize it. 
We recommend using the [AllowAll policy template](/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies) when creating your standalone deny policies. ```xml @@ -77,7 +32,7 @@ If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-o - + 
@@ -94,9 +49,20 @@ If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-o ``` -## Single Policy Considerations +Adding the preceding "Allow All" rules don't affect any other WDAC policies you've deployed that apply an explicit allowlist. To illustrate, consider the following example: -If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules shouldn't be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the [WDAC Wizard](wdac-wizard-merging-policies.md) or using the following PowerShell command: +Policy1 is an allowlist for Windows- and Microsoft-signed applications. + +Policy2 is our new deny policy, which blocks MaliciousApp.exe and also the Windows component binary wmic.exe. It also includes the "Allow All" rules. + +- MaliciousApp.exe is blocked since there's an explicit block rule in Policy2. It's also *implicitly* blocked by Policy1 since there are no allow rules that cover the file in that policy. +- The Windows-signed file wmic.exe is blocked since there's an explicit block rule in Policy2. +- All other Windows- and Microsoft-signed applications are allowed since there's an explicit allow rule in both Policy1 and Policy2 that covers the file. +- All other applications are implicitly denied. For example, ExampleApp.exe, isn't allowed since it's only trusted by Policy2 (due to the Allow All rules) and not Policy1. + +## Mixed Allow and Deny policy considerations + +If the set of deny rules is to be added into an existing policy that includes explicit allow rules, then don't include the preceding "Allow All" rules. Instead, the deny rules should be merged with the existing WDAC policy via the [WDAC Wizard](wdac-wizard-merging-policies.md) or using the following PowerShell command: ```PowerShell $DenyPolicy = 
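Review bot: `Adding the preceding "Allow All" rules don't affect any other WDAC policies` has a subject–verb mismatch, since the subject is the gerund "Adding"; change it to `Adding the preceding "Allow All" rules doesn't affect any other WDAC policies you've deployed that apply an explicit allowlist.` The worked example that follows is otherwise clear, but the stray comma in the last bullet, `For example, ExampleApp.exe, isn't allowed`, separates subject from verb and should be dropped.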
@@ -104,62 +70,45 @@ $ExistingPolicy =
 Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $ExistingPolicy
 ```
-## Multiple Policy Considerations
-
-If you're currently using [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) on a device, there are two options for integrating the blocklist into your policy set.
-
-(Recommended) The first option is to keep the blocklist as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be [allowed by both WDAC policies to run on the device](deploy-multiple-windows-defender-application-control-policies.md#base-and-supplemental-policy-interaction), you'll need to add the Allow All rule(s) to your deny policy. Doing so won't override the set of applications allowed by WDAC illustrated by the following example:
-
-Policy 1 is an allowlist of Windows and Microsoft-signed applications. Policy 2 is our new deny policy, which blocks MaliciousApp.exe with the Allow All rules. MaliciousApp.exe will be blocked since there's an explicit block rule in Policy 2. Windows and Microsoft applications will be allowed since there's an explicit allow rule in Policy 1 and Policy 2 (due to the Allow All rules). All other applications, if not Windows and Microsoft signed, for example, ExampleApp.exe, won't be allowed as this application is only trusted by Policy 2 (due to the Allow All rules) and not Policy 1.
-
-The second option involves merging the blocklist with your existing WDAC policy, regardless if the policy is an allowlist policy and contains allow and/or deny rules.
-
 ## Best Practices
-1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3077 block events](event-id-explanations.md) to ensure only the applications you intended to block are being blocked. 
More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide.md)
+1. **Test first in Audit mode** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3076 audit block events](event-id-explanations.md) to ensure only the applications you intended to block are blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide.md)
-2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be utilized where otherwise impossible. The hash of an application is updated for every new version released by the publisher, which quickly becomes impractical to manage and protect against new threats where the attacker is quickly iterating on the payload. Additionally, WDAC has optimized parsing of hash rules, but devices may see performance impacts at runtime evaluation when policies have tens of thousands or more hash rules.
+2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be used if necessary. Since the hash of a file changes with any change to the file, it's hard to keep up with a hash-based block policy where the attacker can trivially update the file. While WDAC has optimized parsing of hash rules, some devices may see performance impacts at runtime evaluation if policies have tens of thousands or more hash rules. 
-## Creating a Deny Policy Tutorial
+## Creating a Deny policy tutorial
 Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC Wizard](https://webapp-wdac-wizard.azurewebsites.net/). We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash.
-### Software Publisher Based Deny Rule
+### Software Publisher-based deny rule
 ```Powershell
 $DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Fallback SignedVersion,Publisher,Hash -Deny
 ```
-### Software Attributes Based Deny Rule
+### Software attributes-based deny rule
 ```Powershell
 $DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Fallback Hash -Deny
 ```
-### Hash Based Deny Rule
+### Hash-based deny rule
 ```PowerShell
- New-CIPolicyRule -Level Hash -DriverFilePath -Deny
- ```
-
-### Adding Allow All Rules
-
-If necessary, as in the cases listed above, [Allow All Rules](#adding-allow-rules) may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the Allow All xml present on the client system in the WDAC template folder:
-
-```PowerShell
-$DenyPolicy =
-$AllowAllPolicy = $Env:windir + "\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
-Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPolicy
+$DenyRules += New-CIPolicyRule -Level Hash -DriverFilePath -Deny
 ```
-### Deploying the Deny Policy
+### Merge deny rules with AllowAll template policy
-Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:
+After creating your deny rules, you can merge them with the AllowAll template policy:
-1. 
Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM)](deployment/deploy-windows-defender-application-control-policies-using-intune.md)
+```PowerShell
+$DenyPolicy =
+$AllowAllPolicy = $Env:windir + "\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
+Merge-CIPolicy -PolicyPaths $AllowAllPolicy -OutputFilePath $DenyPolicy -Rules $DenyRules
+Set-CiPolicyIdInfo -FilePath $DenyPolicy -PolicyName "My Deny Policy" -ResetPolicyID
+```
-2. Configuration Manager: [Deploy Windows Defender Application Control (WDAC) policies by using Configuration Manager (Windows)](deployment/deploy-wdac-policies-with-memcm.md)
+### Deploy the Deny Policy
-3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)
-
-4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deployment/deploy-windows-defender-application-control-policies-using-group-policy.md)
+You should now have a deny policy prepared to deploy. See the [WDAC Deployment Guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) to deploy your policy to your managed endpoints.
diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
index d8598308cd..1ddb9f84ba 100644
--- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
@@ -9,7 +9,7 @@ ms.reviewer: jogeurte
 ms.author: jogeurte
 ms.manager: jsuther
 manager: aaroncz
-ms.date: 02/02/2023
+ms.date: 04/05/2023
 ms.technology: itpro-security
 ms.topic: article
 ms.localizationpriority: medium 
@@ -31,47 +31,47 @@ ms.localizationpriority: medium
 ## Script enforcement overview
-By default, script enforcement is enabled for all WDAC policies unless the option **11 Disabled:Script Enforcement** is set in the policy. WDAC script enforcement involves a handshake between an enlightened script host, such as PowerShell, and WDAC. The actual enforcement behavior, however, is handled entirely by the script host. Some script hosts, like the Microsoft HTML Application Host (mshta.exe), simply block all code execution if any WDAC UMCI policy is active. Most script hosts first ask WDAC whether a script should be allowed to run based on the WDAC policies currently active. The script host then either blocks, allows, or changes *how* the script is run to best protect the user and the device.
+By default, script enforcement is enabled for all WDAC policies unless the option **11 Disabled:Script Enforcement** is set in the policy. WDAC script enforcement involves a handshake between an enlightened script host, such as PowerShell, and WDAC. However, the script host handles the actual enforcement behavior. Some script hosts, like the Microsoft HTML Application Host (mshta.exe), block all code execution if any WDAC UMCI policy is active. Most script hosts first ask WDAC whether a script should be allowed to run based on the WDAC policies currently active. The script host then either blocks, allows, or changes *how* the script is run to best protect the user and the device.
-Validation for signed scripts is done using the [WinVerifyTrust API](/windows/win32/api/wintrust/nf-wintrust-winverifytrust). To pass validation, the signature root must be present in the trusted root store on the device and be allowed by your WDAC policy. This behavior is different from WDAC validation for executable files, which doesn't require installation of the root certificate. 
+Validation for signed scripts is done using the [WinVerifyTrust API](/windows/win32/api/wintrust/nf-wintrust-winverifytrust). To pass validation, the signature root must be present in the trusted root store on the device and your WDAC policy must allow it. This behavior is different from WDAC validation for executable files, which doesn't require installation of the root certificate.
-WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event will be logged with the answer WDAC returned to the script host. For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log).
+WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event is logged with the answer WDAC returned to the script host. For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log).
 > [!NOTE]
 > When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
 >
-> Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. You should review the information below for each script host and test thoroughly within your environment to ensure the scripts you need to run are working properly.
+> Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. 
You should review the script host specific information in this article and test thoroughly within your environment to ensure the scripts you need to run are working properly.
 ## Enlightened script hosts that are part of Windows
 ### PowerShell
-All PowerShell scripts (.ps1), modules (.psm1), and manifests (.psd1) must be allowed by WDAC policy in order to run with Full Language rights.
+Your WDAC policies must allow all PowerShell scripts (.ps1), modules (.psm1), and manifests (.psd1) for them to run with Full Language rights.
-Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that don't specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load.
+Your WDAC policies must also allow any **dependent modules** that are loaded by an allowed module, and module functions must be exported explicitly by name when WDAC is enforced. Modules that don't specify any exported functions (no export name list) still load but no module functions are accessible. Modules that use wildcards (\*) in their name will fail to load.
-Any PowerShell script that isn't allowed by WDAC policy will still run, but only in Constrained Language Mode.
+Any PowerShell script that isn't allowed by WDAC policy still runs, but only in Constrained Language Mode.
-PowerShell **dot-sourcing** isn't recommended. Instead, scripts should use PowerShell modules to provide common functionality. If a script file that is allowed by WDAC does try to run dot-sourced script files, those script files must also be allowed by the policy.
+PowerShell **dot-sourcing** isn't recommended. Instead, scripts should use PowerShell modules to provide common functionality. 
If an allowed script file does try to run dot-sourced script files, those script files must also pass the policy.
-WDAC will put **interactive PowerShell** into Constrained Language Mode if any WDAC UMCI policy is enforced and *any* active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for *all* policies.
+WDAC puts **interactive PowerShell** into Constrained Language Mode if any WDAC UMCI policy is enforced and *any* active WDAC policy enables script enforcement, even if that policy is in audit mode. To run interactive PowerShell with Full Language rights, you must disable script enforcement for *all* policies.
-For more information on PowerShell language modes, see [About Language Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes).
+For more information, see [About Language Modes](/powershell/module/microsoft.powershell.core/about/about_language_modes) and [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/).
 ### VBscript, cscript, and jscript
-All scripts run using the Windows Based Script Host (wscript.exe) or the Microsoft Console Based Script Host (cscript.exe) must be allowed by the WDAC policy. If not, the script will be blocked.
+Your WDAC policies must allow all scripts run using the Windows Based Script Host (wscript.exe) or the Microsoft Console Based Script Host (cscript.exe). If not, the script is blocked.
 ### Microsoft HTML Application Host (MSHTA) and MSXML
-If any WDAC policy is active that enables script enforcement, even if that policy is in audit mode, all code execution using MSHTA or MSXML will be blocked.
+All code execution using MSHTA or MSXML is blocked if any WDAC policy with script enforcement is active, even if that policy is in audit mode. 
### COM objects
-WDAC additionally enforces a restricted allowlist for COM objects that can be expanded or further restricted by your WDAC policy. COM object enforcement **isn't** affected by option **11 Disabled:Script Enforcement**. For more information on how to allow or deny COM objects, see [Allow COM object registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy).
+WDAC additionally enforces a restricted allowlist for COM objects that your WDAC policy can expand or further restrict. COM object enforcement **isn't** affected by option **11 Disabled:Script Enforcement**. For more information on how to allow or deny COM objects, see [Allow COM object registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy).
 ## Scripts that aren't directly controlled by WDAC
-WDAC doesn't directly control code run via the Windows Command Processor (cmd.exe), including .bat/.cmd script files. However, anything that such a batch script tries to run will be subject to WDAC control. If you don't need to run cmd.exe, it's recommended to block it outright or allow it only by exception based on the calling process. See [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
+WDAC doesn't directly control code run via the Windows Command Processor (cmd.exe), including .bat/.cmd script files. However, anything that such a batch script tries to run is subject to WDAC control. If you don't need to run cmd.exe, it's recommended to block it outright or allow it only by exception based on the calling process. 
See [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
 WDAC doesn't control scripts run through an unenlightened script host, such as many 3rd-party Java or Python engines. If your WDAC policy allows an unenlightened script host to run, then you implicitly allow all scripts run through that host. For non-Microsoft script hosts, you should check with the software vendor whether their script hosts are enlightened to WDAC policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index 644f65163a..abd3fc56ae 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -40,7 +40,7 @@ There may come a time when you want to remove one or more WDAC policies, or remo
 >
 > The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \.
 >
-> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace.
+> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace.
 >
 > You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.*** 
@@ -107,58 +107,53 @@ For **single policy format WDAC policies**, in addition to the two locations abo Then restart the computer. -#### Sample script - -
                            - Expand this section to see a sample script to delete a single WDAC policy +#### Sample script to delete a single WDAC policy ```powershell - # Set PolicyId GUID to the PolicyId from your WDAC policy XML - $PolicyId = "{PolicyId GUID}" +# Set PolicyId GUID to the PolicyId from your WDAC policy XML +$PolicyId = "{PolicyId GUID}" - # Initialize variables - $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" - $SinglePolicyFormatFileName = "\SiPolicy.p7b" - $MountPoint = $env:SystemDrive+"\EFIMount" - $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity" - $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot" - $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip" +# Initialize variables +$SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" +$SinglePolicyFormatFileName = "\SiPolicy.p7b" +$MountPoint = $env:SystemDrive+"\EFIMount" +$SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity" +$EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot" +$MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip" - # Mount the EFI partition - $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] - if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } - mountvol $MountPoint $EFIPartition +# Mount the EFI partition +$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] +if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } +mountvol $MountPoint $EFIPartition - # Check if the PolicyId to be removed is the system reserved GUID for single policy format. 
- # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as - # {GUID}.cip in the CiPolicies\Active subdirectory - if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} - - $Count = 1 - while ($Count -le $NumFilesToDelete) +# Check if the PolicyId to be removed is the system reserved GUID for single policy format. +# If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as +# {GUID}.cip in the CiPolicies\Active subdirectory +if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} + +$Count = 1 +while ($Count -le $NumFilesToDelete) +{ + + # Set the $PolicyPath to the file to be deleted, if exists + Switch ($Count) { - - # Set the $PolicyPath to the file to be deleted, if exists - Switch ($Count) - { - 1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath} - 2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath} - 3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName} - 4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName} - } - - # Delete the policy file from the current $PolicyPath - Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan - if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue} - - $Count = $Count + 1 + 1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName} + 4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName} } - # Dismount the EFI partition - mountvol $MountPoint /D -``` + # Delete the policy file from the current $PolicyPath + Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan + if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue} -
                            + $Count = $Count + 1
+}
+
+# Dismount the EFI partition
+mountvol $MountPoint /D
+```
 > [!NOTE]
 > You must run the script as administrator to remove WDAC policies on your computer.
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
index 04be400ff9..cc7b86329f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md
@@ -13,7 +13,7 @@ author: jsuther1974
 ms.reviewer: jogeurte
 ms.author: vinpa
 manager: aaroncz
-ms.date: 03/24/2023
+ms.date: 05/09/2023
 ms.technology: itpro-security
 ms.topic: article
 --- 
@@ -62,35 +62,35 @@ Represents why verification failed, or if it succeeded.
 | VerificationError Value | Explanation |
 |---|----------|
-| 0 | Successfully verified signature |
-| 1 | File has an invalid hash |
-| 2 | File contains shared writable sections |
-| 3 | File isn't signed|
-| 4 | Revoked signature |
-| 5 | Expired signature |
-| 6 | File is signed using a weak hashing algorithm, which doesn't meet the minimum policy |
-| 7 | Invalid root certificate |
-| 8 | Signature was unable to be validated; generic error |
-| 9 | Signing time not trusted |
-| 10 | The file must be signed using page hashes for this scenario |
-| 11 | Page hash mismatch |
-| 12 | Not valid for a PPL (Protected Process Light) |
-| 13 | Not valid for a PP (Protected Process) |
-| 14 | The signature is missing the required ARM processor EKU |
-| 15 | Failed WHQL check |
-| 16 | Default policy signing level not met |
-| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs |
-| 18 | Custom signing level not met; returned if signature fails to match `CISigners` in UMCI |
-| 19 | Binary is revoked based on its file hash |
-| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy |
-| 21 | Failed to pass Windows Defender Application Control policy |
-| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a non-trustlet binary into a trustlet |
-| 23 | Invalid image hash |
-| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS |
-| 25 | Anti-cheat policy violation |
-| 26 | Explicitly denied by WADC policy |
-| 27 | The signing chain appears to be tampered/invalid |
-| 28 | Resource page hash mismatch |
+| 0 | Successfully verified signature. |
+| 1 | File has an invalid hash. |
+| 2 | File contains shared writable sections. |
+| 3 | File isn't signed. |
+| 4 | Revoked signature. |
+| 5 | Expired signature. 
|
+| 6 | File is signed using a weak hashing algorithm, which doesn't meet the minimum policy. |
+| 7 | Invalid root certificate. |
+| 8 | Signature was unable to be validated; generic error. |
+| 9 | Signing time not trusted. |
+| 10 | The file must be signed using page hashes for this scenario. |
+| 11 | Page hash mismatch. |
+| 12 | Not valid for a PPL (Protected Process Light). |
+| 13 | Not valid for a PP (Protected Process). |
+| 14 | The signature is missing the required ARM processor EKU. |
+| 15 | Failed WHQL check. |
+| 16 | Default policy signing level not met. |
+| 17 | Custom policy signing level not met; returned when signature doesn't validate against an SBCP-defined set of certs. |
+| 18 | Custom signing level not met; returned if signature fails to match `CISigners` in UMCI. |
+| 19 | Binary is revoked based on its file hash. |
+| 20 | SHA1 cert hash's timestamp is missing or after valid cutoff as defined by Weak Crypto Policy. |
+| 21 | Failed to pass Windows Defender Application Control policy. |
+| 22 | Not Isolated User Mode (IUM)) signed; indicates an attempt to load a standard Windows binary into a virtualization-based security (VBS) trustlet. |
+| 23 | Invalid image hash. This error can indicate file corruption or a problem with the file's signature. Signatures using elliptic curve cryptography (ECC), such as ECDSA, return this VerificationError. |
+| 24 | Flight root not allowed; indicates trying to run flight-signed code on production OS. |
+| 25 | Anti-cheat policy violation. |
+| 26 | Explicitly denied by WADC policy. |
+| 27 | The signing chain appears to be tampered/invalid. |
+| 28 | Resource page hash mismatch. |
 ## Policy activation event Options
diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml
index c3ca5cdf0c..4ef7702d87 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/index.yml
+++ b/windows/security/threat-protection/windows-defender-application-control/index.yml
@@ -8,7 +8,7 @@ metadata:
 author: vinaypamnani-msft
 ms.author: vinpa
 manager: aaroncz
- ms.date: 12/07/2022
+ ms.date: 04/05/2023
 # linkListType: overview | how-to-guide | tutorial | video
 landingContent:
 # Cards and links should be based on top customer tasks or top subjects
@@ -108,10 +108,12 @@ landingContent:
 - text: Deployment with group policy
 url: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
 # Card
- - title: Learn how to monitor WDAC events
+ - title: Learn how to troubleshoot and debug WDAC events
 linkLists:
 - linkListType: overview
 links:
+ - text: Debugging and troubleshooting
+ url: operations/wdac-debugging-and-troubleshooting.md
 - text: Understanding event IDs
 url: event-id-explanations.md
 - text: Understanding event Tags
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 68be5afd9a..e8331a7fcf 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
@@ -113,9 +113,7 @@ If you wish to use this blocklist policy on Windows Server 2016, locate the deny The blocklist policy below includes "Allow all" rules for both kernel and user mode that make it safe to deploy as a standalone WDAC policy. On Windows versions 1903 and above, Microsoft recommends converting this policy to multiple policy format using the *Set-CiPolicyIdInfo* cmdlet with the *-ResetPolicyId* switch. Then, you can deploy it as a Base policy side-by-side with any other policies in your environment. To instead add these rules to an existing Base policy, you can merge the policy below using the *Merge-CIPolicy* cmdlet. If merging into an existing policy that includes an explicit allowlist, you should first remove the two "Allow all" rules and their corresponding FileRuleRefs from the sample policy below. -
                            -
                            - Expand this section to see the WDAC policy XML +**WDAC policy XML**: ```xml @@ -183,7 +181,7 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m - + @@ -893,8 +891,8 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m - - + + @@ -1512,8 +1510,6 @@ The blocklist policy below includes "Allow all" rules for both kernel and user m ``` -
-
 ## More information
 - [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 54c82d24ae..161e563a19 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
-ms.collection: 
+ms.collection:
 - highpri
 - tier3
 author: jgeurten 
@@ -61,14 +61,39 @@ Customers who always want the most up-to-date driver blocklist can also use Wind ## Blocking vulnerable drivers using WDAC -Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. +Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events. > [!IMPORTANT] > Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. 
The ASR rule doesn't block a driver already existing on the system from loading, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy will prevent the existing driver from loading. -
                            -
                            - Expand this section to see the blocklist WDAC policy XML +## Steps to download and apply the vulnerable driver blocklist binary + +If you prefer to apply the [vulnerable driver blocklist](#vulnerable-driver-blocklist-xml) exactly as shown, follow these steps: + +1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) +2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList) +3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b +4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity +5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer + +To check that the policy was successfully applied on your computer: + +1. Open Event Viewer +2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational** +3. Select **Filter Current Log...** +4. Replace "<All Event IDs>" with "3099" and select OK. +5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present. + +> [!NOTE] +> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot. + +## Vulnerable driver blocklist XML + +> [!IMPORTANT] +> The policy listed below contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. 
For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). + +> [!NOTE] +> To use this policy with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. ```xml @@ -642,11 +667,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + - + @@ -1079,7 +1104,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1213,7 +1238,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1228,7 +1253,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1238,7 +1263,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1402,7 +1427,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1811,8 +1836,8 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - + + @@ -1837,7 +1862,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1849,7 +1874,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -1894,7 +1919,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -2879,35 +2904,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- ``` -
                            - -> [!NOTE] -> The policy listed above contains **Allow All** rules. If your version of Windows supports WDAC multiple policies, we recommend deploying this policy alongside any existing WDAC policies. If you do plan to merge this policy with another policy, you may need to remove the **Allow All** rules before merging it if the other policy applies an explicit allow list. For more information, see [Create a WDAC Deny Policy](/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy#single-policy-considerations). - -> [!NOTE] -> To use the policy above with Windows Server 2016, you must convert the policy XML on a device running a newer operating system. - -## Steps to download and apply the vulnerable driver blocklist binary - -If you prefer to apply the vulnerable driver blocklist exactly as shown above, follow these steps: - -1. Download the [WDAC policy refresh tool](https://aka.ms/refreshpolicy) -2. Download and extract the [vulnerable driver blocklist binaries](https://aka.ms/VulnerableDriverBlockList) -3. Select either the audit only version or the enforced version and rename the file to SiPolicy.p7b -4. Copy SiPolicy.p7b to %windir%\system32\CodeIntegrity -5. Run the WDAC policy refresh tool you downloaded in Step 1 above to activate and refresh all WDAC policies on your computer - -To check that the policy was successfully applied on your computer: - -1. Open Event Viewer -2. Browse to **Applications and Services Logs - Microsoft - Windows - CodeIntegrity - Operational** -3. Select **Filter Current Log...** -4. Replace "<All Event IDs>" with "3099" and select OK. -5. Look for a 3099 event where the PolicyNameBuffer and PolicyIdBuffer match the Name and Id PolicyInfo settings found at the bottom of the blocklist WDAC Policy XML in this article. NOTE: Your computer may have more than one 3099 event if other WDAC policies are also present. 
- -> [!NOTE] -> If any vulnerable drivers are already running that would be blocked by the policy, you must reboot your computer for those drivers to be blocked. Running processes aren't shutdown when activating a new WDAC policy without reboot. - ## More information - [Merge Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies) diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md index 9c88206c87..7c5b349e1f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands.md @@ -5,7 +5,7 @@ author: valemieux ms.author: jogeurte ms.reviewer: jsuther1974 ms.topic: how-to -ms.date: 12/03/2022 +ms.date: 04/05/2023 ms.custom: template-how-to ms.prod: windows-client ms.technology: itpro-security 
@@ -44,66 +44,66 @@ CiTool makes Windows Defender Application Control (WDAC) policy management easie ## Examples -1. Deploy a WDAC policy +### Deploy a WDAC policy - ```powershell - CiTool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" - ``` +```powershell +CiTool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip" +``` -2. Refresh the WDAC policies on the system +### Refresh the WDAC policies on the system - ```powershell - CiTool --refresh - ``` +```powershell +CiTool --refresh +``` -3. Remove a specific WDAC policy by its policy ID +### Remove a specific WDAC policy by its policy ID - ```powershell - CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" - ``` +```powershell +CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}" +``` -4. List the actively enforced WDAC policies on the system +### List the actively enforced WDAC policies on the system - ```powershell - # Check each policy's IsEnforced state and return only the enforced policies - (CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$_.IsEnforced -eq "True"} | - Select-Object -Property PolicyID,FriendlyName | Format-List - ``` +```powershell +# Check each policy's IsEnforced state and return only the enforced policies +(CiTool -lp -json | ConvertFrom-Json).Policies | Where-Object {$_.IsEnforced -eq "True"} | +Select-Object -Property PolicyID,FriendlyName | Format-List +``` -5. 
Display the help menu +### Display the help menu - ```powershell - CiTool -h +```powershell +CiTool -h - ----------------------------- Policy Commands --------------------------------- - --update-policy /Path/To/Policy/File - Add or update a policy on the current system - aliases: -up - --remove-policy PolicyGUID - Remove a policy indicated by PolicyGUID from the system - aliases: -rp - --list-policies - Dump information about all policies on the system, whether they be active or not - aliases: -lp - ----------------------------- Token Commands --------------------------------- - --add-token Path/To/Token/File <--token-id ID> - Deploy a token onto the current system, with an optional specific ID - If is specified, a pre-existing token with should not exist. - aliases:-at - --remove-token ID - Remove a Token indicated by ID from the system. - aliases: -rt - --list-tokens - Dump information about all tokens on the system - aliases: -lt - ----------------------------- Misc Commands --------------------------------- - --device-id - Dump the Code Integrity Device Id - aliases: -id - --refresh - Attempt to Refresh CI Policies - aliases: -r - --help - Display this message - aliases: -h - ``` +----------------------------- Policy Commands --------------------------------- + --update-policy /Path/To/Policy/File + Add or update a policy on the current system + aliases: -up + --remove-policy PolicyGUID + Remove a policy indicated by PolicyGUID from the system + aliases: -rp + --list-policies + Dump information about all policies on the system, whether they be active or not + aliases: -lp +----------------------------- Token Commands --------------------------------- + --add-token Path/To/Token/File <--token-id ID> + Deploy a token onto the current system, with an optional specific ID + If is specified, a pre-existing token with should not exist. + aliases:-at + --remove-token ID + Remove a Token indicated by ID from the system. 
+ aliases: -rt + --list-tokens + Dump information about all tokens on the system + aliases: -lt +----------------------------- Misc Commands --------------------------------- + --device-id + Dump the Code Integrity Device Id + aliases: -id + --refresh + Attempt to Refresh CI Policies + aliases: -r + --help + Display this message + aliases: -h +``` diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index f2125eb6c8..a9c0d42e86 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -9,7 +9,7 @@ ms.reviewer: jogeurte ms.author: jogeurte ms.manager: jsuther manager: aaroncz -ms.date: 02/02/2023 +ms.date: 05/09/2023 ms.technology: itpro-security ms.topic: article ms.localizationpriority: medium @@ -21,7 +21,7 @@ ms.localizationpriority: medium - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). 
@@ -37,7 +37,7 @@ This article covers tips and tricks for admins and known issues with Windows Def The *\{PolicyId GUID\}* value is unique by policy and defined in the policy XML with the <PolicyId> element. -For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations: +For **single policy format WDAC policies**, in addition to the two preceding locations, also look for a file called SiPolicy.p7b that may be found in the following locations: - <EFI System Partition>\\Microsoft\\Boot\\SiPolicy.p7b - <OS Volume>\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b 
@@ -45,20 +45,46 @@ For **single policy format WDAC policies**, in addition to the two locations abo > [!NOTE] > A multiple policy format WDAC policy using the single policy format GUID `{A244370E-44C9-4C06-B551-F6016E563076}` may exist under any of the policy file locations. +## File Rule Precedence Order + +When the WDAC engine evaluates files against the active set of policies on the device, rules are applied in the following order. Once a file encounters a match, WDAC stops further processing. + +1. Explicit deny rules - if any explicit deny rule exists for the file, it's blocked even if other rules are created to try to allow it. Deny rules can use any [rule level](/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#windows-defender-application-control-file-rule-levels). Use the most specific rule level practical when creating deny rules to avoid blocking more than you intend. + +2. Explicit allow rules - if any explicit allow rule exists for the file, the file runs. + +3. WDAC then checks for the [Managed Installer extended attribute (EA)](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer) or the [Intelligent Security Graph (ISG) EA](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) on the file. If either EA exists and the policy enables the corresponding option, then the file is allowed. + +4. Lastly, WDAC makes a cloud call to the ISG to get reputation about the file, if the policy enables the ISG option. + +5. If no rule exists for the file and it's not allowed based on ISG or MI, then the file is blocked implicitly. 
+ ## Known issues -### Managed Installer and ISG will cause garrulous events +### Boot stop failure (blue screen) occurs if more than 32 policies are active -When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy. +If the maximum number of policies is exceeded, the device may bluescreen referencing ci.dll with a bug check value of 0x0000003b. Consider this maximum policy count limit when planning your WDAC policies. Any [Windows inbox policies](/windows/security/threat-protection/windows-defender-application-control/operations/inbox-wdac-policies) that are active on the device also count towards this limit. + +### Managed Installer and ISG may cause excessive events + +When Managed Installer and ISG are enabled, 3091 and 3092 events are logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy. ### .NET native images may generate false positive block events -In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window. +In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written include error events for native images generated for .NET assemblies. 
Typically, native image blocks are functionally benign as a blocked native image falls back to its corresponding assembly and .NET regenerates the native image at its next scheduled maintenance window. + +### Signatures using elliptical curve cryptography (ECC) aren't supported + +WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. You can authorize the files instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. + +### MSI installers are treated as user writeable on Windows 10 when allowed by FilePath rule + +MSI installer files are always detected as user writeable on Windows 10, and on Windows Server 2022 and earlier. If you need to allow MSI files using FilePath rules, you must set option **18 Disabled:Runtime FilePath Rule Protection** in your WDAC policy. ### MSI Installations launched directly from the internet are blocked by WDAC -Installing .msi files directly from the internet to a computer protected by WDAC will fail. -For example, this command won't work: +Installing .msi files directly from the internet to a computer protected by WDAC fails. +For example, this command fails: ```console msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md index 81ed21b671..190cbc0ca8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/wdac-debugging-and-troubleshooting.md @@ -5,7 +5,7 @@ author: valemieux ms.author: jogeurte ms.reviewer: jsuther1974 ms.topic: how-to -ms.date: 03/23/2023 +ms.date: 04/06/2023 ms.custom: template-how-to ms.prod: windows-client ms.technology: itpro-security 
@@ -255,3 +255,16 @@ To debug issues using ISG, try these steps: - Check that the AppLocker services are running. This information is found in $env:USERPROFILE\AppData\Local\Temp\DiagOutputDir\CiDiag\AppLockerServices.txt created in section 1 of this article. - [Use fsutil.exe](/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer#using-fsutil-to-query-extended-attributes-for-intelligent-security-graph-isg) to verify files have the ISG origin extended attribute. If not, redeploy the files with the managed installer and check again. - Check if the app is encountering a [known limitation with ISG](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#known-limitations-with-using-the-isg). + +## 4 - Report issues to Microsoft, if appropriate + +If after following the guidance covered by this article you believe you've identified a product issue, report the issue to Microsoft. + +- Customers with Microsoft Premier Support should log a service request through normal channels. +- All other customers can report issues directly to the WDAC product team via the Windows [Feedback Hub](feedback-hub:?contextid=790&tabid=2&newFeedback=true). Select the category **Security & Privacy - Application Control** to ensure the issue is properly routed to the WDAC product team. + +When reporting issues, be sure to provide the following information: + +- All [WDAC diagnostic data](#1---gather-wdac-diagnostic-data) described earlier. +- If possible, the blocked file(s). +- Clear instructions to reproduce the problem. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 5984fefcc0..ac8c1073a4 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -13,7 +13,7 @@ author: jgeurten ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz -ms.date: 03/03/2023 +ms.date: 05/09/2023 ms.technology: itpro-security ms.topic: article --- 
@@ -24,30 +24,18 @@ ms.topic: article - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [WDAC feature availability](feature-availability.md). -Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. - -WDAC is used to restrict devices to run only approved apps, while the operating system is hardened against kernel memory attacks using [hypervisor-protected code integrity (HVCI)](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control). +Windows Defender Application Control (WDAC) can control what runs on Windows 10, Windows 11, and Windows Server 2016 and later, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. ## Windows Defender Application Control policy rules -To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy: +To modify the policy rule options of an existing WDAC policy XML, use the [WDAC Policy Wizard](/windows/security/threat-protection/windows-defender-application-control/wdac-wizard) or the [Set-RuleOption](/powershell/module/configci/set-ruleoption) PowerShell cmdlet. 
-- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy, by running the following command: - - `Set-RuleOption -FilePath -Option 0` - - A policy created without the `-UserPEs` option has no rules for user mode code. If you enable UMCI (Option 0) for such a policy, all applications, including critical Windows user session code, are blocked. In audit mode, WDAC simply logs an event, but when enforced, all user mode code is blocked. To create a policy that includes user mode executables (applications), run `New-CIPolicy` with the `-UserPEs` option. - -- To disable UMCI on an existing WDAC policy, delete rule option 0 by running the following command: - - `Set-RuleOption -FilePath -Option 0 -Delete` - -You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether they have supplemental policies. However, option 5 isn't implemented as it's reserved for future work, and option 7 isn't supported. +You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether supplemental policies can set them. Some rule options are reserved for future work or not supported. > [!NOTE] > We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode. 
@@ -58,11 +46,11 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru |------------ | ----------- | ----------- | | **0 Enabled:UMCI** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. | No | | **1 Enabled:Boot Menu Protection** | This option isn't currently supported. | No | -| **2 Required:WHQL** | By default, legacy drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to execute. Enabling this rule requires that every executed driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. | No | +| **2 Required:WHQL** | By default, kernel drivers that aren't Windows Hardware Quality Labs (WHQL) signed are allowed to run. Enabling this rule requires that every driver is WHQL signed and removes legacy driver support. Kernel drivers built for Windows 10 should be WHQL certified. | No | | **3 Enabled:Audit Mode (Default)** | Instructs WDAC to log information about applications, binaries, and scripts that would have been blocked, if the policy was enforced. You can use this option to identify the potential impact of your WDAC policy, and use the audit events to refine the policy before enforcement. To enforce a WDAC policy, delete this option. | No | -| **4 Disabled:Flight Signing** | If enabled, flightroot-signed binaries aren't trusted. This option is useful for organizations that only want to run released binaries, not pre-release Windows builds. | No | +| **4 Disabled:Flight Signing** | If enabled, binaries from Windows Insider builds aren't trusted. This option is useful for organizations that only want to run released binaries, not prerelease Windows builds. | No | | **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. 
| Yes | -| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. | Yes | +| **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and any supplemental policies must also be signed. The certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. Certificates that are trusted for supplemental policies must be identified in the SupplementalPolicySigners section. | Yes | | **7 Allowed:Debug Policy Augmented** | This option isn't currently supported. | Yes | | **8 Required:EV Signers** | This option isn't currently supported. | No | | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No | 
@@ -72,18 +60,21 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes | | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes | | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option causes WDAC to periodically revalidate the reputation for files previously authorized by the ISG.| No | -| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.
                            NOTE: This option is only supported on Windows 10, version 1709 and above.| No | -| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.
                            NOTE: This option is only supported on Windows 10, version 1903 and above. | No | -| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.
                            NOTE: This option is only supported on Windows 10, version 1903 and above. | Yes | -| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.
                            NOTE: This option is only supported on Windows 10, version 1803 and above. | No | -| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No | +| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.
                            NOTE: This option is only supported on Windows 10, version 1709 and later, or Windows Server 2019 and later.| No | +| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.
                            NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | No | +| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator.
                            NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes | +| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries.
                            NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later. | No | +| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No | ## Windows Defender Application Control file rule levels -File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary, or as general as a CA certificate. You specify file rule levels when using WDAC PowerShell cmdlets to create and modify policies. +File rule levels allow administrators to specify the level at which they want to trust their applications. This level of trust could be as granular as the hash of each binary, or as general as a CA certificate. You specify file rule levels when using the WDAC Wizard or WDAC PowerShell cmdlets to create and modify policies. Each file rule level has advantages and disadvantages. Use Table 2 to select the appropriate protection level for your available administrative resources and WDAC deployment scenario. +> [!NOTE] +> WDAC signer-based rules only work with RSA cryptography. ECC algorithms, such as ECDSA, aren't supported. If you try to allow files by signature based on ECC signatures, you'll see VerificationError = 23 on the corresponding 3089 signature information events. Files can be allowed instead by hash or file attribute rules, or using other signer rules if the file is also signed with signatures using RSA. + ### Table 2. Windows Defender Application Control policy - file rule levels | Rule level | Description | 
@@ -94,7 +85,7 @@ Each file rule level has advantages and disadvantages. Use Table 2 to select the | **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. | | **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). | | **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. | -| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. | +| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates typically have shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. 
| | **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root because the scan doesn't resolve the complete certificate chain via the local root stores or with an online check. | | **RootCertificate** | Not supported. | | **WHQL** | Only trusts binaries that have been submitted to Microsoft and signed by the Windows Hardware Qualification Lab (WHQL). This level is primarily for kernel binaries. | @@ -129,7 +120,7 @@ As part of normal operations, they'll eventually install software updates, or pe WDAC has a built-in file rule conflict logic that translates to precedence order. It first processes all explicit deny rules it finds. Then, it processes any explicit allow rules. If no deny or allow rule exists, WDAC checks for a [Managed Installer claim](deployment/deploy-wdac-policies-with-memcm.md) if allowed by the policy. Lastly, WDAC falls back to the [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md) if allowed by the policy. > [!NOTE] -> To make it easier to reason over your WDAC policies, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later. +> To make it easier to reason over your WDAC policies, we recommend maintaining separate ALLOW and DENY policies on Windows versions that support [multiple WDAC policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies). ## More information about filepath rules 
@@ -176,9 +167,6 @@ Without a wildcard, the filepath rule allows only a specific file (ex. `C:\foo\b > [!NOTE] > When authoring WDAC policies with Configuration Manager, there is an option to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, Configuration Manager performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the Configuration Manager policy is reapplied. -> [!NOTE] -> There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules. - ## More information about hashes WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more commonly known [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum, the Certificate Table, and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file's signatures and timestamps are altered, or when a digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated. 
@@ -190,7 +178,7 @@ The Authenticode/PE image hash can be calculated for digitally signed and unsign The PowerShell cmdlet produces an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash. During validation, WDAC selects which hashes are calculated based on how the file is signed and the scenario in which the file is used. For example, if the file is page-hash signed, WDAC validates each page of the file and avoids loading the entire file in memory to calculate the full sha256 authenticode hash. -In the cmdlets, rather than try to predict which hash will be used, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already. +In the cmdlets, rather than try to predict which hash will be used, we precalculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient to changes in how the file is signed since your WDAC policy has more than one hash available for the file already. ### Why does scan create eight hash rules for certain XML files? diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index 75657fc814..7dd82c84a1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 03/01/2018 +ms.date: 04/05/2023 ms.technology: itpro-security ms.topic: article --- 
@@ -33,12 +33,12 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes ## Types of devices -| **Type of device** | **How WDAC relates to this type of device** | +| Type of device | How WDAC relates to this type of device | |------------------------------------|------------------------------------------------------| -| **Lightly managed devices**: Company-owned, but users are free to install software.
                            Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Application Control can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | -| **Fully managed devices**: Allowed software is restricted by IT department.
                            Users can request for more software, or install from a list of applications provided by IT department.
                            Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves more applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
                            WDAC policies are supported by the HVCI service. | -| **Fixed-workload devices**: Perform same tasks every day.
                            Lists of approved applications rarely change.
                            Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Application Control can be deployed fully, and deployment and ongoing administration are relatively straightforward.
                            After Windows Defender Application Control deployment, only approved applications can run. This rule is because of protections offered by WDAC. | -| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, Windows Defender Application Control doesn't apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | +| **Lightly managed devices**: Company-owned, but users are free to install software.
                            Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Application Control can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | +| **Fully managed devices**: Allowed software is restricted by IT department.
                            Users can request for more software, or install from a list of applications provided by IT department.
                            Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves more applications, it updates the WDAC policy and (for unsigned LOB applications) the catalog. | +| **Fixed-workload devices**: Perform same tasks every day.
                            Lists of approved applications rarely change.
                            Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Application Control can be deployed fully, and deployment and ongoing administration are relatively straightforward.
                            After Windows Defender Application Control deployment, only approved applications can run. This rule is because of protections offered by WDAC. | +| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, Windows Defender Application Control doesn't apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | ## An introduction to Lamna Healthcare Company diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 0a270415dc..f5533a24b5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -7,15 +7,17 @@ author: jgeurten ms.reviewer: vinpa ms.author: jogeurte manager: aaroncz -ms.date: 10/11/2021 +ms.date: 04/05/2023 ms.technology: itpro-security ms.topic: article --- # Understanding WDAC Policy Settings -Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using WldpQuerySecurityPolicy.
                            -An example settings section of a Windows Defender Application Control Policy: +Windows Defender Application Control (WDAC) policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, ValueName, and a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using WldpQuerySecurityPolicy. + +An example settings section of a Windows Defender Application Control policy: + ```xml @@ -26,14 +28,16 @@ An example settings section of a Windows Defender Application Control Policy: ``` -### Example Scenario -An application that may want to restrict its capabilities, when used on a system with an active Windows Defender Application Control policy. Application authors can define a WDAC policy, setting their application queries, in order to disable certain features. For example, if Contoso’s Foo Application wants to disable a risky feature, such as macro execution, they can define a WDAC policy setting, and query for it at runtime. Contoso can then instruct IT administrators to configure the setting in their WDAC policy, if they don’t want Foo Application to execute macros on a system with a WDAC policy.
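Review bot: The rewritten opening paragraph says Secure Settings are "local admin tamper-free settings for secure boot enabled systems, with policy signing enabled" but never states the converse, which is what an application author reading this page needs: where the policy is unsigned or Secure Boot is off, the settings are by implication changeable by a local administrator. Suggest a sentence after it such as `If the policy isn't signed, or Secure Boot isn't enabled, a local administrator can modify the policy and its settings, so an application shouldn't treat a queried setting as tamper-proof on such devices.` The hunk begins on the preceding line with the front-matter ms.date change.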
                            +## Example Scenario +An application that may want to restrict its capabilities, when used on a system with an active Windows Defender Application Control policy. Application authors can define a WDAC policy, setting their application queries, in order to disable certain features. For example, if Contoso’s Foo Application wants to disable a risky feature, such as macro execution, they can define a WDAC policy setting, and query for it at runtime. Contoso can then instruct IT administrators to configure the setting in their WDAC policy, if they don’t want Foo Application to execute macros on a system with a WDAC policy. + +## WldpQuerySecurityPolicy -### WldpQuerySecurityPolicy API that queries the secure settings of a Windows Defender Application Control policy. ### Syntax + ``` C++ HRESULT WINAPI WldpQuerySecurityPolicy( _In_ const UNICODE_STRING * Provider, @@ -45,26 +49,30 @@ HRESULT WINAPI WldpQuerySecurityPolicy( ``` ### Parameters + Provider [in] Setting Provider name. #### Key [in] + Key name of the Key-Value pair under Setting Provider "Provider". #### ValueName [in] + The value name of the "Key-Value" pair. #### ValueType [in, out] + Pointer to receive the value type. #### Value [in, out] -Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function will return the required buffer size for Value. + +Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function returns the required buffer size for Value. #### ValueSize [in, out] + On input, it indicates the buffer size of "Value". On successful return, it indicates the size of data written to Value buffer. #### Return Value -This method returns S_OK if successful or a failure code otherwise. -#### Remarks -See [WDAC Policy Settings] for more information on WDAC policy settings. +This method returns S_OK if successful or a failure code otherwise. 
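Review bot: In the Parameters section the Value and ValueSize text still leaves the size-query pattern underspecified: it says a NULL Value makes the function return the required buffer size, but not where that size is delivered (presumably ValueSize, which is marked [in, out]) or which HRESULT a too-small buffer produces, while Return Value only says "S_OK if successful or a failure code otherwise". A caller sizing a buffer from this page needs both, so I'd extend the ValueSize paragraph with `If Value is NULL or the buffer is too small, the call fails with <HRESULT to confirm> and ValueSize receives the required size.` once the real code is checked, and name that code under Return Value. The removed Remarks line pointed at an unresolved link, so dropping it is fine.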
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
index 1cac513952..9290f836ef 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md
@@ -10,10 +10,10 @@ ms.pagetype: security
 ms.localizationpriority: medium
 audience: ITPro
 author: vinaypamnani-msft
-ms.reviewer: isbrahm
+ms.reviewer: jsuther
 ms.author: vinpa
 manager: aaroncz
-ms.date: 09/30/2020
+ms.date: 04/04/2023
 ms.custom: asr
 ms.technology: itpro-security
 ms.topic: article
@@ -45,13 +45,12 @@ Windows Defender Application Control policies apply to the managed computer as a - The [path from which the app or file is launched](select-types-of-rules-to-create.md#more-information-about-filepath-rules) (beginning with Windows 10 version 1903) - The process that launched the app or binary -Prior to Windows 10 version 1709, Windows Defender Application Control was known as configurable code integrity (CCI). WDAC was also one of the features that comprised the now-defunct term "Device Guard." +> [!NOTE] +> WDAC was originally released as part of Device Guard and called configurable code integrity. Device Guard and configurable code integrity are no longer used except to find where to deploy WDAC policy via Group Policy. ### WDAC System Requirements -Windows Defender Application Control (WDAC) policies can be created on any client edition of Windows 10 build 1903+, or Windows 11, or on Windows Server 2016 and above. - -WDAC policies can be applied to devices running any edition of Windows 10, Windows 11, or Windows Server 2016 and above, via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 and Windows 11 Enterprise edition, or Windows Server 2016 and above, but can't deploy policies to devices running non-Enterprise SKUs of Windows 10. +Windows Defender Application Control (WDAC) policies can be created and applied on any client edition of Windows 10 or Windows 11, or on Windows Server 2016 and higher. WDAC policies can be deployed via a Mobile Device Management (MDM) solution, for example, Intune; a management interface such as Configuration Manager; or a script host such as PowerShell. Group Policy can also be used to deploy WDAC policies, but is limited to single-policy format policies that work on Windows Server 2016 and 2019. 
For more information on which individual WDAC features are available on specific WDAC builds, see [WDAC feature availability](feature-availability.md). @@ -61,9 +60,9 @@ AppLocker was introduced with Windows 7, and allows organizations to control whi AppLocker policies can apply to all users on a computer, or to individual users and groups. AppLocker rules can be defined based on: -- Attributes of the codesigning certificate(s) used to sign an app and its binaries -- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file -- The path from which the app or file is launched +- Attributes of the codesigning certificate(s) used to sign an app and its binaries. +- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file. +- The path from which the app or file is launched. ### AppLocker System Requirements @@ -72,7 +71,7 @@ AppLocker policies can be deployed using Group Policy or MDM. ## Choose when to use WDAC or AppLocker -Generally, it's recommended that customers, who are able to implement application control using Windows Defender Application Control rather than AppLocker, do so. WDAC is undergoing continual improvements, and will be getting added support from Microsoft management platforms. Although AppLocker will continue to receive security fixes, it will not undergo new feature improvements. +Generally, it's recommended that customers, who are able to implement application control using Windows Defender Application Control rather than AppLocker, do so. WDAC is undergoing continual improvements, and is getting added support from Microsoft management platforms. Although AppLocker continues to receive security fixes, it isn't getting new feature improvements. However, in some cases, AppLocker may be the more appropriate technology for your organization. AppLocker is best when: 
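Review bot: The new WDAC System Requirements sentence drops the edition caveat the removed text carried (that Group Policy can't deploy WDAC policies to non-Enterprise SKUs of Windows 10) and replaces it only with a single-policy-format limit tied to Windows Server 2016 and 2019, so it now reads as if Group Policy deployment works on any client edition. If the edition restriction still holds, keep it in the sentence, e.g. `Group Policy can also be used to deploy WDAC policies, but is limited to single-policy format policies and to the editions listed in the feature availability table.` If the restriction was removed deliberately, saying so explicitly would stop readers who remember the old text from assuming an omission. The same sentence also drops the old "build 1903+" floor for policy creation; worth confirming that is intentional.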
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 9f5f66cd38..2ba7d43f84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -13,10 +13,10 @@ ms.collection: - highpri - tier3 author: vinaypamnani-msft -ms.reviewer: isbrahm +ms.reviewer: jsuther ms.author: vinpa manager: aaroncz -ms.date: 05/26/2020 +ms.date: 04/06/2023 ms.custom: asr ms.technology: itpro-security ms.topic: article 
@@ -53,7 +53,7 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy). -Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925) for the change to take effect. +Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. 
To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or use [CiTool.exe -r](/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands#refresh-the-wdac-policies-on-the-system) for the change to take effect. | Value | Description | |-------|-------------| @@ -66,7 +66,7 @@ Smart App Control is only available on clean installation of Windows 11 version ### Smart App Control Enforced Blocks -Smart App Control enforces the [Microsoft Recommended Driver Block rules](microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control: +Smart App Control enforces the [Microsoft Recommended Driver Block rules](microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control: - Infdefaultinstall.exe - Microsoft.Build.dll diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 4ff1d859be..e9dc1bb0cc 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: +ms.collection: - highpri - tier2 ms.topic: article 
@@ -30,6 +30,9 @@ A configuration file enables the user to control the following aspects of Window - **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth. - **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox. +> [!NOTE] +> The size of the sandbox window currently isn't configurable. + ## Creating a configuration file To create a configuration file: @@ -50,7 +53,7 @@ To create a configuration file: To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here: ```batch -C:\Temp> MyConfigFile.wsb +C:\Temp> MyConfigFile.wsb ``` ## Keywords, values, and limits @@ -77,6 +80,7 @@ Enables or disables networking in the sandbox. You can disable network access to `value` Supported values: + - *Enable*: Enables networking in the sandbox. - *Disable*: Disables networking in the sandbox. - *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC. @@ -90,12 +94,12 @@ An array of folders, each representing a location on the host machine that will ```xml - - absolute path to the host folder - absolute path to the sandbox folder - value + + absolute path to the host folder + absolute path to the sandbox folder + value - + ... @@ -107,8 +111,7 @@ An array of folders, each representing a location on the host machine that will *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. - -> [!NOTE] +> [!NOTE] > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. ### Logon command 
@@ -133,13 +136,14 @@ Enables or disables audio input to the sandbox. `value` Supported values: + - *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability. - *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting. - *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled. > [!NOTE] > There may be security implications of exposing host audio input to the container. - + ### Video input Enables or disables video input to the sandbox. @@ -147,7 +151,8 @@ Enables or disables video input to the sandbox. `value` Supported values: -- *Enable*: Enables video input in the sandbox. + +- *Enable*: Enables video input in the sandbox. - *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox. - *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox. @@ -161,6 +166,7 @@ Applies more security settings to the sandbox Remote Desktop client, decreasing `value` Supported values: + - *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled. - *Disable*: Runs the sandbox in standard mode without extra security mitigations. - *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode. 
@@ -175,6 +181,7 @@ Enables or disables printer sharing from the host into the sandbox. `value` Supported values: + - *Enable*: Enables sharing of host printers into the sandbox. - *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. - *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled. @@ -186,8 +193,9 @@ Enables or disables sharing of the host clipboard with the sandbox. `value` Supported values: + - *Enable*: Enables sharing of the host clipboard with the sandbox. -- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. +- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. - *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*. ### Memory in MB @@ -199,6 +207,7 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB). If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount. ## Example 1 + The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. ### Downloads.wsb @@ -230,7 +239,7 @@ With the Visual Studio Code installer script already mapped into the sandbox, th ### VSCodeInstall.cmd -Download vscode to `downloads` folder and run from `downloads` folder +Download vscode to `downloads` folder and run from `downloads` folder. ```batch REM Download Visual Studio Code 
@@ -261,3 +270,41 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes ``` + +## Example 3 + +The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users. + +`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file. + +### SwapMouse.ps1 + +Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`. + +```powershell +[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null + +$SwapButtons = Add-Type -MemberDefinition @' +[DllImport("user32.dll")] +public static extern bool SwapMouseButton(bool swap); +'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru + +$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped)) +``` + +### SwapMouse.wsb + +```xml + + + + C:\sandbox + C:\sandbox + True + + + + powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1 + + +``` diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 6e2f83d198..74e81b1a05 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -5,7 +5,7 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: +ms.collection: - highpri - tier2 ms.topic: article 
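Review bot: The SwapMouse.ps1 sample in Example 3 uses `[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")`, which is obsolete; the supported equivalent is `Add-Type -AssemblyName System.Windows.Forms`, which also makes the `| Out-Null` unnecessary. The prose before SwapMouse.wsb should also say why the mapped `C:\sandbox` folder has ReadOnly set to True: the logon command runs the script with `-ExecutionPolicy Bypass`, and the read-only mapping is what keeps software running in the sandbox from altering a script that lives on the host, which is exactly the risk the page's own note about mapped folders describes. Minor: "powershell script" in the section intro should be "PowerShell script".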
@@ -22,6 +22,7 @@ A sandbox is temporary. When it's closed, all the software and files and the sta Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment. Windows Sandbox has the following properties: + - **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD. - **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows. - **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application. @@ -32,13 +33,17 @@ Windows Sandbox has the following properties: > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking). ## Prerequisites - -- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*) -- AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture + +- Windows 10, version 1903 and later, or Windows 11 +- Windows Pro, Enterprise or Education edition +- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture - Virtualization capabilities enabled in BIOS - At least 4 GB of RAM (8 GB recommended) - At least 1 GB of free disk space (SSD recommended) -- At least two CPU cores (four cores with hyperthreading recommended) +- At least two CPU cores (four cores with hyper-threading recommended) + +> [!NOTE] +> Windows Sandbox is currently not supported on Windows Home edition ## Installation 
@@ -59,7 +64,7 @@ Windows Sandbox has the following properties: > [!NOTE] > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command: - > + > > ```powershell > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online > ``` @@ -67,9 +72,10 @@ Windows Sandbox has the following properties: 4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. > [!NOTE] - > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a right-handed mouse, you should apply these settings in Windows Sandbox manually. + > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3). + +## Usage -## Usage 1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window. 2. Run the executable file or installer inside the sandbox. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 5220f9868b..238193ef00 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md 
@@ -75,6 +75,6 @@ There are several ways to get and use security baselines: ## See also -- [Microsoft Security Guidance Blog](/archive/blogs/secguide/) +- [Microsoft Security Baselines Blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) - [Microsoft Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319) - [Security Baseline Policy Analyzer](https://learn-video.azurefd.net/vod/player?show=defrag-tools&ep=174-security-baseline-policy-analyzer-lgpo) diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index e833279c7f..cdfcb018fb 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -59,7 +59,8 @@ "claydetels19", "jborsecnik", "tiburd", - "garycentric" + "garycentric", + "beccarobins" ], "searchScope": ["Windows 10"] }, diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index d696f8b2da..d5d3090339 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -8,7 +8,7 @@ author: mestew ms.localizationpriority: medium ms.topic: conceptual ms.technology: itpro-fundamentals -ms.date: 12/31/2017 +ms.date: 04/05/2023 --- # What's new in Windows 10 Enterprise LTSC 2019 
@@ -35,7 +35,8 @@ The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC use ## Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. However, Windows 10 update rings device profiles don't support LTSC releases. For installing software updates, use the [policy configuration service provider (CSP)](/windows/client-management/mdm/policy-csp-update), Windows Server Update Services (WSUS), or Microsoft Configuration Manager. +Microsoft Intune supports Windows 10 Enterprise LTSC 2019 with the following exception: +- [Update rings](/mem/intune/protect/windows-10-update-rings) can't be used for feature updates since Windows 10 LTSC versions don't receive feature updates. Update rings can be used for quality updates for Windows 10 Enterprise LTSC 2019 clients. ## Security 
@@ -200,7 +201,7 @@ Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joi - Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off. -- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- You can set up Windows Hello from lock screen for Microsoft accounts. We've made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. - New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync) for secondary account SSO for a particular identity provider. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index c766c7f2af..79dff6896a 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md 
@@ -8,15 +8,15 @@ author: mestew ms.localizationpriority: high ms.topic: conceptual ms.technology: itpro-fundamentals -ms.date: 12/31/2017 +ms.date: 04/05/2023 --- # What's new in Windows 10 Enterprise LTSC 2021 **Applies to** -- Windows 10 Enterprise LTSC 2021 +- Windows 10 Enterprise LTSC 2021 -This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). +This article lists new and updated features and content that is of interest to IT Pros for Windows 10 Enterprise LTSC 2021, compared to Windows 10 Enterprise LTSC 2019 (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). > [!NOTE] > Features in Windows 10 Enterprise LTSC 2021 are equivalent to Windows 10, version 21H2.
                            
@@ -75,11 +75,11 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( ### Virus and threat protection -[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) – IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL’s and IP addresses. -[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) – Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. - - Integrity enforcement capabilities – Enable remote runtime attestation of Windows 10 platform. - - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities – Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. -[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) – In addition to Windows 10, Microsoft Defender for Endpoint’s functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. +[Attack surface area reduction](/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction) - IT admins can configure devices with advanced web protection that enables them to define allowlists and blocklists for specific URL's and IP addresses. 
+[Next generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10) - Controls have been extended to protection from ransomware, credential misuse, and attacks that are transmitted through removable storage. + - Integrity enforcement capabilities - Enable remote runtime attestation of Windows 10 platform. + - [Tamper-proofing](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection) capabilities - Uses virtualization-based security to isolate critical Microsoft Defender for Endpoint security capabilities away from the OS and attackers. +[Platform support](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) - In addition to Windows 10, Microsoft Defender for Endpoint's functionality has been extended to support Windows 7 and Windows 8.1 clients, as well as macOS, Linux, and Windows Server with both its Endpoint Detection (EDR) and Endpoint Protection Platform (EPP) capabilities. **Advanced machine learning**: Improved with advanced machine learning and AI models that enable it to protect against apex attackers using innovative vulnerability exploit techniques, tools and malware. 
@@ -104,7 +104,7 @@ Windows Defender Firewall also now supports [Windows Subsystem for Linux (WSL)]( [Microsoft Defender Application Guard](/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview) enhancements include: - Standalone users can install and configure their Windows Defender Application Guard settings without needing to change registry key settings. Enterprise users can check their settings to see what their administrators have configured for their machines to better understand the behavior. - - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard’s browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. + - Application Guard is now an extension in Google Chrome and Mozilla Firefox. Many users are in a hybrid browser environment, and would like to extend Application Guard's browser isolation technology beyond Microsoft Edge. In the latest release, users can install the Application Guard extension in their Chrome or Firefox browsers. This extension will redirect untrusted navigation to the Application Guard Edge browser. There's also a companion app to enable this feature in the Microsoft Store. Users can quickly launch Application Guard from their desktop using this app. This feature is also available in Windows 10, version 1803 or later with the latest updates. To try this extension: 1. Configure Application Guard policies on your device. 
@@ -128,7 +128,7 @@ Application Guard performance is improved with optimized document opening times: [Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added many new features that light up key scenarios and provide feature parity with AppLocker. - - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy. + - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new 'supplemental' policy. - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that aren't user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for unknown admins. 
If a file is found to be user writeable, the executable is blocked from running unless it's authorized by something other than a path rule like a signer or hash rule.
                            This functionality brings WDAC to parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that isn't available with AppLocker. - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where more COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. @@ -170,7 +170,8 @@ An in-place upgrade wizard is available in Configuration Manager. For more infor #### Microsoft Intune -Microsoft Intune supports Windows 10 Enterprise LTSC 2021, except for [Windows Update Rings](/mem/intune/configuration/device-profile-create#create-the-profile) in device profiles. +Microsoft Intune supports Windows 10 Enterprise LTSC 2021 with the following exception: +- [Update rings](/mem/intune/protect/windows-10-update-rings) can't be used for feature updates since Windows 10 LTSC versions don't receive feature updates. Update rings can be used for quality updates for Windows 10 Enterprise LTSC 2021 clients. A new Intune remote action: **Collect diagnostics**, lets you collect the logs from corporate devices without interrupting or waiting for the end user. For more information, see [Collect diagnostics remote action](/mem/intune/fundamentals/whats-new#collect-diagnostics-remote-action). diff --git a/windows/whats-new/removed-features.md b/windows/whats-new/removed-features.md index 06f89c6fff..0cfa8fb10e 100644 
--- a/windows/whats-new/removed-features.md +++ b/windows/whats-new/removed-features.md @@ -40,6 +40,7 @@ The following features and functionalities have been removed from the installed |Feature | Details and mitigation | Support removed | | ----------- | --------------------- | ------ | +| Update Compliance | Update Compliance, a cloud-based service for the Windows client, is retired. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | March 31, 2023 | | Store uploader tool | Support has been removed for the store uploader tool. This tool is included in the Windows SDK only. The endpoint for the tool has been removed from service and the files will be removed from the SDK in the next release. | November, 2022 | | Internet Explorer 11 | The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10. You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite). The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11). | June 15, 2022 | | XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 |