From 2889b7d39ddb0ab321bb3126f5fed3571b1785dd Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 10 Jan 2021 18:06:34 +0500 Subject: [PATCH 01/22] Update demonstrate-deployment-on-vm.md --- .../windows-autopilot/demonstrate-deployment-on-vm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 4753557b61..17d87f0e10 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -47,7 +47,7 @@ These are the things you'll need to complete this lab: -
Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
+An account with Azure AD Premium licenseThis guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab. ## Procedures From 6df567d30766537d2fad246c284da9af7bdc9f84 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 14 Jan 2021 22:32:22 +0500 Subject: [PATCH 02/22] Removal of Note As Gen 2 VMs are now available in Azure, the Credential guard feature is made available. So removing this note. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8938 --- .../credential-guard/credential-guard-manage.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 1d0b90717a..d09a59f416 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -262,10 +262,6 @@ To disable Windows Defender Credential Guard, you can use the following set of p >bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS >bcdedit /set vsmlaunchtype off >``` - -> [!NOTE] -> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs. - For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity ). From 832863f12564b92d279f679d8869eb8e72a83369 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 15 Jan 2021 10:53:57 +0500 Subject: [PATCH 03/22] Update windows/security/identity-protection/credential-guard/credential-guard-manage.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index d09a59f416..0a55fcfb87 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -262,6 +262,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p >bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS >bcdedit /set vsmlaunchtype off >``` + For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity ). @@ -289,4 +290,3 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` - From 7b35767f69fd74cab0a59944c9cb5226fd429ea2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 15 Jan 2021 10:58:32 +0500 Subject: [PATCH 04/22] Update in note section As suggested, I have updated the note section to reflect the correct information. --- .../credential-guard/credential-guard-manage.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 0a55fcfb87..a517440ce8 100644 
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -263,8 +263,10 @@ To disable Windows Defender Credential Guard, you can use the following set of p >bcdedit /set vsmlaunchtype off >``` -For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity -). +For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity). + +> [!Note] +> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. From edaa9bb008562633f237ecc061efdb9af7d723c6 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 15 Jan 2021 12:15:18 +0500 Subject: [PATCH 05/22] Update windows/security/identity-protection/credential-guard/credential-guard-manage.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../credential-guard/credential-guard-manage.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index a517440ce8..4b7317b63f 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
@@ -265,7 +265,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity). -> [!Note] +> [!NOTE] > Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only. @@ -291,4 +291,3 @@ From the host, you can disable Windows Defender Credential Guard for a virtual m Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` - From 6490bb57ca76baa0dfc5b1cf15d4a581504ed9c0 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Fri, 26 Feb 2021 13:12:02 +0200 Subject: [PATCH 06/22] add note about enabling Sandbox using Powershell https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9098 --- .../windows-sandbox/windows-sandbox-overview.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index 81f95a98be..f64548bb5f 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md 
@@ -53,6 +53,10 @@ The following video provides an overview of Windows Sandbox. 1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. - If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2. + +>[!NOTE] +> To enable Sandbox using Powershell, open Powershell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online** + 1. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. ## Usage From 986550052a720f47092a28fd51c8ca11ad8a1dd5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 28 Feb 2021 21:49:18 +0500 Subject: [PATCH 07/22] Update active-directory-security-groups.md --- .../access-control/active-directory-security-groups.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md index e408ad9ba8..76ef2c7179 100644 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md @@ -1853,7 +1853,7 @@ The Enterprise Key Admins group was introduced in Windows Server 2016. | Default container | CN=Users, DC=<domain>, DC= | | Default members | None | | Default member of | None | -| Protected by ADMINSDHOLDER? | No | +| Protected by ADMINSDHOLDER? | Yes | | Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | 
@@ -2331,7 +2331,7 @@ The Key Admins group applies to versions of the Windows Server operating system | Default container | CN=Users, DC=<domain>, DC= | | Default members | None | | Default member of | None | -| Protected by ADMINSDHOLDER? | No | +| Protected by ADMINSDHOLDER? | Yes | | Safe to move out of default container? | Yes | | Safe to delegate management of this group to non-Service admins? | No | | Default User Rights | None | From ccc262199ac3b8ee10e2fc2412b9229affeddd02 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 28 Feb 2021 22:32:52 +0500 Subject: [PATCH 08/22] Minor Modification in Note Section I have made a minor modifications in the note section so that it can reflect the correct information. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9070 --- .../client-management/mdm/policy-csp-controlpolicyconflict.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 2cde160250..2ad708eb51 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
@@ -77,7 +77,7 @@ manager: dansimp Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable, not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other CSPs. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. From 9d9ddaa541b5c29ff2e60acb1b7f58e52bc02486 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 28 Feb 2021 22:55:22 +0500 Subject: [PATCH 09/22] Added another cause of boot failure If there is a blank GPT entry, the boot partition will not work. Added this info. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9145 --- .../client-management/troubleshoot-inaccessible-boot-device.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index bdb67e2528..ceefb0fe5e 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md 
@@ -37,6 +37,8 @@ Any one of the following factors might cause the stop error: * Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) +* If there is a blank GPT entry before the entry of the boot partition. + ## Troubleshoot this error Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps. From 162615d8464f280b903126f194f7fa2b93ba2a7a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 28 Feb 2021 23:03:11 +0500 Subject: [PATCH 10/22] Update windows/client-management/mdm/policy-csp-controlpolicyconflict.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../client-management/mdm/policy-csp-controlpolicyconflict.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 2ad708eb51..dc4e1091e9 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
@@ -77,7 +77,7 @@ manager: dansimp Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable, not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other CSPs. +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable, not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. @@ -128,4 +128,3 @@ Footnotes: - 8 - Available in Windows 10, version 2004. - From cb68de8b985e65faa8913cb889f5e61ae7b1365e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 28 Feb 2021 23:29:07 +0500 Subject: [PATCH 11/22] Update windows/client-management/troubleshoot-inaccessible-boot-device.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../client-management/troubleshoot-inaccessible-boot-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index ceefb0fe5e..c56106854e 100644 
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -37,7 +37,7 @@ Any one of the following factors might cause the stop error: * Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) -* If there is a blank GPT entry before the entry of the boot partition. +* If there is a blank GPT entry before the entry of the **Boot** partition. ## Troubleshoot this error From 2d2969a93faf1bcd5f9dd53c3405fb08dcb092b8 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 1 Mar 2021 12:23:03 +0500 Subject: [PATCH 12/22] Update windows/client-management/troubleshoot-inaccessible-boot-device.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../troubleshoot-inaccessible-boot-device.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index c56106854e..5a4572c445 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md 
@@ -35,9 +35,9 @@ Any one of the following factors might cause the stop error: * In unusual cases, the failure of the TrustedInstaller service to commit newly installed updates is because of component-based store corruptions -* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) +* Corrupted files in the **Boot** partition (for example, corruption in the volume that's labeled **SYSTEM** when you run the `diskpart` > `list vol` command) -* If there is a blank GPT entry before the entry of the **Boot** partition. +* If there is a blank GPT entry before the entry of the **Boot** partition ## Troubleshoot this error From a1afbcf7b9f3024aea6993c6b1a112e8bee52574 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 1 Mar 2021 12:28:54 +0500 Subject: [PATCH 13/22] Update windows/client-management/mdm/policy-csp-controlpolicyconflict.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../client-management/mdm/policy-csp-controlpolicyconflict.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index dc4e1091e9..29c6354afe 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
@@ -77,7 +77,7 @@ manager: dansimp Added in Windows 10, version 1803. This policy allows the IT admin to control which policy will be used whenever both the MDM policy and its equivalent Group Policy (GP) are set on the device. > [!NOTE] -> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable, not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. +> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. From 5440bfaaccdfd1f1e9dae94396d8157bc922678f Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 1 Mar 2021 12:29:06 +0500 Subject: [PATCH 14/22] Update windows/client-management/mdm/policy-csp-controlpolicyconflict.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../client-management/mdm/policy-csp-controlpolicyconflict.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 29c6354afe..0bbc670a2b 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md 
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -79,7 +79,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh > [!NOTE] > MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs. -This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. +This policy is used to ensure that MDM policy wins over GP when the policy is configured on the MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set to 1. Note: This policy doesn’t support the Delete command and doesn’t support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1. The following list shows the supported values: From 37c71692ba519f94970235215cad1151b91cc031 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 1 Mar 2021 10:27:52 +0200 Subject: [PATCH 15/22] Update windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../windows-sandbox/windows-sandbox-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index f64548bb5f..e27f3c108c 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md 
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md @@ -54,8 +54,8 @@ The following video provides an overview of Windows Sandbox. - If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2. ->[!NOTE] -> To enable Sandbox using Powershell, open Powershell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online** +> [!NOTE] +> To enable Sandbox using PowerShell, open PowerShell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online**. 1. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. From ab042f611c03a632f3772cd13a35b47a30fc3acb Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 1 Mar 2021 11:56:10 -0800 Subject: [PATCH 16/22] Update policy-csp-controlpolicyconflict.md --- .../client-management/mdm/policy-csp-controlpolicyconflict.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 0bbc670a2b..861d895848 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -5,9 +5,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 09/27/2019 ms.reviewer: manager: dansimp --- From d5efb4bf65a5802186c374a76fd0e31dd7271a09 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 7 Mar 2021 21:34:52 +0500 Subject: [PATCH 17/22] Modification in Note Section As mentioned in other GCC or DoD documentation, it states that GCC or DoD is only available using volume licensing. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9213 --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 8ea91fd4cc..141efb336f 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -91,7 +91,7 @@ The following figure illustrates how deploying Windows 10 has evolved with each > The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). > [!NOTE] -> Currently, Subscription Activation is only available on commercial tenants and is not currently available on US GCC or GCC High tenants. +> Currently, Subscription Activation is only available on commercial tenants and is not currently available on US GCC,GCC High or, DoD tenants. For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: From 19d744c8e3755c4143b0fad884d887efc478a23f Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 7 Mar 2021 21:56:14 +0500 Subject: [PATCH 18/22] Update windows/deployment/windows-10-subscription-activation.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 141efb336f..1f059a990a 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -91,7 +91,7 @@ The following figure illustrates how deploying Windows 10 has evolved with each > The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). > [!NOTE] -> Currently, Subscription Activation is only available on commercial tenants and is not currently available on US GCC,GCC High or, DoD tenants. +> Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: From 10c60a85720541bf64dfa0bf6385a5175503b36f Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 9 Mar 2021 14:58:55 +0500 Subject: [PATCH 19/22] Update instruction The document was showing max inactivity time in seconds but in actual it is in minutes. Made the necessary changes. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9266#issuecomment-793088819 --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index b106637736..f68a71f820 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -677,7 +677,7 @@ The following list shows the supported values: -Specifies the maximum amount of time (in seconds) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. +Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. * On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. * On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy. From 430e50e77096dacfd9937dcd441b97b5b8a4b371 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 10 Mar 2021 16:44:06 +0500 Subject: [PATCH 20/22] Update windows-10-subscription-activation.md --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 8ea91fd4cc..c572e5062e 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -215,7 +215,7 @@ If you’re running Windows 7, it can be more work.  A wipe-and-load approach w The following policies apply to acquisition and renewal of licenses on devices: - Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. - If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. +- Up to five devices can be upgraded for each user license. If user license is used for the sixth device, the operating system on the computer to which user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education. - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. From 0fa5456cb0becb620bd71b2fa11ab3f2e3c243ef Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 14 Mar 2021 10:41:54 +0500 Subject: [PATCH 21/22] Update windows/deployment/windows-10-subscription-activation.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index c572e5062e..7a4fd93ef5 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -215,7 +215,7 @@ If you’re running Windows 7, it can be more work.  A wipe-and-load approach w The following policies apply to acquisition and renewal of licenses on devices: - Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. - If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. If user license is used for the sixth device, the operating system on the computer to which user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education. +- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education. - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. From 80adb60e9461a88789370aa680d995637890d23a Mon Sep 17 00:00:00 2001 
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Thu, 18 Mar 2021 20:33:06 -0700 Subject: [PATCH 22/22] Update windowsdefenderapplicationguard-csp.md Added clarification for implications of GP on uploads --- .../mdm/windowsdefenderapplicationguard-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 9c6de75b46..468313fb87 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md 
@@ -196,14 +196,14 @@ ADMX Info: **Settings/SaveFilesToHost** -Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. +Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. This also enables users to elect files on the host operating system and upload it through Edge in the container. Value type is integer. Supported operations are Add, Get, Replace, and Delete. This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode. The following list shows the supported values: -- 0 (default) - The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0). +- 0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy is not configured, it is the same as disabled (0). - 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
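Review bot: In PATCH 19/22 (policy-csp-devicelock.md, hunk at -677), the unit changes from "(in seconds)" to "(in minutes)" in the description only, and nothing in the changed text tells an administrator who set this policy from the earlier wording that the number is taken as minutes, as the commit message states. A value that was chosen as a count of seconds then leaves the device idle and unlocked for far longer than intended before the PIN or password lock applies. Suggest a short sentence after the changed one saying that values configured from the earlier wording should be re-checked, and confirming that the rest of this setting's description, including the supported values list named in the hunk header, uses the same unit.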
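Review bot: In PATCH 20/22 (windows-10-subscription-activation.md, hunk at -215), the sentence added to the "Up to five devices" bullet drops its articles: "If user license is used for the sixth device" and "to which user has not logged in the longest". Suggest "If the user license is used for a sixth device" and "to which the user has not logged in". PATCH 21/22 rewrites this same line one step later, so the two commits could be squashed into one.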
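Review bot: In PATCH 21/22 (windows-10-subscription-activation.md, hunk at -215), the reworded bullet says "to which a user has not logged in the longest", which reads as any user of the device rather than the holder of the license the bullet is about; "the user" is what the sentence needs. The bullet also uses "computer" and "logged in" where the neighbouring bullets in the same list use "device" and "signs in". Suggest "the operating system on the device that the user has not signed in to for the longest time will revert to Windows 10 Pro or Windows 10 Pro Education".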
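Review bot: In PATCH 22/22 (windowsdefenderapplicationguard-csp.md, hunk at -196), the description of value 0 now covers uploads from the host to Edge in the container, but the unchanged line for value 1 still reads only "allow users to download files from Edge in the container to the host file system". An administrator reading the value list would not learn that setting 1 also opens the host-to-container upload path, which is the implication the commit message says it is clarifying. Suggest extending the value 1 line to mention uploads as well. In the first changed line, "elect files on the host operating system and upload it" should be "select files ... and upload them", the pre-existing "persist files them from container" is carried into the new line unfixed, and the value 0 line needs "the" in "from host file system".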