deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into stevedia-P2

Browse Source
This commit is contained in:
Meghan Stewart 2023-07-24 13:19:48 -07:00
commit 7d73db459e
451 changed files with 22819 additions and 23673 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43843
.openpublishing.redirection.json
View File

File diff suppressed because it is too large Load Diff

44
education/includes/education-content-updates.md
View File

@ -2,6 +2,41 @@
## Week of July 10, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 7/14/2023 | [Microsoft 365 Education Documentation](/education/index) | modified |
| 7/14/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 7/14/2023 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 7/14/2023 | [Configure federation between Google Workspace and Azure AD](/education/windows/configure-aad-google-trust) | modified |
| 7/14/2023 | [Windows for Education documentation](/education/windows/index) | modified |
| 7/14/2023 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
| 7/14/2023 | [Upgrade Windows Home to Windows Education on student-owned devices](/education/windows/change-home-to-edu) | modified |
| 7/14/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 7/14/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |
| 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | modified |
| 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | modified |
| 7/14/2023 | [Get Minecraft Education Edition](/education/windows/get-minecraft-for-education) | modified |
| 7/14/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
| 7/14/2023 | [Windows for Education documentation](/education/windows/index) | added |
| 7/14/2023 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | added |
| 7/14/2023 | [Configure and secure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-settings) | added |
| 7/14/2023 | [Configure devices with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-devices-overview) | added |
| 7/14/2023 | [Enrollment in Intune with standard out-of-box experience (OOBE)](/education/windows/tutorial-school-deployment/enroll-aadj) | added |
| 7/14/2023 | [Enrollment in Intune with Windows Autopilot](/education/windows/tutorial-school-deployment/enroll-autopilot) | added |
| 7/14/2023 | [Device enrollment overview](/education/windows/tutorial-school-deployment/enroll-overview) | added |
| 7/14/2023 | [Enrollment of Windows devices with provisioning packages](/education/windows/tutorial-school-deployment/enroll-package) | added |
| 7/14/2023 | [Introduction](/education/windows/tutorial-school-deployment/index) | added |
| 7/14/2023 | [Manage devices with Microsoft Intune](/education/windows/tutorial-school-deployment/manage-overview) | added |
| 7/14/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | added |
| 7/14/2023 | [Reset and wipe Windows devices](/education/windows/tutorial-school-deployment/reset-wipe) | added |
| 7/14/2023 | [Set up Azure Active Directory](/education/windows/tutorial-school-deployment/set-up-azure-ad) | added |
| 7/14/2023 | [Set up device management](/education/windows/tutorial-school-deployment/set-up-microsoft-intune) | added |
| 7/14/2023 | [Troubleshoot Windows devices](/education/windows/tutorial-school-deployment/troubleshoot-overview) | added |
## Week of June 19, 2023
@ -15,12 +50,3 @@
| 6/23/2023 | [Troubleshoot app deployment issues in Windows SE](/education/windows/tutorial-deploy-apps-winse/troubleshoot) | added |
| 6/23/2023 | [Validate the applications deployed to Windows SE devices](/education/windows/tutorial-deploy-apps-winse/validate-apps) | added |
| 6/23/2023 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | modified |
## Week of May 29, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 5/30/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified |
| 6/2/2023 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |

2
education/windows/configure-windows-for-education.md
View File

@ -139,7 +139,7 @@ Provide an ad-free experience that is a safer, more private search option for K
#### Azure AD and Office 365 Education tenant
To suppress ads when searching with Bing on Microsoft Edge on any network, follow these steps:
1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-Yammer-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
1. Ensure your Office 365 tenant is registered as an education tenant. For more information, see [Verify your Office 365 domain to prove education status](https://support.office.com/article/Verify-your-Office-365-domain-to-prove-ownership-nonprofit-or-education-status-or-to-activate-viva-engage-87d1844e-aa47-4dc0-a61b-1b773fd4e590).
2. Domain join the Windows 10 PCs to your Azure AD tenant (this tenant is the same as your Office 365 tenant).
3. Configure **SetEduPolicies** according to one of the methods described in the previous sections in this topic.
4. Have students sign in with their Azure AD identity, which is the same as your Office 365 identity, to use the PC.

2
education/windows/deploy-windows-10-in-a-school-district.md
View File

@ -113,7 +113,7 @@ Office 365 Education allows:
* Students and faculty to use Office 365 Video to manage videos.
* Students and faculty to use Yammer to collaborate through private social networking.
* Students and faculty to use Viva Engage to collaborate through private social networking.
* Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).

4
education/windows/deploy-windows-10-in-a-school.md
View File

@ -68,7 +68,7 @@ Office 365 Education allows:
- Students and faculty to access up to 1 TB of personal cloud storage that users inside and outside the educational institution can share through OneDrive for Business.
- Teachers to provide collaboration in the classroom through Microsoft SharePoint Online team sites.
- Students and faculty to use Office 365 Video to manage videos.
- Students and faculty to use Yammer to collaborate through private social networking.
- Students and faculty to use Viva Engage to collaborate through private social networking.
- Students and faculty to access classroom resources from anywhere on any device (including iOS and Android devices).
For more information about Office 365 Education features and a FAQ, go to [Office 365 Education](https://www.microsoft.com/microsoft-365/academic/compare-office-365-education-plans).
@ -236,7 +236,7 @@ Now that you've created your new Office 365 Education subscription, add the doma
To make it easier for faculty and students to join your Office 365 Education subscription (or *tenant*), allow them to automatically sign up to your tenant (*automatic tenant join*). In automatic tenant join, when a faculty member or student signs up for Office 365, Office 365 automatically adds (joins) the user to your Office 365 tenant.
> [!NOTE]
> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries require opt-in steps to add new users to existing Office 365 tenants. Check your country requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
> By default, automatic tenant join is enabled in Office 365 Education, except for certain areas in Europe, the Middle East, and Africa. These countries/regions require opt-in steps to add new users to existing Office 365 tenants. Check your country/region requirements to determine the automatic tenant join default configuration. Also, if you use Azure AD Connect, then automatic tenant join is disabled.
Office 365 uses the domain portion of the users email address to know which Office 365 tenant to join. For example, if a faculty member or student provides an email address of user@contoso.edu, then Office 365 automatically performs one of the following tasks:

26
education/windows/windows-11-se-overview.md
View File

@ -93,6 +93,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` |
| `Class Policy` | 116.0.0 | Win32 | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
@ -100,7 +101,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.8 | Win32 | `e-speaking` |
| `Dyknow` | 7.9.13.7 | Win32 | `Dyknow` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | Win32 | `e-speaking` |
| `EasyReader` | 10.0.4.498 | Win32 | `Dolphin Computer Access` |
| `Easysense 2` | 1.32.0001 | Win32 | `Data Harvest` |
| `Epson iProjection` | 3.31 | Win32 | `Epson` |
@ -112,10 +114,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` |
| `GuideConnect` | 1.23 | Win32 | `Dolphin Computer Access` |
| `GuideConnect` | 1.24 | Win32 | `Dolphin Computer Access` |
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
| `Impero Backdrop Client` | 5.0.87 | Win32 | `Impero Software` |
| `IMT Lazarus` | 2.86.0 | Win32 | `IMTLazarus` |
| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
@ -126,6 +128,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
| `Lightspeed Filter Agent` | 2.3.4 | Win32 | `Lightspeed Systems` |
| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
@ -137,29 +140,32 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` |
| `NWEA Secure Testing Browser` | 5.4.387.0 | Win32 | `NWEA` |
| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` |
| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` |
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
| `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` |
| `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` |
| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.3213.0 | Win32 | `Microsoft` |
| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | Win32 | `Microsoft` |
| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` |
|`SchoolYear` | 3.4.7 | Win32 |`SchoolYear` |
| `Safe Exam Browser` | 3.5.0.544 | Win32 | `Safe Exam Browser` |
|`SchoolYear` | 3.4.21 | Win32 |`SchoolYear` |
|`School Manager` | 3.6.8.1109 | Win32 |`School Manager` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Skoolnext` | 2.19 | Win32 | `Skool.net` |
| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Screen Reader` | 22.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.29 | Win32 | `WordQ` |
| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
| `ZoomText Fusion` | 2022.2109.10 | Win32 | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2022.2109.25 | Win32 | `Freedom Scientific` |
| `ZoomText Fusion` | 2023.2303.77.400 | Win32 | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | Win32 | `Freedom Scientific` |
## Add your own applications

16
includes/licensing/_edition-requirements.md
View File

@ -28,15 +28,15 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|
|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|
|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|❌|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|Yes|❌|Yes|
|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|❌|Yes|
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|Yes|Yes|Yes|Yes|
@ -51,7 +51,7 @@ ms.topic: include
|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|
|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|
|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|
|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|
|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|
|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|
|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|
|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
@ -70,11 +70,11 @@ ms.topic: include
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|
|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|❌|Yes|
|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|
|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|

16
includes/licensing/_licensing-requirements.md
View File

@ -28,15 +28,15 @@ ms.topic: include
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/threat-protection/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](/windows/security/information-protection/kernel-dma-protection-for-thunderbolt)**|Yes|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](../../windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Kernel Direct Memory Access (DMA) protection](../../windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md)**|Yes|Yes|Yes|Yes|Yes|
|**Local Security Authority (LSA) Protection**|Yes|Yes|Yes|Yes|Yes|
|**[Manage by Mobile Device Management (MDM) and group policy](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
|**[Manage by Mobile Device Management (MDM) and group policy](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Measured boot](/windows/compatibility/measured-boot)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md)**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Edge standalone mode](../../windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)**|❌|❌|❌|❌|❌|
|**Microsoft Defender Application Guard (MDAG) public APIs**|❌|Yes|Yes|Yes|Yes|
|**[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint)**|❌|❌|Yes|❌|Yes|
@ -51,7 +51,7 @@ ms.topic: include
|**[Secure Boot and Trusted Boot](/windows/security/trusted-boot)**|Yes|Yes|Yes|Yes|Yes|
|**[Secured-core configuration lock](/windows/client-management/config-lock)**|Yes|Yes|Yes|Yes|Yes|
|**[Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure-11)**|Yes|Yes|Yes|Yes|Yes|
|**[Security baselines](/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines)**|Yes|Yes|Yes|Yes|Yes|
|**[Security baselines](../../windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Server Message Block (SMB) file service](/windows-server/storage/file-server/file-server-smb-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Server Message Block Direct (SMB Direct)](/windows-server/storage/file-server/smb-direct)**|Yes|Yes|Yes|Yes|Yes|
|**[Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
@ -70,11 +70,11 @@ ms.topic: include
|**[Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)**|❌|Yes|Yes|Yes|Yes|
|**[Windows Defender Remote Credential Guard](/windows/security/identity-protection/remote-credential-guard)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Defender System Guard](../../windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Firewall](/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business](/windows/security/identity-protection/hello-for-business)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Hello for Business Enhanced Security Sign-in (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows LAPS](/windows-server/identity/laps/laps-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows presence sensing](https://support.microsoft.com/windows/wake-your-windows-11-pc-when-you-approach-82285c93-440c-4e15-9081-c9e38c1290bb)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Sandbox](../../windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md)**|Yes|Yes|Yes|Yes|Yes|
|**[Windows Security policy settings and auditing](/windows/security/threat-protection/security-policy-settings/security-policy-settings)**|Yes|Yes|Yes|Yes|Yes|

4
store-for-business/billing-understand-your-invoice-msfb.md
View File

@ -78,7 +78,7 @@ The **Billing Summary** shows the charges against the billing profile since the
| Credits |Credits you received from returns |
| Azure credits applied |Your Azure credits that are automatically applied to Azure charges each billing period |
| Subtotal |The pre-tax amount due |
| Tax |The type and amount of tax that you pay, depending on the country of your billing profile. If you don't have to pay tax, then you won't see tax on your invoice. |
| Tax |The type and amount of tax that you pay, depending on the country/region of your billing profile. If you don't have to pay tax, then you won't see tax on your invoice. |
| Estimated total savings |The estimated total amount you saved from effective discounts. If applicable, effective discount rates are listed beneath the purchase line items in Details by Invoice Section. |
### Understand your charges
@ -101,7 +101,7 @@ The total amount due for each service family is calculated by subtracting Azure
| Qty | Quantity purchased or consumed during the billing period |
| Charges/Credits | Net amount of charges after credits/refunds are applied |
| Azure Credit | The amount of Azure credits applied to the Charges/Credits|
| Tax rate | Tax rate(s) depending on country |
| Tax rate | Tax rate(s) depending on country/region |
| Tax amount | Amount of tax applied to purchase based on tax rate |
| Total | The total amount due for the purchase |

1
store-for-business/docfx.json
View File

@ -37,6 +37,7 @@
"tier2"
],
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.author": "trudyha",
"audience": "ITPro",
"ms.service": "store-for-business",

10
store-for-business/includes/store-for-business-content-updates.md
View File

@ -2,6 +2,16 @@
## Week of July 10, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 7/14/2023 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
| 7/14/2023 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education) | modified |
| 7/14/2023 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified |
## Week of June 26, 2023

2
store-for-business/payment-methods.md
View File

@ -29,7 +29,7 @@ You can purchase products and services from Microsoft Store for Business using y
- Japan Commercial Bureau (JCB)
> [!NOTE]
> Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region.
> Not all cards available in all countries/regions. When you add a payment option, Microsoft Store for Business shows which cards are available in your region.
## Add a payment method

6
store-for-business/update-microsoft-store-for-business-account-settings.md
View File

@ -29,7 +29,7 @@ The **Billing account** page allows you to manage organization information, purc
## Organization information
We need your business address, email contact, and tax-exemption certificates that apply to your country or locale.
We need your business address, email contact, and tax-exemption certificates that apply to your country/region or locale.
### Business address and email contact
@ -46,7 +46,7 @@ We need an email address in case we need to contact you about your Microsoft Sto
4. Make your updates, and then select **Save**.
### Organization tax information
Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries/regions can provide their VAT number or local equivalent:
- Austria
- Belgium
- Bulgaria
@ -102,7 +102,7 @@ If you qualify for tax-exempt status in your market, start a service request to
You'll need this documentation:
|Country or locale | Documentation |
|Country/Region or locale | Documentation |
|------------------|----------------|
| United States | Sales Tax Exemption Certificate |
| Canada | Certificate of Exemption (or equivalent letter of authorization) |

607
windows/application-management/provisioned-apps-windows-client-os.md
View File

@ -1,607 +0,0 @@
---
title: Get the provisioned apps on Windows client operating system | Microsoft Docs
description: Use the Windows PowerShell Get-AppxProvisionedPackage command to get a list off the provisioned apps installed in Windows OS. See a list of some common provisioned apps installed a Windows Enterprise client computer or device, including Windows 10/11.
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 06/05/2023
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier1
ms.reviewer:
---
# Provisioned apps installed with the Windows client OS
**Applies to**:
- Windows 10
- Windows 11
Provisioned apps are included with the OS, and automatically installed when a user signs into a Windows device the first time. They're per-user apps, and typically installed in the `C:\Program Files\WindowsApps` folder. On your Windows devices, you can use Windows PowerShell to see the provisioned apps automatically installed.
This article lists some of the built-in provisioned apps on the different Windows client OS versions, and lists the Windows PowerShell command to get a list.
## Use Windows PowerShell
To get a list of all the provisioned apps, use Windows PowerShell:
1. Open the Windows PowerShell app as administrator.
2. Run the following script:
```Powershell
Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
```
The output lists all the provisioned apps, and their package names. For more information on this command, see [Get-AppxProvisionedPackage](/powershell/module/dism/get-appxprovisionedpackage) (opens another Microsoft website).
## Built-in provisioned apps list
The following information lists some of the provisioned apps on the different Windows Enterprise client OS versions. Your specific OS version and image may have different apps. To confirm your app list, run the [PowerShell Get-AppxProvisionedPackage command](#use-windows-powershell) (in this article).
Provisioned apps are also listed in **Settings** > **Apps and Features**.
- [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | Package name: Microsoft.3DBuilder
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [Clipchamp](ms-windows-store://pdp/?ProductId=9P1J8S7CCWWT) | Package name: Clipchamp.Clipchamp
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ❌️|
---
- [Cortana](ms-windows-store://pdp/?PFN=Microsoft.549981C3f5f10_8wekyb3d8bbwe) | Package name: Microsoft.549981C3f5f10
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️️|
---
- [Microsoft News](ms-windows-store://pdp/?PFN=Microsoft.BingNews_8wekyb3d8bbwe) | Package name: Microsoft.BingNews
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [Desktop App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | Package name: Microsoft.DesktopAppInstaller
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| Use Settings App | ✔️ | ✔️ | ✔️|
---
- [Xbox App](ms-windows-store://pdp/?PFN=Microsoft.GamingApp_8wekyb3d8bbwe) | Package name: Microsoft.GamingApp
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | Package name: Microsoft.GetHelp
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
|---| --- | --- | --- |
| ❌ | ✔️| ✔️| ✔️|
---
- [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | Package name: Microsoft.Getstarted
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️|
---
- [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEIFImageExtension
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️| ✔️| ✔️|
---
- [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) | Package name: Microsoft.HEVCVideoExtension
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️| ✔️| ✔️|
---
>[!NOTE]
>For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) from the Microsoft Store.
- [Microsoft Edge](ms-windows-store://pdp/?productid=XPFFTQ037JWMHS) | Package name:Microsoft.MicrosoftEdge.Stable
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Microsoft 365 (Office)](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftSolitaireCollection
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️️|
---
- [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftStickyNotes
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | Package name: Microsoft.MixedReality.Portal
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [MPEG2 Video Extension](ms-windows-store://pdp/?PFN=Microsoft.MPEG2VideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.MPEG2VideoExtension
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | Package name: Microsoft.Office.OneNote
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ❌ | ✔️ | ✔️️|
---
- [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | Package name: Microsoft.OneConnect
- Supported versions:
---
| Uninstall through UI? |22H2| 21H1 | 20H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- OneDrive Sync | Package name: Microsoft.OneDriveSync
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- Outlook Desktop Integration | Package name: Microsoft.OutlookDesktopIntegrationServices
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Paint](ms-windows-store://pdp/?PFN=Microsoft.paint_8wekyb3d8bbwe) | Package name: Microsoft.Paint
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [People](ms-windows-store://pdp/?PFN=Microsoft.people_8wekyb3d8bbwe) | Package name: Microsoft.People
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | Package name: Microsoft.Print3D
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ❌ | ✔️ | ✔️|
---
- [Raw Image Extension](ms-windows-store://pdp/?PFN=Microsoft.RawImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.RawImageExtension
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Snipping Tool](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- Store Purchase App | Package name: Microsoft.StorePurchaseApp
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Microsoft To Do](ms-windows-store://pdp/?PFN=Microsoft.ToDos_8wekyb3d8bbwe) | Package name: Microsoft.ToDos
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- UI.Xaml | Package name: Microsoft.UI.Xaml
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- VCLibs | Package name: Microsoft.VCLibs
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [VP9 Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.VP9VideoExtensions_8wekyb3d8bbwe) | Microsoft.VP9VideoExtensions
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | Package name: Microsoft.WebMediaExtensions
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.WebpImageExtension
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Whiteboard](ms-windows-store://pdp/?PFN=Microsoft.Whiteboard_8wekyb3d8bbwe) | Package name: Microsoft.Whiteboard
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️| ✔️|
---
- [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | Package name: Microsoft.Windows.Photos
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | Package name: Microsoft.WindowsAlarms
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | Package name: Microsoft.WindowsCalculator
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | Package name: Microsoft.WindowsCamera
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | Package name: microsoft.windowscommunicationsapps
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | Package name: Microsoft.WindowsFeedbackHub
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | Package name: Microsoft.WindowsMaps
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Windows Notepad](ms-windows-store://pdp/?PFN=Microsoft.WindowsNotepad_8wekyb3d8bbwe) | Package name: Microsoft.Notepad
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Windows Sound Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | Package name: Microsoft.WindowsStore
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | Package name: Microsoft.Xbox.TCUI
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | Package name: Microsoft.XboxGameOverlay
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | Package name: Microsoft.XboxGamingOverlay
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | Package name: Microsoft.XboxIdentityProvider
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- Xbox speech to text overlay | Package name: Microsoft.XboxSpeechToTextOverlay
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Phone Link](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Windows Media Player](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | Package name: Microsoft.ZuneVideo
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ✔️|
---
- [Quick Assist](ms-windows-store://pdp/?PFN=MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe) | Package name: MicrosoftCorporationII.QuickAssist
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ✔️ | ✔️ | ✔️ | ✔️|
---
- Windows Web Experience | Package name: MicrosoftWindows.Client.WebExperience
- Supported versions:
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️ | ❌|
---

366
windows/application-management/system-apps-windows-client-os.md
View File

@ -1,366 +0,0 @@
---
title: Get the system apps on Windows client operating system | Microsoft Docs
description: Use the Windows PowerShell Get-AppxPackage command to get a list off the system apps installed in Windows OS. See a list of some common system apps installed a Windows Enterprise client computer or device, including Windows 10/11.
author: nicholasswhite
ms.author: nwhite
manager: aaroncz
ms.date: 6/05/2023
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-apps
ms.localizationpriority: medium
ms.collection: tier1
ms.reviewer:
---
# System apps installed with the Windows client OS
**Applies to**:
- Windows 10
- Windows 11
On all Windows devices, the OS automatically installs some apps. These apps are called system apps, and are typically installed in the `C:\Windows\` folder. On your Windows devices, you can use Windows PowerShell to see the system apps automatically installed.
This article lists the built-in system apps on some Windows OS versions, and lists the Windows PowerShell command to get a list.
## Use Windows PowerShell
To get a list of all the system apps, use Windows PowerShell:
1. Open the Windows PowerShell app as administrator.
2. Run the following script:
```Powershell
Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
```
The output lists all the system apps, and their installation location. For more information on this command, see [Get-AppxPackage](/powershell/module/appx/get-appxpackage) (opens another Microsoft website).
## Built-in system apps list
The following information lists the system apps on some Windows Enterprise OS versions. Your specific OS version and image may have different apps. To confirm your app list, run the [PowerShell Get-AppxPackage command](#use-windows-powershell) (in this article).
- File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.AccountsControl | Package name: Microsoft.AccountsControl
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Hello setup UI | Package name: Microsoft.BioEnrollment
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.CredDialogHost
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.ECApp
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.LockApp
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft Edge | Package name: Microsoft.MicrosoftEdge
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.MicrosoftEdgeDevToolsClient
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Win32WebViewHost
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.Apprep.ChxApp
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.CapturePicker
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.CloudExperienceHost
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.ContentDeliveryManager
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Narrator QuckStart | Package name: Microsoft.Windows.NarratorQuickStart
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.OOBENetworkCaptivePort
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.OOBENetworkConnectionFlow
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.ParentalControls
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- People Hub | Package name: Microsoft.Windows.PeopleExperienceHost
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.PinningConfirmationDialog
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.PrintQueueActionCenter
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.ShellExperienceHost
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Start | Microsoft.Windows.StartMenuExperienceHost
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.Windows.XGpuEjectDialog
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Microsoft.XboxGameCallableUI
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- MicrosoftWindows.Client.CBS
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- MicrosoftWindows.Client.Core
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- MicrosoftWindows.UndockedDevKit
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- NcsiUwpApp
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Windows.CBSPreview
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Settings | Package name: Windows.immersivecontrolpanel
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---
- Print UI | Package name: Windows.PrintDialog
---
| Uninstall through UI? | KB5026446 | 22H2 | 21H2 |
| --- | --- | --- | --- |
| | ✔️ | ✔️ | ✔️|
---

12
windows/application-management/toc.yml
View File

@ -2,15 +2,9 @@ items:
- name: Manage Windows applications
href: index.yml
- name: Application management
items:
- name: Apps in Windows client OS
items:
- name: Common app types
href: apps-in-windows-10.md
- name: Provisioned apps in Windows client OS
href: provisioned-apps-windows-client-os.md
- name: System apps in Windows client OS
href: system-apps-windows-client-os.md
items:
- name: Common app types
href: apps-in-windows-10.md
- name: Add features in Windows client
href: add-apps-and-features.md
- name: Sideload apps

103
windows/client-management/mdm/contribute-csp-reference.md Normal file
View File

@ -0,0 +1,103 @@
---
title: Contributing to CSP reference articles
description: Learn more about contributing to the CSP reference articles.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 07/18/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
ms.topic: reference
---
# Contributing to the CSP reference articles
CSP reference articles are automatically generated using the [device description framework (DDF)](configuration-service-provider-ddf.md) v2 files that define the CSP. When applicable, the CSP definition includes a mapping to a group policy. The automation uses this mapping, when possible, to provide a friendly description for the CSP policies.
> [!IMPORTANT]
> Each automated CSP article provides editable sections to provide additional information about the CSP, the policies within the CSP, and usage examples. Any edits outside the designated editable sections are overwritten by the automation.
## CSP article structure
Each automated CSP article is broken into three sections.
> [!NOTE]
> To view these sections, visit the article that you want to update, then select the **Pencil** icon.
> :::image type="content" source="images/csp-contribute-link.png" alt-text="Screenshot showing the Pencil icon to edit a published article":::
1. **Header**: The header includes the CSP name, and provides an editable section where additional information about the CSP can be provided.
:::image type="content" source="images/csp-header.png" alt-text="Screenshot of the CSP header section":::
1. **Policies**: The policies section contains a list of policies, where each policy has an editable section for providing additional information and examples.
:::image type="content" source="images/csp-policy.png" alt-text="Screenshot of the CSP policy section":::
1. **Footer**: The footer indicates the end of the CSP article, and provides an editable section where more information about the CSP can be provided.
:::image type="content" source="images/csp-footer.png" alt-text="Screenshot of the CSP footer section":::
## Provide feedback on documentation
CSP articles are automated using the DDF v2 and ADMX files, which are part of the Windows codebase. Intune settings catalog also uses the DDF v2 files to present the settings and help text. As such, the feedback for these articles is best addressed when submitted directly to the engineering team using [Feedback Hub app](#send-feedback-with-the-feedback-hub-app). CSP reference articles and the Intune settings catalog are updated periodically using the latest copy of DDF v2 files, and benefit from the feedback addressed by the engineering team.
Automated CSP articles also contain [editable content](#csp-article-structure), which is preserved by the automation. For any feedback about the editable content, use the [Microsoft Learn documentation contributor guide][CONTRIB-1].
:::image type="content" source="images/csp-feedback-flow.svg" alt-text="Diagram showing the feedback flow for CSP articles":::
Use these sections to determine where you should submit feedback.
### Feedback for policy description
Policy descriptions are sourced from DDF or ADMX files and are located within the `<[CSP-Name]-Description-Begin>` section for the policy in the markdown file. `<[CSP-Name]-Description-Begin>` also includes a reference to the source that was used to provide the policy description.
- `Description-Source-ADMX` or `Description-Source-ADMX-Forced`: The description was captured from the group policy that the CSP setting maps to. If this description is incorrect, [Send feedback with the Feedback Hub app](#send-feedback-with-the-feedback-hub-app).
- `Description-Source-DDF` or `Description-Source-DDF-Forced`: The description was captured from the DDF file that defines the CSP. If this description is incorrect, [Send feedback with the Feedback Hub app](#send-feedback-with-the-feedback-hub-app).
- `Description-Source-Manual-Forced`: The description is defined in the automation code. If this description is incorrect, [submit an issue](/contribute/#create-quality-issues).
Any additional information about the policy setting can be provided in the `[Policy-Name]-Editable-Begin` section that immediately follows the `<[CSP-Name]-Description-End>` section. This section allows further expansion of the policy description, and is generated manually. For any feedback for the editable content, use the [Microsoft Learn documentation contributor guide][CONTRIB-1] to update the section or submit an issue.
### Feedback for policy examples
Policy examples aren't provided by the automation. Each policy node in the markdown file includes a `[Policy-Name]-Examples-Begin` section that contains the examples. If the example is incorrect or needs to be updated, use the [Microsoft Learn documentation contributor guide][CONTRIB-1] to update the example or submit an issue.
### Feedback for policy applicability
Policy applicability is defined in the DDF v2 file for the CSP. Each policy node in the markdown file includes a `[Policy-Name]-Applicability-Begin` section that contains the operating system applicability.
If it's incorrect or needs to be updated, [Send feedback with the Feedback Hub app](#send-feedback-with-the-feedback-hub-app).
### Feedback for policy allowed values
Policy allowed values are defined in the DDF v2 file for the CSP. When applicable, each policy node in the markdown file includes a `[Policy-Name]-AllowedValues-Begin` section that contains a table that describes the allowed values for the policy.
If these values are incorrect or need to be updated, [Send feedback with the Feedback Hub app](#send-feedback-with-the-feedback-hub-app).
### Feedback for group policy mapping
Group policy mappings are defined in the DDF v2 file for the CSP. When applicable, each policy node in the markdown file includes a `[Policy-Name]-AdmxBacked-Begin` or `[Policy-Name]-GpMapping-Begin` section that contains the group policy mapping.
If this mapping is incorrect, [Send feedback with the Feedback Hub app](#send-feedback-with-the-feedback-hub-app).
### Other feedback
For any other feedback, use the [Microsoft Learn documentation contributor guide][CONTRIB-1].
## Send feedback with the Feedback Hub app
The Feedback Hub app lets you tell Microsoft about any problems you run into while using Windows. For more information about using Feedback Hub, see [Send feedback to Microsoft with the Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332). When you submit feedback for CSP documentation with the Feedback Hub app, use these steps:
1. **Enter your feedback**: Prefix your feedback summary with `[CSP Documentation]` in the **Summarize your feedback** section. Add details about the feedback, including the link to the CSP article.
1. **Choose a category**: Select **Security and Privacy > Work or School Account** as the category.
1. **Find similar feedback**: Select an existing feedback that matches your feedback, if applicable.
1. **Add more details**: Select **Other** as the subcategory.
1. Select **Submit**.
## Related articles
- [Contributor guide overview][CONTRIB-1]
<!-- Links -->
[CONTRIB-1]: /contribute

2
windows/client-management/mdm/dynamicmanagement-csp.md
View File

@ -24,7 +24,7 @@ The table below shows the applicability of Windows:
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country/region to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
This CSP was added in Windows 10, version 1703.

BIN
windows/client-management/mdm/images/csp-contribute-link.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.2 KiB

1
windows/client-management/mdm/images/csp-feedback-flow.svg Normal file
View File

File diff suppressed because one or more lines are too long
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
windows/client-management/mdm/images/csp-footer.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/client-management/mdm/images/csp-header.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/client-management/mdm/images/csp-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 62 KiB

4
windows/client-management/mdm/policy-csp-admx-windowsstore.md
View File

@ -227,6 +227,8 @@ Denies or allows access to the Store application.
<!-- RemoveWindowsStore_1-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
<!-- RemoveWindowsStore_1-Editable-End -->
<!-- RemoveWindowsStore_1-DFProperties-Begin -->
@ -286,6 +288,8 @@ Denies or allows access to the Store application.
<!-- RemoveWindowsStore_2-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> This policy is not supported on Windows Professional edition, and requires Windows Enterprise or Windows Education to function. For more information, see [Can't disable Microsoft Store in Windows Pro through Group Policy](/troubleshoot/windows-client/group-policy/cannot-disable-microsoft-store).
<!-- RemoveWindowsStore_2-Editable-End -->
<!-- RemoveWindowsStore_2-DFProperties-Begin -->

2
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -44,7 +44,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md).
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.

2
windows/client-management/mdm/policy-csp-deviceguard.md
View File

@ -42,7 +42,7 @@ Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user,
<!-- ConfigureSystemGuardLaunch-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows).
<!-- ConfigureSystemGuardLaunch-Editable-End -->
<!-- ConfigureSystemGuardLaunch-DFProperties-Begin -->

8
windows/client-management/mdm/policy-csp-update.md
View File

@ -2426,7 +2426,9 @@ Number of days before feature updates are installed on devices automatically reg
<!-- ConfigureDeadlineForFeatureUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
>
> - After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
> - When this policy is used, the download, installation, and reboot settings from [Update/AllowAutoUpdate](#allowautoupdate) are ignored.
<!-- ConfigureDeadlineForFeatureUpdates-Editable-End -->
<!-- ConfigureDeadlineForFeatureUpdates-DFProperties-Begin -->
@ -2483,7 +2485,9 @@ Number of days before quality updates are installed on devices automatically reg
<!-- ConfigureDeadlineForQualityUpdates-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
>
> - After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
> - When this policy is used, the download, installation, and reboot settings from [Update/AllowAutoUpdate](#allowautoupdate) are ignored.
<!-- ConfigureDeadlineForQualityUpdates-Editable-End -->
<!-- ConfigureDeadlineForQualityUpdates-DFProperties-Begin -->

2
windows/client-management/mdm/toc.yml
View File

@ -3,6 +3,8 @@ items:
href: index.yml
expanded: true
items:
- name: Contributing to CSP reference
href: contribute-csp-reference.md
- name: Device description framework (DDF) files
href: configuration-service-provider-ddf.md
- name: Support scenarios

3
windows/configuration/kiosk-single-app.md
View File

@ -12,8 +12,9 @@ ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
ms.date: 06/15/2023
ms.date: 07/12/2023
---
<!--8107263-->
# Set up a single-app kiosk on Windows 10/11

2
windows/configuration/wcd/wcd-browser.md
View File

@ -81,7 +81,7 @@ Use *Default* to specify a name that matches one of the search providers you ent
#### Specific region guidance
Some countries require specific, default search providers. The following table lists the applicable countries and information for configuring the necessary search provider.
Some countries/regions require specific, default search providers. The following table lists the applicable countries/regions and information for configuring the necessary search provider.
>[!NOTE]
>For Russia + Commonwealth of Independent States (CIS), the independent states consist of Russia, Ukraine, Georgia, The Republic of Azerbaijan, Republic Of Belarus, The Republic of Kazakhstan, The Kyrgyz Republic, The Republic of Moldova, The Republic of Tajikistan, The Republic of Armenia, Turkmenistan, The Republic of Uzbekistan, and Turkey.

15
windows/deployment/do/waas-delivery-optimization-faq.yml
View File

@ -12,7 +12,7 @@ metadata:
- highpri
- tier3
ms.topic: faq
ms.date: 06/28/2023
ms.date: 07/11/2023
title: Delivery Optimization Frequently Asked Questions
summary: |
**Applies to**
@ -35,7 +35,7 @@ sections:
- question: What are the requirements if I use a proxy?
answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting).
- question: What hostnames should I allow through my firewall to support Delivery Optimization?
answer: |
**For communication between clients and the Delivery Optimization cloud service**:
@ -57,6 +57,11 @@ sections:
For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed.
- question: My firewall requires IP addresses and can't process FQDNs. How do I configure it to download content with Delivery Optimization?
answer: |
Microsoft content, such as Windows updates, are hosted and delivered globally via Content Delivery Networks (CDNs) and [Microsoft Connected Cache](waas-microsoft-connected-cache.md) (MCC) servers, which are hosted within Internet Service Provider (ISP) networks.
The network of CDNs and MCCs allows Microsoft to reach the scale required to meet the demand of the Windows user base. Given this delivery infrastructure changes dynamically, providing an exhaustive list of IPs and keeping it up to date isn't feasible.
- question: Does Delivery Optimization use multicast?
answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP.
@ -100,7 +105,7 @@ sections:
- question: How are downloads initiated by Delivery Optimization?
answer: |
Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
Delivery Optimization only starts when an application or service that's integrated with Delivery Optimization starts a download. For example, the Microsoft Edge browser. For more information about Delivery Optimization callers, see [Types of download content supported by Delivery Optimization](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization).
- question: How does Delivery Optimization determine which content is available for peering?
answer: |
@ -120,9 +125,9 @@ sections:
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
> [!NOTE]
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Microsoft Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
- question: Delivery Optimization is using device resources and I can't tell why?
answer: |

57
windows/deployment/update/includes/wufb-reports-script-error-codes.md
View File

@ -5,58 +5,45 @@ manager: aaroncz
ms.technology: itpro-updates
ms.prod: windows-client
ms.topic: include
ms.date: 08/18/2022
ms.date: 07/11/2023
ms.localizationpriority: medium
---
<!--This file is shared by updates/wufb-reports-configuration-script.md and the update/update-compliance-configuration-script.md articles. Headings are driven by article context. -->
|Error |Description |
|---------|---------|
| 1 | General unexpected error|
| 6 | Invalid CommercialID|
| 8 | Couldn't create registry key path to set up CommercialID|
| 9 | Couldn't write CommercialID at registry key path|
| 11 | Unexpected result when setting up CommercialID.|
| 12 | CheckVortexConnectivity failed, check Log output for more information.|
<!--This file is shared by updates/wufb-reports-configuration-script.md and the update/update-compliance-configuration-script.md articles. Headings are driven by article context. Updated with 8099827 -->
| Error | Description|
|---|---|
| 1 | Unexpected error |
| 12 | CheckVortexConnectivity failed, check the log output for more information. |
| 12 | Unexpected failure when running CheckVortexConnectivity.|
| 16 | Reboot is pending on device, restart device and restart script.|
| 16 | Reboot is pending on device. Restart the device then re rerun the script.|
| 17 | Unexpected exception in CheckRebootRequired.|
| 27 | Not system account. |
| 30 | Unable to disable Enterprise Auth Proxy. This registry value must be 0 for UTC to operate in an authenticated proxy environment.|
| 34 | Unexpected exception when attempting to check Proxy settings.|
| 35 | Unexpected exception when checking User Proxy.|
| 37 | Unexpected exception when collecting logs|
| 34 | Unexpected exception when attempting to check proxy settings.|
| 35 | Unexpected exception when checking user proxy.|
| 37 | Unexpected exception when collecting logs.|
| 40 | Unexpected exception when checking and setting telemetry.|
| 41 | Unable to impersonate logged-on user.|
| 42 | Unexpected exception when attempting to impersonate logged-on user.|
| 43 | Unexpected exception when attempting to impersonate logged-on user.|
| 44 | Error when running CheckDiagTrack service.|
| 45 | DiagTrack.dll not found.|
| 48 | CommercialID isn't a GUID|
| 50 | DiagTrack service not running.|
| 51 | Unexpected exception when attempting to run Census.exe|
| 52 | Couldn't find Census.exe|
| 53 | There are conflicting CommercialID values.|
| 51 | Unexpected exception when attempting to run Census.exe. |
| 52 | Couldn't find Census.exe. |
| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
| 55 | Failed to create new registry path for SetDeviceNameOptIn|
| 56 | Failed to create property for SetDeviceNameOptIn at registry path|
| 57 | Failed to update value for SetDeviceNameOptIn|
| 58 | Unexpected exception in SetrDeviceNameOptIn|
| 55 | Failed to create new registry path for SetDeviceNameOptIn.|
| 56 | Failed to create property for SetDeviceNameOptIn at registry path.|
| 57 | Failed to update value for SetDeviceNameOptIn. |
| 58 | Unexpected exception in SetDeviceNameOptIn.|
| 59 | Failed to delete LastPersistedEventTimeOrFirstBoot property at registry path when attempting to clean up OneSettings.|
| 60 | Failed to delete registry key when attempting to clean up OneSettings.|
| 61 | Unexpected exception when attempting to clean up OneSettings.|
| 62 | AllowTelemetry registry key isn't of the correct type REG_DWORD|
| 62 | AllowTelemetry registry key isn't the correct type of REG_DWORD.|
| 63 | AllowTelemetry isn't set to the appropriate value and it couldn't be set by the script.|
| 64 | AllowTelemetry isn't of the correct type REG_DWORD.|
| 64 | AllowTelemetry isn't the correct type of REG_DWORD.|
| 66 | Failed to verify UTC connectivity and recent uploads.|
| 67 | Unexpected failure when verifying UTC CSP.|
| 91 | Failed to create new registry path for EnableAllowUCProcessing|
| 92 | Failed to create property for EnableAllowUCProcessing at registry path|
| 93 | Failed to update value for EnableAllowUCProcessing|
| 94 | Unexpected exception in EnableAllowUCProcessing|
| 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline |
| 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path |
| 97 | Failed to update value for EnableAllowCommercialDataPipeline |
| 98 | Unexpected exception in EnableAllowCommercialDataPipeline |
| 99 | Device isn't Windows 10.|
| 100 | Device must be AADJ or hybrid AADJ to use Windows Update for Business reports or Update Compliance |
| 101 | Check AADJ failed with unexpected exception |
| 99 | Device isn't Windows 10 or Windows 11.|
| 100 | Device must be Azure AD joined or hybrid Azure AD joined to use Windows Update for Business reports.|
| 101 | Check Azure AD join failed with unexpected exception.|
| 102 | DisableOneSettingsDownloads policy shouldn't be enabled. Please disable this policy.|

BIN
windows/deployment/update/media/wufb-do-overview.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 149 KiB

After

Width:  |  Height:  |  Size: 408 KiB

22
windows/deployment/update/wufb-reports-configuration-script.md
View File

@ -7,7 +7,7 @@ author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ms.date: 02/10/2023
ms.date: 07/11/2023
ms.technology: itpro-updates
---
@ -25,23 +25,23 @@ You can download the script from the [Microsoft Download Center](https://www.mic
## How this script is organized
This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode.
- In **Pilot** mode (`runMode=Pilot`), the script will enter a verbose mode with enhanced diagnostics, and save the results in the path defined with `logpath` in `RunConfig.bat`. Pilot mode is best for a pilot run of the script or for troubleshooting configuration.
- In **Deployment** mode (`runMode=Deployment`), the script will run quietly.
This script's two primary files are `ConfigScript.ps1` and `RunConfig.bat`. You configure `RunConfig.bat` according to the directions in the `.bat` itself, which will then run `ConfigScript.ps1` with the parameters entered to `RunConfig.bat`. There are two ways of using the script: in **Pilot** mode or **Deployment** mode.
> [!Important]
> [PsExec](/sysinternals/downloads/psexec) is used to run the script in the system context. Once the device is configured, remove PsExec.exe from the device.
## How to use this script
Open `RunConfig.bat` and configure the following (assuming a first-run, with `runMode=Pilot`):
Edit the `RunConfig.bat` file to configure the following variables, then run the edited .bat file:
1. Define `logPath` to where you want the logs to be saved. Ensure that `runMode=Pilot`.
1. Don't modify the [Commercial ID](update-compliance-get-started.md#get-your-commercialid) values since they're used for the earlier version of Windows Update for Business reports (Update Compliance). Leave `setCommercialID=false` and the `commercialIDValue=Unknown`.
1. Run the script.
1. Examine the logs for any issues. If there are no issues, then all devices with a similar configuration and network profile are ready for the script to be deployed with `runMode=Deployment`.
1. If there are issues, gather the logs and provide them to Microsoft Support.
| Variable | Allowed values and description | Example |
|---|---|---|
| runMode | **Pilot** (default): Verbose mode with additional diagnostics with additional logging. Pilot mode is best for a testing run of the script or for troubleshooting. <br> **Deployment**: Doesn't run any additional diagnostics or add extra logging | `runMode=Pilot` |
| logPath | Path where the logs will be saved. The default location of the logs is `.\UCLogs`. | `logPath=C:\temp\logs` |
| logMode | **0**: Log to the console only </br> **1** (default): Log to file and console. </br> **2**: Log to file only. | `logMode=2` |
| DeviceNameOptIn | **true** (default): Device name is sent to Microsoft. </br> **false**: Device name isn't sent to Microsoft. | `DeviceNameOptIn=true` |
| ClientProxy | **Direct** (default): No proxy is used. The connection to the endpoints is direct. </br> **System**: The system proxy, without authentication, is used. This type of proxy is typically configured with [netsh](/windows-server/networking/technologies/netsh/netsh-contexts) and can be verified using `netsh winhttp show proxy`. </br> **User**: The proxy is configured through IE and it might or might not require user authentication. </br> </br> For more information, see [How the Windows Update client determines which proxy server to use to connect to the Windows Update website](https://support.microsoft.com/en-us/topic/how-the-windows-update-client-determines-which-proxy-server-to-use-to-connect-to-the-windows-update-website-08612ae5-3722-886c-f1e1-d012516c22a1) | `ClientProxy=Direct` |
| source | Used by the .bat file and PowerShell script to locate dependencies. It's recommended that you don't change this value. | `source=%~dp0` |
## Script errors

6
windows/deployment/update/wufb-reports-enable.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 04/26/2023
ms.date: 07/11/2023
ms.technology: itpro-updates
---
@ -52,9 +52,7 @@ Windows Update for Business reports uses an [Azure Log Analytics workspaces](/az
## <a name="bkmk_enroll"></a> Enroll into Windows Update for Business reports
Enroll into Windows Update for Business reports by configuring its settings through either the Azure Workbook or from the Microsoft 365 admin center. Completing the Windows Update for Business reports configuration removes needing to specify [`CommercialID`](update-compliance-get-started.md#get-your-commercialid), which was needed by Update Compliance, the predecessor of Windows Update for Business reports.
Use one of the following methods to enroll into Windows Update for Business reports:
Enroll into Windows Update for Business reports by configuring its settings through either the Azure Workbook or from the Microsoft 365 admin center. Use one of the following methods to enroll into Windows Update for Business reports:
##### <a name="bkmk_enroll-workbook"></a> Enroll through the Azure Workbook (recommended method)

4
windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
View File

@ -16,10 +16,14 @@ ms.technology: itpro-fundamentals
**Applies to:**
- Windows 11
- Windows 10
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2

7
windows/deployment/windows-10-enterprise-e3-overview.md
View File

@ -54,9 +54,6 @@ In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offerin
## Compare Windows 10 Pro and Enterprise editions
> [!NOTE]
> The following table only lists Windows 10. More information will be available about differences between Windows 11 editions after Windows 11 is generally available.
Windows 10 Enterprise edition has many features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
### Table 1. Windows 10 Enterprise features not found in Windows 10 Pro
@ -64,7 +61,7 @@ Windows 10 Enterprise edition has many features that are unavailable in Windows
|Feature|Description|
|--- |--- |
|Credential Guard|Credential Guard uses virtualization-based security to help protect security secrets so that only privileged system software can access them. Examples of security secrets that can be protected include NTLM password hashes and Kerberos Ticket Granting Tickets. This protection helps prevent Pass-the-Hash or Pass-the-Ticket attacks.<br><br>Credential Guard has the following features:<li>**Hardware-level security** - Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.<li>**Virtualization-based security** - Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.<li>**Improved protection against persistent threats** - Credential Guard works with other technologies (for example, Device Guard) to help provide further protection against attacks, no matter how persistent.<li>**Improved manageability** - Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.<br><br>For more information, see [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard).<br><br>*Credential Guard requires UEFI 2.3.1 or greater with Trusted Boot; Virtualization Extensions such as Intel VT-x, AMD-V, and SLAT must be enabled; x64 version of Windows; IOMMU, such as Intel VT-d, AMD-Vi; BIOS Lockdown; TPM 2.0 recommended for device health attestation (will use software if TPM 2.0 not present)*|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|Device Guard|This feature is a combination of hardware and software security features that allows only trusted applications to run on a device. Even if an attacker manages to get control of the Windows kernel, they'll be much less likely to run executable code. Device Guard can use virtualization-based security (VBS) in Windows 10 Enterprise edition to isolate the Code Integrity service from the Windows kernel itself. With VBS, even if malware gains access to the kernel, the effects can be severely limited, because the hypervisor can prevent the malware from executing code.<br><br>Device Guard protects in the following ways:<li>Helps protect against malware<li>Helps protect the Windows system core from vulnerability and zero-day exploits<li>Allows only trusted apps to run<br><br>For more information, see [Introduction to Device Guard](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).|
|AppLocker management|This feature helps IT pros determine which applications and files users can run on a device. The applications and files that can be managed include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.<br><br>For more information, see [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview).|
|Application Virtualization (App-V)|This feature makes applications available to end users without installing the applications directly on users' devices. App-V transforms applications into centrally managed services that are never installed and don't conflict with other applications. This feature also helps ensure that applications are kept current with the latest security updates.<br><br>For more information, see [Getting Started with App-V for Windows 10](/windows/application-management/app-v/appv-getting-started).|
|User Experience Virtualization (UE-V)|With this feature, you can capture user-customized Windows and application settings and store them on a centrally managed network file share.<br><br>When users log on, their personalized settings are applied to their work session, regardless of which device or virtual desktop infrastructure (VDI) sessions they log on to.<br><br>UE-V provides the following features:<li>Specify which application and Windows settings synchronize across user devices<li>Deliver the settings anytime and anywhere users work throughout the enterprise<li>Create custom templates for your third-party or line-of-business applications<li>Recover settings after hardware replacement or upgrade, or after re-imaging a virtual machine to its initial state<br><br>For more information, see [User Experience Virtualization (UE-V) for Windows 10 overview](/windows/configuration/ue-v/uev-for-windows).|
@ -123,7 +120,7 @@ Now that the devices have Windows 10/11 Enterprise, you can implement Device Gua
For more information about implementing Device Guard, see:
- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
- [Windows Defender Application Control and virtualization-based protection of code integrity](/windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control)
- [Device Guard deployment guide](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide)
### AppLocker management

4
windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
View File

@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: windows-client
ms.topic: faq
ms.date: 05/04/2023
ms.date: 07/19/2023
audience: itpro
ms.localizationpriority: medium
manager: dougeby
@ -31,7 +31,7 @@ sections:
Autopatch isn't available for 'A' or 'F' series licensing.
- question: Will Windows Autopatch support local domain join Windows 10?
answer: |
Windows Autopatch doesn't support local (on-premise) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
Windows Autopatch doesn't support local (on-premises) domain join. Windows Autopatch supports [Hybrid AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or pure [Azure AD join](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
- question: Will Windows Autopatch be available for state and local government customers?
answer: |
Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers. Although Windows 365 Enterprise is in the Azure Commercial cloud, when Windows 365 Enterprise is used with a GCC customer tenant, Autopatch is not suppported.

26
windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
View File

@ -1,7 +1,7 @@
---
title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles.
ms.date: 07/11/2022
ms.date: 07/11/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -23,14 +23,14 @@ Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps
Rather than maintaining complex digital infrastructure, businesses want to focus on what makes them unique and successful. Windows Autopatch offers a solution to some of the challenges facing businesses and their people today:
- **Close the security gap**: By keeping software current, there are fewer vulnerabilities and threats to your devices.
- **Close the productivity gap**: By adopting features as they're made available, users get the latest tools to enhance creation and collaboration.
- **Optimize your IT admin resources**: By automating routine endpoint updates, IT pros have more time to create value.
- **Close the security gap**: Windows Autopatch keeps software current, there are fewer vulnerabilities and threats to your devices.
- **Close the productivity gap**: Windows Autopatch adopts features as they're made available. End users get the latest tools to amplify their collaboration and work.
- **Optimize your IT admin resources**: Windows Autopatch automates routine endpoint updates. IT pros have more time to create value.
- **On-premises infrastructure**: Transitioning to the world of software as a service (SaaS) allows you to minimize your investment in on-premises hardware since updates are delivered from the cloud.
- **Onboard new services**: Windows Autopatch is scoped to make it easy to enroll and minimizes the time investment from your IT Admins to get started.
- **Minimize end user disruption**: By releasing in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
- **Onboard new services**: Windows Autopatch makes it easy to enroll and minimizes the time required from your IT Admins to get started.
- **Minimize end user disruption**: Windows Autopatch releases updates in sequential deployment rings, and responding to reliability and compatibility signals, user disruptions due to updates are minimized.
Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. By crafting careful rollout sequences and communicating with you throughout the release, your IT Admins can focus on other activities and tasks.
Windows Autopatch helps you minimize the involvement of your scarce IT resources in the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge or Teams. Windows Autopatch uses careful rollout sequences and communicates with you throughout the release, allowing your IT Admins can focus on other activities and tasks.
## Update management
@ -44,11 +44,11 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
For each management area, there's a set of eligibility requirements that determine if the device will receive that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area.
For each management area, there's a set of eligibility requirements that determine if the device receives that specific update. An example of an eligibility criteria is that the device must have access to the required network endpoints for the Windows update. It's your responsibility to ensure that devices are meeting eligibility requirements for each management area.
To determine if we're meeting our service level objectives, all eligible devices are labeled as either "Healthy" or "Unhealthy". Healthy devices are meeting the eligibility requirements for that management area and unhealthy devices aren't. If Windows Autopatch falls below any service level objective for a management area, an incident is raised. Then, we bring the service back into compliance.
While an update is in progress, it's monitored by Windows Autopatch. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service.
Windows Autopatch monitors in-progress updates. Depending on the criticality of the update, the service may decide to expedite the update. If we detect an issue during release, we may pause or roll back the update. Since each management area has a different monitoring and update control capabilities, you review the documentation for each area to familiarize yourself with the service.
## Messages
@ -62,10 +62,10 @@ Microsoft remains committed to the security of your data and the [accessibility]
| Area | Description |
| ----- | ----- |
| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li></ul> |
| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-update-management.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
| References | This section includes the following articles:<ul><li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li><li>[Privacy](../overview/windows-autopatch-privacy.md)</li><li>[Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)</li></ul> |
| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li><li>[Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md)</ul> |
| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li><li>[Manage Windows Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md)</li></ul> |
| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-groups-update-management.md)</li><li>[Windows quality and feature update reports](../operate/windows-autopatch-groups-windows-quality-and-feature-update-reports-overview.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
| References | This section includes the following articles:<ul><li>[Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md)<li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li></ul> |
### Have feedback or would like to start a discussion?

2
windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
View File

@ -66,7 +66,7 @@ The following groups target Windows Autopatch configurations to devices and mana
| Policy name | Policy description | Properties | Value |
| ----- | ----- | ----- | ----- |
| Windows Autopatch-SetMDMtoWinOverGPO | Setsmobile device management (MDM)towinoverGPO<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>| [MDM Wins Over GP](/windows/client-management/mdm/policy-csp-controlpolicyconflict#controlpolicyconflict-MDMWinsOverGP) | <ul><li>MDM policy is used</li><li>GP policy is blocked</li></ul> |
| Windows Autopatch-DataCollection | Windows Autopatch and Telemetry settings processes diagnosticdatafromtheWindows device.<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ol><li>[Configure Telemetry Opt In Change Notification](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinchangenotification)</li><li>[Configure Telemetry Opt In Settings UX](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux)</li><li>[Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ol>|<ol><li>Enable telemetry change notifications</li><li>Enable Telemetry opt-in Settings</li><li>Full</li><li>Enabled</li><li>Enabled</li><li>Enabled</li></ol> |
| Windows Autopatch-DataCollection | Windows Autopatch and Telemetry settings processes diagnosticdatafromtheWindows device.<p>Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ul>|<ol><li>[Allow Telemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)</li><li>[Limit Enhanced Diagnostic Data Windows Analytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)</li><li>[Limit Dump Collection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)</li><li>[Limit Diagnostic Log Collection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)</li></ol>|<ol><li>Full</li><li>Enabled</li><li>Enabled</li><li>Enabled</li></ol> |
## Deployment rings for Windows 10 and later

11
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 06/26/2023
ms.date: 07/10/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -21,6 +21,14 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
## July 2023
### July service releases
| Message center post number | Description |
| ----- | ----- |
| [MC628172](https://admin.microsoft.com/adminportal/home#/MessageCenter) | General Availability: New Features in Windows Autopatch |
## June 2023
### June feature releases or updates
@ -36,6 +44,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Message center post number | Description |
| ----- | ----- |
| [MC617077](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Windows Autopatch Public Preview: Drivers and Firmware Management |
| [MC604889](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Expanding Windows Autopatch availability in August 2023 |
| [MC602590](https://admin.microsoft.com/adminportal/home#/MessageCenter) | June 2023 Windows Autopatch baseline configuration update |
| [MC591864](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Updated ticket categories to reduce how long it takes to resolve support requests |

4
windows/privacy/required-windows-11-diagnostic-events-and-fields.md
View File

@ -1983,7 +1983,7 @@ The following fields are available:
### Microsoft.Windows.Security.CodeIntegrity.State.Current
This event indicates the overall CodeIntegrity Policy state and count of policies, fired on reboot and when policy changes rebootlessly. The data collected with this event is used to help keep Windows secure.
This event indicates the overall CodeIntegrity Policy state and count of policies, which occur when the device restarts and when policy changes without a restart. The data collected with this event is used to help keep Windows secure.
The following fields are available:
@ -2006,7 +2006,7 @@ The following fields are available:
### Microsoft.Windows.Security.CodeIntegrity.State.PolicyDetails
This individual policy state event fires once per policy on reboot and whenever any policy change occurs rebootlessly. The data collected with this event is used to help keep Windows secure.
This individual policy state event occurs once per policy when the device restarts and whenever any policy change occurs without a restart. The data collected with this event is used to help keep Windows secure.
The following fields are available:

10
windows/privacy/windows-10-and-privacy-compliance.md
View File

@ -84,10 +84,10 @@ The following table provides an overview of the privacy settings discussed earli
| [Find my device](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#find-my-device) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Find My Device** > **Turn On/Off Find My Device**<br /><br />MDM: [Experience/AllFindMyDevice](/windows/client-management/mdm/policy-csp-experience#experience-allowfindmydevice) | Off | Off |
| [Diagnostic Data](configure-windows-diagnostic-data-in-your-organization.md) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Data Collection and Preview Builds** > **Allow Telemetry** (or **Allow diagnostic data** in Windows 11 or Windows Server 2022)<br /><br />MDM: [System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)<br /><br />**Note**: If you are planning to configure devices, using the Windows diagnostic data processor configuration option, the state to minimize data collection is not recommended. For more information, see [Enabling the Windows diagnostic data processor configuration](#237-diagnostic-data-enabling-the-windows-diagnostic-data-processor-configuration). | Required diagnostic data (Windows 10, version 1903 and later and Windows 11)<br /><br />Server editions:<br />Enhanced diagnostic data | Security (Off) and block endpoints |
| [Inking and typing diagnostics](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-ink) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Text Input** > **Improve inking and typing recognition**<br /><br />MDM: [TextInput/AllowLinguisticDataCollection](/windows/client-management/mdm/policy-csp-textinput#textinput-allowlinguisticdatacollection) | Off (Windows 10, version 1809 and later and Windows 11) | Off |
| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
| Activity History/Timeline Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**<br /><br />MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
| Tailored Experiences | Group Policy:<br />**User Configuration** > **Windows Components** > **Cloud Content** > **Do not use diagnostic data for tailored experiences**<br /><br />MDM: [Experience/AllowTailoredExperiencesWithDiagnosticData](/windows/client-management/mdm/policy-csp-experience#experience-allowtailoredexperienceswithdiagnosticdata) | Off | Off |
| Advertising ID | Group Policy:<br />**Computer Configuration** > **System** > **User Profile** > **Turn off the advertising Id**<br /><br />MDM: [Privacy/DisableAdvertisingId](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Off | Off |
| Activity History/Timeline Cloud Sync | Group Policy:<br />**Computer Configuration** > **System** > **OS Policies** > **Allow upload of User Activities**<br /><br />MDM: [Privacy/EnableActivityFeed](/windows/client-management/mdm/policy-csp-privacy#privacy-enableactivityfeed) | Off | Off |
| [Cortana](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#2-cortana-and-search) | Group Policy:<br />**Computer Configuration** > **Windows Components** > **Search** > **Allow Cortana**<br /><br />MDM: [Experience/AllowCortana](/windows/client-management/mdm/policy-csp-experience#experience-allowcortana) | Off | Off |
### 2.3 Guidance for configuration options
@ -249,7 +249,7 @@ An administrator can configure privacy-related settings, such as choosing to onl
* [Microsoft Trust Center: Privacy at Microsoft](https://www.microsoft.com/trust-center/privacy)
* [Windows IT Pro Docs](/windows/#pivot=it-pro)
* [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement)
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
* [Privacy at Microsoft](https://privacy.microsoft.com/privacy-report)
* [Changes to Windows diagnostic data](changes-to-windows-diagnostic-data-collection.md)
* [Microsoft Service Trust Portal](https://servicetrust.microsoft.com/)

2
windows/privacy/windows-11-endpoints-non-enterprise-editions.md
View File

@ -188,7 +188,7 @@ The following methodology was used to derive the network endpoints:
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Viva Engage conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS/HTTP|fp.msedge.net|

2
windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
View File

@ -204,7 +204,7 @@ The following methodology was used to derive the network endpoints:
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Viva Engage conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS/HTTP|fp.msedge.net|

2
windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
View File

@ -200,7 +200,7 @@ The following methodology was used to derive the network endpoints:
|Apps|The following endpoints are used for the Weather app.|TLSv1.2/HTTPS/HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser.|TLSv1.2/HTTPS/HTTP|evoke-windowsservices-tas.msedge.net|
||The following endpoint is used for OneNote Live Tile.|HTTPS/HTTP|cdn.onenote.net|
|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Yammer conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
|Bing Search|The following endpoint is used by Microsoft Search in Bing enabling users to search across files, SharePoint sites, OneDrive content, Teams and Viva Engage conversations, and other shared data sources in an organization, as well as the web.|HTTPS|business.bing.com|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available.|TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com/*|
|Cortana and Live Tiles|The following endpoints are related to Cortana and Live Tiles|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS/HTTP|fp.msedge.net|

10
windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md → windows/security/application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
View File

@ -5,7 +5,7 @@ ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
@ -21,12 +21,12 @@ ms.topic: article
- Windows 11
- Windows Server 2016 and higher
Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md).
Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
> [!NOTE]
> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.
WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices.
Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
@ -44,6 +44,6 @@ WDAC has no specific hardware or software requirements.
## Related articles
- [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md)
- [Memory integrity](enable-virtualization-based-protection-of-code-integrity.md)
- [Windows Defender Application Control](../../threat-protection/windows-defender-application-control/windows-defender-application-control.md)
- [Memory integrity](../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md)
- [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865)

4
windows/security/application-security/application-control/toc.yml
View File

@ -8,8 +8,8 @@ items:
- name: UAC settings and configuration
href: user-account-control/settings-and-configuration.md
- name: Windows Defender Application Control and virtualization-based protection of code integrity
href: ../../threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
href: introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: Windows Defender Application Control
href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
- name: Smart App Control
href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md
href: ../../threat-protection/windows-defender-application-control/windows-defender-application-control.md

3
windows/security/application-security/application-control/user-account-control/how-it-works.md
View File

@ -93,6 +93,9 @@ The elevation process is further secured by directing the prompt to the *secure
When an executable file requests elevation, the *interactive desktop*, also called the *user desktop*, is switched to the secure desktop. The secure desktop dims the user desktop and displays an elevation prompt that must be responded to before continuing. When the user selects **Yes** or **No**, the desktop switches back to the user desktop.
> [!NOTE]
> Starting in **Windows Server 2019**, it's not possible to paste the content of the clipboard on the secure desktop. This is the same behavior of the currently supported Windows client OS versions.
Malware can present an imitation of the secure desktop, but when the **User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode** policy setting is set to **Prompt for consent**, the malware doesn't gain elevation if the user selects **Yes** on the imitation. If the policy setting is set to **Prompt for credentials**, malware imitating the credential prompt may be able to gather the credentials from the user. However, the malware doesn't gain elevated privilege and the system has other protections that mitigate malware from taking control of the user interface even with a harvested password.
While malware could present an imitation of the secure desktop, this issue can't occur unless a user previously installed the malware on the PC. Because processes requiring an administrator access token can't silently install when UAC is enabled, the user must explicitly provide consent by selecting **Yes** or by providing administrator credentials. The specific behavior of the UAC elevation prompt is dependent upon security policies.

0
windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml → windows/security/application-security/application-isolation/microsoft-defender-application-guard/TOC.yml
View File

24
windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md → windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard.md
View File

@ -1,35 +1,20 @@
---
title: Configure the Group Policy settings for Microsoft Defender Application Guard
title: Configure the Group Policy settings for Microsoft Defender Application Guard
description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
ms.prod: windows-client
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 08/22/2022
ms.reviewer:
manager: aaroncz
ms.custom: sasr
ms.technology: itpro-security
ms.date: 07/11/2023
ms.topic: how-to
---
# Configure Microsoft Defender Application Guard policy settings
**Applies to:**
- Windows 10
- Windows 11
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.
Application Guard uses both network isolation and application-specific settings.
[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)]
[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)]
For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview).
For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](md-app-guard-overview.md).
## Network isolation settings
@ -75,4 +60,3 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
[Use Group Policy to enable and customize contact information](/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information#use-group-policy-to-enable-and-customize-contact-information).

118
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml → windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
View File

@ -2,25 +2,15 @@
metadata:
title: FAQ - Microsoft Defender Application Guard (Windows 10)
description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-security
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.topic: faq
ms.date: 12/31/2017
ms.date: 07/11/2023
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
## Frequently Asked Questions
sections:
@ -30,34 +20,34 @@ sections:
Can I enable Application Guard on machines equipped with 4-GB RAM?
answer: |
We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
- question: |
My network configuration uses a proxy and Im running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
answer: |
The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
- Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral.”
- It must be an FQDN. A simple IP address won't work.
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
- question: |
How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
answer: |
Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These annotations would be for the proxy policies under Network Isolation in Group Policy or Intune.
- question: |
Which Input Method Editors (IME) in 19H1 aren't supported?
answer: |
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
- Vietnam Telex keyboard
- Vietnam number key-based keyboard
- Hindi phonetic keyboard
@ -70,7 +60,7 @@ sections:
- Gujarati phonetic keyboard
- Odia phonetic keyboard
- Punjabi phonetic keyboard
- question: |
I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
answer: |
@ -80,19 +70,19 @@ sections:
What is the WDAGUtilityAccount local account?
answer: |
WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It's NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:
**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
- question: |
How do I trust a subdomain in my site list?
answer: |
To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). These two dots prevent sites such as `fakesitecontoso.com` from being trusted.
- question: |
Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
answer: |
When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
- question: |
Is there a size limit to the domain lists that I need to configure?
answer: |
@ -107,15 +97,15 @@ sections:
Why do the Network Isolation policies in Group Policy and CSP look different?
answer: |
There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
- For EnterpriseNetworkDomainNames, there's no mapped CSP policy.
Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
- question: |
Why did Application Guard stop working after I turned off hyperthreading?
answer: |
@ -130,70 +120,70 @@ sections:
Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
answer: |
This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
- [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
### First rule (DHCP Server)
- Program path: `%SystemRoot%\System32\svchost.exe`
- Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
- Protocol UDP
- Port 67
### Second rule (DHCP Client)
This rule is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
1. Right-click on inbound rules, and then create a new rule.
2. Choose **custom rule**.
3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
4. Specify the following settings:
- Protocol Type: UDP
- Specific ports: 67
- Remote port: any
5. Specify any IP addresses.
6. Allow the connection.
7. Specify to use all profiles.
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
9. In the **Programs and services** tab, under the **Services** section, select **settings**.
10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
- question: |
How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
answer: |
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We don't recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
2. Disable IpNat.sys from ICS load as follows: <br/>
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
3. Configure ICS (SharedAccess) to be enabled as follows: <br/>
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
4. (This step is optional) Disable IPNAT as follows: <br/>
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
5. Reboot the device.
- question: |
Why doesn't the container fully load when device control policies are enabled?
answer: |
Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
Policy: Allow installation of devices that match any of the following device IDs:
- `SCSI\DiskMsft____Virtual_Disk____`
- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
- `VMS_VSF`
@ -206,7 +196,7 @@ sections:
- `root\storvsp`
- `vms_vsmp`
- `VMS_PP`
Policy: Allow installation of devices using drivers that match these device setup classes
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
@ -218,25 +208,25 @@ sections:
1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
2. Reboot the device.
- question: |
What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
answer: |
This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
- question: |
How do I open a support ticket for Microsoft Defender Application Guard?
answer: |
- Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
- question: |
Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
answer: |
Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`
additionalContent: |
## See also
[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)

0
windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-evaluation-page.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 68 KiB

After

Width:  |  Height:  |  Size: 68 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-launchIng-edge.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 114 KiB

After

Width:  |  Height:  |  Size: 114 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/app-guard-chrome-extension-new-app-guard-page.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 507 KiB

After

Width:  |  Height:  |  Size: 507 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-camera-and-mic.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 129 KiB

After

Width:  |  Height:  |  Size: 129 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-allow-root-certificates.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 116 KiB

After

Width:  |  Height:  |  Size: 116 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-clipboard.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-clipboard.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 126 KiB

After

Width:  |  Height:  |  Size: 126 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-download.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-download.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 145 KiB

After

Width:  |  Height:  |  Size: 145 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation-neutral.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 18 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-network-isolation.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 66 KiB

After

Width:  |  Height:  |  Size: 66 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-persistence.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-persistence.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 135 KiB

After

Width:  |  Height:  |  Size: 135 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-print.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-print.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 189 KiB

After

Width:  |  Height:  |  Size: 189 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-turn-on.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-turn-on.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 265 KiB

After

Width:  |  Height:  |  Size: 265 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-gp-vgpu.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-gp-vgpu.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 183 KiB

After

Width:  |  Height:  |  Size: 183 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-hardware-isolation.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-hardware-isolation.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 32 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-new-window.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-new-window.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 229 KiB

After

Width:  |  Height:  |  Size: 229 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-turned-on-with-trusted-site.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 431 KiB

After

Width:  |  Height:  |  Size: 431 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/appguard-visual-cues.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/appguard-visual-cues.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 897 KiB

After

Width:  |  Height:  |  Size: 897 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/application-guard-container-v-host.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/application-guard-container-v-host.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 54 KiB

After

Width:  |  Height:  |  Size: 54 KiB

0
windows/security/threat-protection/microsoft-defender-application-guard/images/turn-windows-features-on-off.png → windows/security/application-security/application-isolation/microsoft-defender-application-guard/images/turn-windows-features-on-off.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 336 KiB

After

Width:  |  Height:  |  Size: 336 KiB

15
windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md → windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
View File

@ -1,22 +1,11 @@
---
title: Enable hardware-based isolation for Microsoft Edge
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 11/30/2022
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
ms.date: 07/11/2023
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.topic: how-to
---
# Prepare to install Microsoft Defender Application Guard

14
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-browser-extension.md → windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-browser-extension.md
View File

@ -1,25 +1,13 @@
---
title: Microsoft Defender Application Guard Extension
description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 09/09/2021
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
ms.date: 07/11/2023
ms.topic: conceptual
---
# Microsoft Defender Application Guard Extension
**Applies to:**
- Windows 10
- Windows 11
[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.

26
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md → windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
View File

@ -1,19 +1,9 @@
---
title: Microsoft Defender Application Guard
title: Microsoft Defender Application Guard
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
ms.prod: windows-client
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 05/01/2023
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
ms.collection:
ms.date: 07/11/2023
ms.collection:
- highpri
- tier2
ms.topic: conceptual
@ -21,11 +11,6 @@ ms.topic: conceptual
# Microsoft Defender Application Guard overview
**Applies to**
- Windows 10
- Windows 11
Microsoft Defender Application Guard (MDAG) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
@ -48,9 +33,9 @@ Application Guard has been created to target several types of devices:
- **Personal devices**. These personally owned desktops or mobile laptops aren't domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md)
## Related articles
@ -64,4 +49,3 @@ For more information about Microsoft Defender Application Guard (MDAG) for Edge
| [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|

13
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md → windows/security/application-security/application-isolation/microsoft-defender-application-guard/reqs-md-app-guard.md
View File

@ -1,24 +1,13 @@
---
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: windows-client
ms.technology: itpro-security
ms.topic: overview
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 08/25/2022
ms.reviewer: sazankha
manager: aaroncz
ms.date: 07/11/2023
---
# System requirements for Microsoft Defender Application Guard
**Applies to**
- Windows 10 Education, Enterprise, and Professional
- Windows 11 Education, Enterprise, and Professional
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
> [!NOTE]

18
windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md → windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
View File

@ -1,25 +1,13 @@
---
title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer: sazankha
manager: aaroncz
ms.date: 09/23/2022
ms.custom: asr
ms.date: 07/11/2023
ms.topic: conceptual
---
# Application Guard testing scenarios
**Applies to:**
- Windows 10
- Windows 11
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
## Application Guard in standalone mode
@ -28,7 +16,7 @@ You can see how an employee would use standalone mode with Application Guard.
### To test Application Guard in Standalone mode
1. [Install Application Guard](./install-md-app-guard.md).
1. [Install Application Guard](install-md-app-guard.md).
2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.
@ -51,7 +39,7 @@ How to install, set up, turn on, and configure Application Guard for Enterprise-
Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. [Install Application Guard](./install-md-app-guard.md#install-application-guard).
1. [Install Application Guard](install-md-app-guard.md#install-application-guard).
2. Restart the device, and then start Microsoft Edge.

8
windows/security/application-security/application-isolation/toc.yml
View File

@ -2,7 +2,7 @@ items:
- name: Microsoft Defender Application Guard (MDAG)
href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
- name: MDAG for Edge standalone mode
href: ../../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
href: microsoft-defender-application-guard/md-app-guard-overview.md
- name: MDAG for Edge enterprise mode and enterprise management 🔗
href: /deployedge/microsoft-edge-security-windows-defender-application-guard
- name: MDAG for Microsoft Office
@ -12,9 +12,9 @@ items:
- name: Windows containers 🔗
href: /virtualization/windowscontainers/about
- name: Windows Sandbox
href: ./windows-sandbox/windows-sandbox-overview.md
href: windows-sandbox/windows-sandbox-overview.md
items:
- name: Windows Sandbox architecture
href: ./windows-sandbox/windows-sandbox-architecture.md
href: windows-sandbox/windows-sandbox-architecture.md
- name: Windows Sandbox configuration
href: ./windows-sandbox/windows-sandbox-configure-using-wsb-file.md
href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md

4
windows/security/application-security/index.md
View File

@ -20,5 +20,5 @@ The following table summarizes the Windows security features and capabilities fo
| Security Measures | Features & Capabilities |
|:---|:---|
| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](../threat-protection/windows-defender-application-control/windows-defender-application-control.md) |
| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). |
| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) |
| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md). |
| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-isolation/windows-sandbox/windows-sandbox-overview.md) |

41
windows/security/docfx.json
View File

@ -73,8 +73,11 @@
},
"fileMetadata": {
"author":{
"application-security//**/*.md": "vinaypamnani-msft",
"application-security//**/*.yml": "vinaypamnani-msft",
"application-security/application-control/user-account-control/*.md": "paolomatarazzo",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft",
"hardware-security/**/*.md": "vinaypamnani-msft",
"hardware-security/**/*.yml": "vinaypamnani-msft",
"identity-protection/**/*.md": "paolomatarazzo",
"identity-protection/**/*.yml": "paolomatarazzo",
"operating-system-security/**/*.md": "vinaypamnani-msft",
@ -87,9 +90,12 @@
"operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
},
"ms.author":{
"application-security//**/*.md": "vinpa",
"application-security//**/*.yml": "vinpa",
"application-security/application-control/user-account-control/*.md": "paoloma",
"application-security/application-control/user-account-control/*.yml": "paoloma",
"application-security/application-isolation/windows-sandbox/**/*.md": "vinpa",
"hardware-security//**/*.md": "vinpa",
"hardware-security//**/*.yml": "vinpa",
"identity-protection/**/*.md": "paoloma",
"identity-protection/**/*.yml": "paoloma",
"operating-system-security/**/*.md": "vinpa",
@ -109,7 +115,18 @@
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"application-security/application-isolation/windows-sandbox/**/*.md": [
"application-security//**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
],
"application-security/application-control/user-account-control/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"hardware-security//**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
],
@ -131,13 +148,6 @@
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"identity-protection/user-account-control/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"identity-protection/virtual-smart-cards/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
@ -169,6 +179,13 @@
"operating-system-security/data-protection/personal-data-encryption/*.yml": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
],
"operating-system-security/device-management/windows-security-configuration-framework/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"operating-system-security/network-security/windows-firewall/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
@ -178,12 +195,14 @@
]
},
"ms.reviewer": {
"application-security/application-isolation/microsoft-defender-application-guard/*.md": "sazankha",
"identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
"operating-system-security/network-security/windows-firewall/*.md": "paoloma",
"operating-system-security/network-security/vpn/*.md": "pesmith",
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda"
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
"operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
},
"ms.collection": {
"identity-protection/hello-for-business/*.md": "tier1",

24
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md → windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -1,30 +1,22 @@
---
title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices.
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.author: vinpa
author: vinaypamnani-msft
manager: aaroncz
audience: ITPro
ms.collection:
ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.date: 03/16/2023
ms.reviewer:
ms.technology: itpro-security
appliesto:
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>"
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>"
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
---
# Enable virtualization-based protection of code integrity
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016 or higher
**Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE]
@ -73,7 +65,7 @@ Enabling in Intune requires using the Code Integrity node in the [Virtualization
4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
![Enable memory integrity using Group Policy.](../images/enable-hvci-gp.png)
![Enable memory integrity using Group Policy.](images/enable-hvci-gp.png)
5. Select **Ok** to close the editor.

54
windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md → windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
View File

@ -1,23 +1,16 @@
---
title: How a Windows Defender System Guard helps protect Windows 10
description: Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof. Learn how it works.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
search.appverid: met150
ms.prod: windows-client
title: How a Windows Defender System Guard helps protect Windows
description: Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. Learn how it works.
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 03/01/2019
ms.technology: itpro-security
ms.topic: conceptual
---
# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
# Windows Defender System Guard: How a hardware-based root of trust helps protect Windows
To protect critical resources such as the Windows authentication stack, single sign-on tokens, the Windows Hello biometric stack, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof and sets up the next set of investments in Windows security. It's designed to make these security guarantees:
- Protect and maintain the integrity of the system as it starts up
- Validate that system integrity has truly been maintained through local and remote attestation
@ -29,47 +22,46 @@ Windows Defender System Guard reorganizes the existing Windows 10 system integri
With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
Each option has a drawback:
- A list of known 'bad' SRTM measurements allows a hacker to change just 1 bit in a component to create an entirely new SRTM hash that needs to be listed. This means that the SRTM flow is inherently brittle - a minor change can invalidate the entire chain of trust.
- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
- A list of known 'good' SRTM measurements requires each new BIOS/PC combination measurement to be carefully added, which is slow.
Also, a bug fix for UEFI code can take a long time to design, build, retest, validate, and redeploy.
### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
![System Guard Secure Launch.](images/system-guard-secure-launch.png)
Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly.
### System Management Mode (SMM) protection
System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used:
- Paging protection to prevent inappropriate access to code and data
- SMM hardware supervision and attestation
- Paging protection to prevent inappropriate access to code and data
- SMM hardware supervision and attestation
Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that hasn't been assigned.
Paging protection can be implemented to lock certain code tables to be read-only to prevent tampering. This prevents access to any memory that hasn't been assigned.
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to.
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to.
SMM protection is built on top of the Secure Launch technology and requires it to function.
In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
SMM protection is built on top of the Secure Launch technology and requires it to function.
In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
## Validating platform integrity after Windows is running (run time)
@ -81,7 +73,7 @@ As Windows 10 boots, a series of integrity measurements are taken by Windows Def
After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
[!INCLUDE [windows-defender-system-guard](../../../../includes/licensing/windows-defender-system-guard.md)]
[!INCLUDE [windows-defender-system-guard](../../../includes/licensing/windows-defender-system-guard.md)]
## System requirements for System Guard

0
windows/security/information-protection/images/device-details.png → windows/security/hardware-security/images/device-details.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 38 KiB

0
windows/security/threat-protection/images/enable-hvci-gp.png → windows/security/hardware-security/images/enable-hvci-gp.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 37 KiB

After

Width:  |  Height:  |  Size: 37 KiB

0
windows/security/information-protection/images/kernel-dma-protection-security-center.png → windows/security/hardware-security/images/kernel-dma-protection-security-center.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 130 KiB

After

Width:  |  Height:  |  Size: 130 KiB

0
windows/security/information-protection/images/kernel-dma-protection.png → windows/security/hardware-security/images/kernel-dma-protection.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 82 KiB

0
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-group-policy.png → windows/security/hardware-security/images/secure-launch-group-policy.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 152 KiB

After

Width:  |  Height:  |  Size: 152 KiB

0
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-msinfo.png → windows/security/hardware-security/images/secure-launch-msinfo.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 240 KiB

After

Width:  |  Height:  |  Size: 240 KiB

0
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-registry.png → windows/security/hardware-security/images/secure-launch-registry.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 35 KiB

After

Width:  |  Height:  |  Size: 35 KiB

0
windows/security/threat-protection/windows-defender-system-guard/images/secure-launch-security-app.png → windows/security/hardware-security/images/secure-launch-security-app.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 47 KiB

After

Width:  |  Height:  |  Size: 47 KiB

0
windows/security/threat-protection/windows-defender-system-guard/images/system-guard-secure-launch.png → windows/security/hardware-security/images/system-guard-secure-launch.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 88 KiB

After

Width:  |  Height:  |  Size: 88 KiB

0
windows/security/threat-protection/device-guard/images/system-information-virtualization-based-security.png → windows/security/hardware-security/images/system-information-virtualization-based-security.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 82 KiB

0
windows/security/threat-protection/windows-defender-system-guard/images/windows-defender-system-guard-boot-time-integrity.png → windows/security/hardware-security/images/windows-defender-system-guard-boot-time-integrity.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 46 KiB

After

Width:  |  Height:  |  Size: 46 KiB

13
windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md → windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
View File

@ -1,18 +1,11 @@
---
title: Kernel DMA Protection
description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.collection:
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 03/30/2023
ms.technology: itpro-security
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
---
# Kernel DMA Protection
@ -81,7 +74,7 @@ If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Vir
If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
## Frequently asked questions
@ -129,4 +122,4 @@ The policy can be enabled by using:
[LINK-2]: /windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies
[LINK-3]: /windows-hardware/design/device-experiences/oem-kernel-dma-protection
[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf
[EXT-1]: https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf

23
windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md → windows/security/hardware-security/system-guard-secure-launch-and-smm-protection.md
View File

@ -1,29 +1,14 @@
---
title: System Guard Secure Launch and SMM protection
title: System Guard Secure Launch and SMM protection
description: Explains how to configure System Guard Secure Launch and System Management Mode (SMM protection) to improve the startup security of Windows 10 devices.
search.appverid: met150
ms.prod: windows-client
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.date: 11/30/2021
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.technology: itpro-security
ms.topic: conceptual
---
# System Guard Secure Launch and SMM protection
**Applies to:**
- Windows 11
- Windows 10
This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
This topic explains how to configure [System Guard Secure Launch and System Management Mode (SMM) protection](how-hardware-based-root-of-trust-helps-protect-windows.md) to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
> [!NOTE]
> System Guard Secure Launch feature requires a supported processor. For more information, see [System requirements for System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md#system-requirements-for-system-guard).
@ -54,7 +39,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
![Windows Security app.](images/secure-launch-security-app.png)
### Registry
1. Open Registry editor.
@ -76,7 +61,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
![Verifying Secure Launch is running in the Windows Security app.](images/secure-launch-msinfo.png)
> [!NOTE]
> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../application-security/application-control/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
> [!NOTE]
> For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).

10
windows/security/hardware-security/toc.yml
View File

@ -4,7 +4,7 @@ items:
- name: Hardware root of trust
items:
- name: Windows Defender System Guard
href: ../threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
href: how-hardware-based-root-of-trust-helps-protect-windows.md
- name: Trusted Platform Module
href: ../information-protection/tpm/trusted-platform-module-top-node.md
items:
@ -38,10 +38,10 @@ items:
href: ../information-protection/pluton/pluton-as-tpm.md
- name: Silicon assisted security
items:
- name: Virtualization-based security (VBS)
- name: Virtualization-based security (VBS) 🔗
href: /windows-hardware/design/device-experiences/oem-vbs
- name: Memory integrity (HVCI)
href: ../threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
href: enable-virtualization-based-protection-of-code-integrity.md
- name: Memory integrity and VBS enablement 🔗
href: /windows-hardware/design/device-experiences/oem-hvci-enablement
- name: Hardware-enforced stack protection
@ -49,6 +49,6 @@ items:
- name: Secured-core PC 🔗
href: /windows-hardware/design/device-experiences/oem-highly-secure-11
- name: Kernel Direct Memory Access (DMA) protection
href: ../information-protection/kernel-dma-protection-for-thunderbolt.md
href: kernel-dma-protection-for-thunderbolt.md
- name: System Guard Secure Launch
href: ../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
href: system-guard-secure-launch-and-smm-protection.md

9
windows/security/hardware.md
View File

@ -1,7 +1,7 @@
---
title: Windows hardware security
description: Get an overview of hardware security in Windows 11 and Windows 10
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
author: vinaypamnani-msft
@ -19,8 +19,7 @@ These new threats call for computing hardware that is secure down to the very co
| Security Measures | Features & Capabilities |
|:---|:---|
| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users. <br> A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM. <br><br/> Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). |
| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. <br> Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation. <br><br/> Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). |
| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity. <br> HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system. <br><br/> Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC. <br><br/> Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). |
| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. <br> Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation. <br><br/> Learn more about [How a hardware-based root of trust helps protect Windows](hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](hardware-security/system-guard-secure-launch-and-smm-protection.md). |
| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity. <br> HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system. <br><br/> Learn more: [Enable virtualization-based protection of code integrity](hardware-security/enable-virtualization-based-protection-of-code-integrity.md).
| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC. <br><br/> Learn more about [Kernel DMA Protection](hardware-security/kernel-dma-protection-for-thunderbolt.md). |
| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data. <br><br/> Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data. <br><br/> Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|

2
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -54,7 +54,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. When enabl
1. In the **Credential Guard Configuration** box, select **Enabled with UEFI lock**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md).
1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. For more information, see [System Guard Secure Launch and SMM protection](../../hardware-security/system-guard-secure-launch-and-smm-protection.md).
:::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting.":::

2
windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
View File

@ -62,7 +62,7 @@ If you don't use Intune in your organization, then you can disable Windows Hello
Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account:
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id

2
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -163,7 +163,7 @@ You can configure Windows devices to use the **Microsoft PIN Reset Service** usi
- Value: **True**
>[!NOTE]
> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
> You must replace `TenantId` with the identifier of your Azure Active Directory tenant. To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/how-to-find-tenant) or try the following, ensuring to sign-in with your organization's account::
```msgraph-interactive
GET https://graph.microsoft.com/v1.0/organization?$select=id

2
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision.md
View File

@ -202,7 +202,7 @@ For a list of frequently asked questions about Windows Hello for Business cloud
<!--Links-->
[AZ-2]: /azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
[AZ-3]: /azure/active-directory/fundamentals/active-directory-how-to-find-tenant
[AZ-3]: /azure/active-directory/fundamentals/how-to-find-tenant
[AZ-4]: /azure/active-directory/devices/troubleshoot-device-dsregcmd
[MEM-1]: /mem/intune/protect/identity-protection-windows-settings

Some files were not shown because too many files have changed in this diff Show More