From 15ba2a8464cdc4d9de07a5d6f1c3de8ca39191bf Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 10 Jul 2024 07:34:35 -0400 Subject: [PATCH 01/19] Windows 11 ui update --- .../configuration/start/includes/hide-lock.md | 2 +- .../configuration/start/policy-settings.md | 35 +++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) diff --git a/windows/configuration/start/includes/hide-lock.md b/windows/configuration/start/includes/hide-lock.md index e43dff0cfa..52a8be809e 100644 --- a/windows/configuration/start/includes/hide-lock.md +++ b/windows/configuration/start/includes/hide-lock.md @@ -9,5 +9,5 @@ ms.topic: include | | Path | |--|--| -| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideSignOut](/windows/client-management/mdm/policy-csp-start#hidelock) | +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/Start/`[HideLock](/windows/client-management/mdm/policy-csp-start#hidelock) | | **GPO** | Not available. | diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md index 9dd5437ffc..4000e5d049 100644 --- a/windows/configuration/start/policy-settings.md +++ b/windows/configuration/start/policy-settings.md @@ -132,6 +132,16 @@ Select one of the tabs to see the list of available settings: #### [:::image type="icon" source="../images/icons/user.svg"::: **Account options**](#tab/user) +::: zone pivot="windows-11" +|Policy name| CSP | GPO | +|-|-|-| +|[Hide **Change account settings**](#hide-change-account-settings)|✅|❌| +|[Hide **Sign out**](#hide-sign-out)|✅|✅| +|[Hide **Switch account**](#hide-switch-account)|✅|❌| +|[Hide user tile](#hide-user-tile)|✅|❌| +::: zone-end + +::: zone pivot="windows-10" |Policy name| CSP | GPO | |-|-|-| |[Hide **Change account settings**](#hide-change-account-settings)|✅|❌| @@ -139,9 +149,14 @@ Select one of the tabs to see the list of available settings: |[Hide **Sign out**](#hide-sign-out)|✅|✅| |[Hide **Switch account**](#hide-switch-account)|✅|❌| |[Hide user tile](#hide-user-tile)|✅|❌| +::: zone-end [!INCLUDE [hide-change-account-settings](includes/hide-change-account-settings.md)] + +::: zone pivot="windows-10" [!INCLUDE [hide-lock](includes/hide-lock.md)] +::: zone-end + [!INCLUDE [hide-signout](includes/hide-signout.md)] [!INCLUDE [hide-switch-user](includes/hide-switch-account.md)] [!INCLUDE [hide-switch-user](includes/hide-user-tile.md)] @@ -174,6 +189,21 @@ Select one of the tabs to see the list of available settings: #### [:::image type="icon" source="../images/icons/power.svg"::: **Power options**](#tab/power) + +::: zone pivot="windows-11" +|Policy name| CSP | GPO | +|-|-|-| +|[Hide **Hibernate** ](#hide-hibernate)|✅|❌| +|[Hide **Lock**](#hide-lock)|✅|❌| +|[Hide **Power** button](#hide-power-button)|✅|❌| +|[Hide **Restart**](#hide-restart)|✅|❌| +|[Hide **Shut down**](#hide-shut-down)|✅|❌| +|[Hide **Sleep**](#hide-sleep)|✅|❌| +|[Remove and prevent access to the shut down restart sleep and hibernate commands](#remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands)|❌|✅| +::: zone-end + +::: zone pivot="windows-10" + |Policy name| CSP | GPO | |-|-|-| |[Hide **Hibernate** ](#hide-hibernate)|✅|❌| @@ -183,7 +213,12 @@ Select one of the tabs to see the list of available settings: |[Hide **Sleep**](#hide-sleep)|✅|❌| |[Remove and prevent access to the shut down restart sleep and hibernate commands](#remove-and-prevent-access-to-the-shut-down-restart-sleep-and-hibernate-commands)|❌|✅| +::: zone-end + [!INCLUDE [hide-hibernate](includes/hide-hibernate.md)] +::: zone pivot="windows-11" +[!INCLUDE [hide-lock](includes/hide-lock.md)] +::: zone-end [!INCLUDE [hide-power-button](includes/hide-power-button.md)] [!INCLUDE [hide-restart](includes/hide-restart.md)] [!INCLUDE [hide-shut-down](includes/hide-shut-down.md)] From 52ac86059f6d975c533da6f7c3723cb9e4fd3da6 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 10 Jul 2024 07:34:59 -0400 Subject: [PATCH 02/19] date update --- windows/configuration/start/policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md index 4000e5d049..b9a8351ca5 100644 --- a/windows/configuration/start/policy-settings.md +++ b/windows/configuration/start/policy-settings.md @@ -2,7 +2,7 @@ title: Start policy settings description: Learn about the policy settings to configure the Windows Start menu. ms.topic: reference -ms.date: 04/10/2024 +ms.date: 07/10/2024 appliesto: zone_pivot_groups: windows-versions-11-10 --- From fb135f390739b2e68b904006018be7e6954f9e7d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 11 Jul 2024 13:01:17 -0400 Subject: [PATCH 03/19] updates --- ...ide-entry-points-for-fast-user-switching.md | 18 ++++++++++++++++++ windows/configuration/start/policy-settings.md | 6 +++++- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md diff --git a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md new file mode 100644 index 0000000000..32369ab006 --- /dev/null +++ b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md @@ -0,0 +1,18 @@ +--- +author: paolomatarazzo +ms.author: paoloma +ms.date: 07/11/2024 +ms.topic: include +--- + +### Hide entry points for Fast User Switching + +With this policy setting you can hide the **Switch User** interface in the Logon UI, the Start menu and the Task Manager: + +- If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied +- If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations + +| | Path | +|--|--| +| **CSP** | `./Device/Vendor/MSFT/Policy/Config/WindowsLogon/`[HideFastUserSwitching](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) | +| **GPO** | **User Configuration** > **Administrative Templates** > **Logon** > **Hide entry points for Fast User Switching** | diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md index b9a8351ca5..7a84522c4a 100644 --- a/windows/configuration/start/policy-settings.md +++ b/windows/configuration/start/policy-settings.md @@ -148,6 +148,7 @@ Select one of the tabs to see the list of available settings: |[Hide **Lock**](#hide-lock)|✅|❌| |[Hide **Sign out**](#hide-sign-out)|✅|✅| |[Hide **Switch account**](#hide-switch-account)|✅|❌| +|[Hide entry points for Fast User Switching](#hide-entry-points-for-fast-user-switching)|✅|✅| |[Hide user tile](#hide-user-tile)|✅|❌| ::: zone-end @@ -159,7 +160,10 @@ Select one of the tabs to see the list of available settings: [!INCLUDE [hide-signout](includes/hide-signout.md)] [!INCLUDE [hide-switch-user](includes/hide-switch-account.md)] -[!INCLUDE [hide-switch-user](includes/hide-user-tile.md)] +::: zone pivot="windows-10" +[!INCLUDE [hide-lock](includes/hide-entry-points-for-fast-user-switching.md)] +::: zone-end +[!INCLUDE [hide-user-tile](includes/hide-user-tile.md)] #### [:::image type="icon" source="../images/icons/folder.svg"::: **Pinned folders**](#tab/folders) From abd0adf750c465154092a350ac03994f606dbce4 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 11 Jul 2024 13:09:31 -0400 Subject: [PATCH 04/19] chore: Update wording in hide-entry-points-for-fast-user-switching.md --- .../includes/hide-entry-points-for-fast-user-switching.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md index 32369ab006..720fd5d721 100644 --- a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md +++ b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md @@ -7,10 +7,10 @@ ms.topic: include ### Hide entry points for Fast User Switching -With this policy setting you can hide the **Switch User** interface in the Logon UI, the Start menu and the Task Manager: +With this policy setting you can hide the **Switch User** interface from the sign in screen, the Start menu, and the Task Manager: -- If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied -- If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations +- If enabled, the **Switch User** option is hidden +- If disabled or not configured, the **Switch User** option is available to the user in the three locations | | Path | |--|--| From 91ae797ae8c766f1ab0e3f51f28a8dc992147f9e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 11 Jul 2024 13:45:28 -0400 Subject: [PATCH 05/19] chore: Update wording in hide-entry-points-for-fast-user-switching.md --- .../includes/hide-entry-points-for-fast-user-switching.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md index 720fd5d721..807451ecc4 100644 --- a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md +++ b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md @@ -10,9 +10,11 @@ ms.topic: include With this policy setting you can hide the **Switch User** interface from the sign in screen, the Start menu, and the Task Manager: - If enabled, the **Switch User** option is hidden -- If disabled or not configured, the **Switch User** option is available to the user in the three locations +- If disabled or not configured, the **Switch User** option is available to the user in the sign in screen, the Start menu, and the Task Manager | | Path | |--|--| | **CSP** | `./Device/Vendor/MSFT/Policy/Config/WindowsLogon/`[HideFastUserSwitching](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) | | **GPO** | **User Configuration** > **Administrative Templates** > **Logon** > **Hide entry points for Fast User Switching** | + +To learn more, see [Fast User Switching](/windows/win32/shell/fast-user-switching). From 730760c67cc48be893f6bfa7e1e2ca89b3ced41e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 11 Jul 2024 17:21:55 -0400 Subject: [PATCH 06/19] update --- .../includes/hide-entry-points-for-fast-user-switching.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md index 807451ecc4..412516a39f 100644 --- a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md +++ b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md @@ -7,10 +7,10 @@ ms.topic: include ### Hide entry points for Fast User Switching -With this policy setting you can hide the **Switch User** interface from the sign in screen, the Start menu, and the Task Manager: +With this policy setting you can hide the list of user accounts from the sign in screen, the Start menu, and the Task Manager: -- If enabled, the **Switch User** option is hidden -- If disabled or not configured, the **Switch User** option is available to the user in the sign in screen, the Start menu, and the Task Manager +- If enabled, the list of signed in users is hidden +- If disabled or not configured, the list of currently signed in users is available in the sign in screen, the Start menu, and the Task Manager | | Path | |--|--| From 3103b7c5beca03e347afd82b52cde2a1b9142e1f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 12 Jul 2024 10:50:44 -0400 Subject: [PATCH 07/19] chore: Update wording in hide-entry-points-for-fast-user-switching.md --- .../includes/hide-entry-points-for-fast-user-switching.md | 8 ++++---- .../{hide-switch-account.md => hide-switch-user.md} | 7 ++++++- windows/configuration/start/policy-settings.md | 6 +++--- 3 files changed, 13 insertions(+), 8 deletions(-) rename windows/configuration/start/includes/{hide-switch-account.md => hide-switch-user.md} (53%) diff --git a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md index 412516a39f..7510bc272f 100644 --- a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md +++ b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md @@ -7,14 +7,14 @@ ms.topic: include ### Hide entry points for Fast User Switching -With this policy setting you can hide the list of user accounts from the sign in screen, the Start menu, and the Task Manager: +With this policy setting you can prevent multiple users to sign in at the same time, using the Fast User Switching feature. -- If enabled, the list of signed in users is hidden -- If disabled or not configured, the list of currently signed in users is available in the sign in screen, the Start menu, and the Task Manager +- If enabled, only one user can sign in at a time. The list of local users and currently signed in users is hidden from the sign in screen, the Start menu, and the Task Manager. If multiple users want to sign in, the current user must sign out first +- If disabled or not configured, multiple users can sign in at the same time. The list of local users and currently signed in users is available in the sign in screen, the Start menu, and the Task Manager. The current user doesn't have to sign out to allow another user to sign in | | Path | |--|--| | **CSP** | `./Device/Vendor/MSFT/Policy/Config/WindowsLogon/`[HideFastUserSwitching](/windows/client-management/mdm/policy-csp-windowslogon#hidefastuserswitching) | -| **GPO** | **User Configuration** > **Administrative Templates** > **Logon** > **Hide entry points for Fast User Switching** | +| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **Logon** > **Hide entry points for Fast User Switching** | To learn more, see [Fast User Switching](/windows/win32/shell/fast-user-switching). diff --git a/windows/configuration/start/includes/hide-switch-account.md b/windows/configuration/start/includes/hide-switch-user.md similarity index 53% rename from windows/configuration/start/includes/hide-switch-account.md rename to windows/configuration/start/includes/hide-switch-user.md index 5bbe1c5e7a..49188235e2 100644 --- a/windows/configuration/start/includes/hide-switch-account.md +++ b/windows/configuration/start/includes/hide-switch-user.md @@ -5,7 +5,12 @@ ms.date: 04/10/2024 ms.topic: include --- -### Hide Switch account +### Hide Switch user + +With this policy setting you can hide the **Switch user** option from the user tile in the start menu: + +- If enabled, the **Switch user** option is hidden +- If disabled or not configured, the **Switch user** option is available | | Path | |--|--| diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md index 7a84522c4a..fb6ea5fa62 100644 --- a/windows/configuration/start/policy-settings.md +++ b/windows/configuration/start/policy-settings.md @@ -137,7 +137,7 @@ Select one of the tabs to see the list of available settings: |-|-|-| |[Hide **Change account settings**](#hide-change-account-settings)|✅|❌| |[Hide **Sign out**](#hide-sign-out)|✅|✅| -|[Hide **Switch account**](#hide-switch-account)|✅|❌| +|[Hide **Switch user**](#hide-switch-user)|✅|❌| |[Hide user tile](#hide-user-tile)|✅|❌| ::: zone-end @@ -147,7 +147,7 @@ Select one of the tabs to see the list of available settings: |[Hide **Change account settings**](#hide-change-account-settings)|✅|❌| |[Hide **Lock**](#hide-lock)|✅|❌| |[Hide **Sign out**](#hide-sign-out)|✅|✅| -|[Hide **Switch account**](#hide-switch-account)|✅|❌| +|[Hide **Switch user**](#hide-switch-user)|✅|❌| |[Hide entry points for Fast User Switching](#hide-entry-points-for-fast-user-switching)|✅|✅| |[Hide user tile](#hide-user-tile)|✅|❌| ::: zone-end @@ -159,7 +159,7 @@ Select one of the tabs to see the list of available settings: ::: zone-end [!INCLUDE [hide-signout](includes/hide-signout.md)] -[!INCLUDE [hide-switch-user](includes/hide-switch-account.md)] +[!INCLUDE [hide-switch-user](includes/hide-switch-user.md)] ::: zone pivot="windows-10" [!INCLUDE [hide-lock](includes/hide-entry-points-for-fast-user-switching.md)] ::: zone-end From 767d4a34f13c414fd7aa92f720f99a3632c87c6a Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 12 Jul 2024 10:53:08 -0400 Subject: [PATCH 08/19] chore: Hide entry points for Fast User Switching --- windows/configuration/start/policy-settings.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/configuration/start/policy-settings.md b/windows/configuration/start/policy-settings.md index fb6ea5fa62..5d0b4b6bf0 100644 --- a/windows/configuration/start/policy-settings.md +++ b/windows/configuration/start/policy-settings.md @@ -138,6 +138,7 @@ Select one of the tabs to see the list of available settings: |[Hide **Change account settings**](#hide-change-account-settings)|✅|❌| |[Hide **Sign out**](#hide-sign-out)|✅|✅| |[Hide **Switch user**](#hide-switch-user)|✅|❌| +|[Hide entry points for Fast User Switching](#hide-entry-points-for-fast-user-switching)|✅|✅| |[Hide user tile](#hide-user-tile)|✅|❌| ::: zone-end @@ -160,9 +161,7 @@ Select one of the tabs to see the list of available settings: [!INCLUDE [hide-signout](includes/hide-signout.md)] [!INCLUDE [hide-switch-user](includes/hide-switch-user.md)] -::: zone pivot="windows-10" [!INCLUDE [hide-lock](includes/hide-entry-points-for-fast-user-switching.md)] -::: zone-end [!INCLUDE [hide-user-tile](includes/hide-user-tile.md)] #### [:::image type="icon" source="../images/icons/folder.svg"::: **Pinned folders**](#tab/folders) From 2301d4f39056d57360ae8ce0083081874d41a5ee Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 15 Jul 2024 17:44:46 -0400 Subject: [PATCH 09/19] Update Fast User Switching entry points description --- .../includes/hide-entry-points-for-fast-user-switching.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md index 7510bc272f..ec07566ed5 100644 --- a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md +++ b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md @@ -9,8 +9,8 @@ ms.topic: include With this policy setting you can prevent multiple users to sign in at the same time, using the Fast User Switching feature. -- If enabled, only one user can sign in at a time. The list of local users and currently signed in users is hidden from the sign in screen, the Start menu, and the Task Manager. If multiple users want to sign in, the current user must sign out first -- If disabled or not configured, multiple users can sign in at the same time. The list of local users and currently signed in users is available in the sign in screen, the Start menu, and the Task Manager. The current user doesn't have to sign out to allow another user to sign in +- If enabled, only one user can sign in at a time. The Fast User Switching entry points are hidden from the sign-in screen, the Start menu, and the Task Manager. If multiple users want to sign in, the current user must sign out first +- If disabled or not configured, multiple users can sign in at the same time. The Fast User Switching entry points are availabe from the sign-in screen, the Start menu, and the Task Manager. The current user doesn't have to sign out to allow another user to sign in | | Path | |--|--| From ea7233f0100a4ff848f7fbeafe825d468b9fb877 Mon Sep 17 00:00:00 2001 From: Sandeep Deo <38295759+SanDeo-MSFT@users.noreply.github.com> Date: Thu, 18 Jul 2024 09:48:00 -0700 Subject: [PATCH 10/19] Update recovery-process.md --- .../data-protection/bitlocker/recovery-process.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md index 28cbcd8d4a..b2d83e651b 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md @@ -2,7 +2,7 @@ title: BitLocker recovery process description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive. ms.topic: how-to -ms.date: 07/08/2024 +ms.date: 07/18/2024 --- # BitLocker recovery process @@ -72,7 +72,7 @@ The following list can be used as a template for creating a recovery process for There are a few Microsoft Entra ID roles that allow a delegated administrator to read BitLocker recovery passwords from the devices in the tenant. While it's common for organizations to use the existing Microsoft Entra ID *[Cloud Device Administrator][ENTRA-2]* or *[Helpdesk Administrator][ENTRA-3]* built-in roles, you can also [create a custom role][ENTRA-5], delegating access to BitLocker keys using the `microsoft.directory/bitlockerKeys/key/read` permission. Roles can be delegated to access BitLocker recovery passwords for devices in specific Administrative Units. > [!NOTE] -> When devices including [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user). +> When devices that utilize [Windows Autopilot](/mem/autopilot/windows-autopilot) are reused to join to Entra, **and there is a new device owner**, that new device owner must contact an administrator to acquire the BitLocker recovery key for that device. Custom role or administrative unit scoped administrators will lose access to BitLocker recovery keys for those devices that have undergone device ownership changes. These scoped administrators will need to contact a non-scoped administrator for the recovery keys. For more information, see the article [Find the primary user of an Intune device](/mem/intune/remote-actions/find-primary-user#change-a-devices-primary-user). The [Microsoft Entra admin center][ENTRA] allows administrators to retrieve BitLocker recovery passwords. To learn more about the process, see [View or copy BitLocker keys][ENTRA-4]. Another option to access BitLocker recovery passwords is to use the Microsoft Graph API, which might be useful for integrated or scripted solutions. For more information about this option, see [Get bitlockerRecoveryKey][GRAPH-1]. From add1d6dbb1d2de05c7638a7f8e3e270fb5b2f42d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 22 Jul 2024 08:16:40 -0700 Subject: [PATCH 11/19] Replace second-level enumerators (a, b, c) with automatic numbering Second-level list items don't get proper hanging indentation unless they rely on automatic numbering (1, 1, 1). If we instead have a, b, c, etc. in Markdown, indentation is not correct. --- .../test-scenarios-md-app-guard.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 8e457f7603..db694768cc 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -47,17 +47,17 @@ Before you can use Application Guard in managed mode, you must install Windows 1 3. Set up the Network Isolation settings in Group Policy: - a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**. + 1. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**. - b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. + 1. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting. - c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. + 1. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. ![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png) - d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. + 1. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. - e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. + 1. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. ![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png) From 846d3b88d20892ccb014806f09813c520bd81c6f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 22 Jul 2024 08:18:37 -0700 Subject: [PATCH 12/19] Correct indentation of images in list items --- .../test-scenarios-md-app-guard.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index db694768cc..37a32b008c 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -26,8 +26,8 @@ You can see how an employee would use standalone mode with Application Guard. 3. Wait for Application Guard to set up the isolated environment. - >[!NOTE] - >Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. + > [!NOTE] + > Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays. 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues. @@ -53,13 +53,13 @@ Before you can use Application Guard in managed mode, you must install Windows 1 1. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box. - ![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png) + ![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png) 1. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting. 1. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box. - ![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png) + ![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png) 4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting. @@ -67,8 +67,8 @@ Before you can use Application Guard in managed mode, you must install Windows 1 ![Group Policy editor with Turn On/Off setting.](images/appguard-gp-turn-on.png) - >[!NOTE] - >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. + > [!NOTE] + > Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario. 6. Start Microsoft Edge and type `https://www.microsoft.com`. From deebe1925534a39de0686438eea3d607f4f5cb69 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 22 Jul 2024 08:20:58 -0700 Subject: [PATCH 13/19] Add blank lines between elements for consistent layout --- .../test-scenarios-md-app-guard.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 37a32b008c..275a28dd9e 100644 --- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -230,10 +230,13 @@ Once a user has the extension and its companion app installed on their enterpris 1. Open either Firefox or Chrome, whichever browser you have the extension installed on. 2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded. + ![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png) 3. Navigate to a nonenterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge. + ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png) -4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window** +4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**. + ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png) From 5cb22dcc7a2ab5b14bd7ca11517d0067678e47fb Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 22 Jul 2024 12:37:55 -0400 Subject: [PATCH 14/19] Update Universal Print data handling link --- .../book/cloud-services-protect-your-work-information.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/cloud-services-protect-your-work-information.md b/windows/security/book/cloud-services-protect-your-work-information.md index 789ac396b8..97aafdbec1 100644 --- a/windows/security/book/cloud-services-protect-your-work-information.md +++ b/windows/security/book/cloud-services-protect-your-work-information.md @@ -232,7 +232,7 @@ Universal Print has integrated with Administrative Units in Microsoft Entra ID t :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Universal Print](https://www.microsoft.com/microsoft-365/windows/universal-print) -- [Data storage in Universal Print](/universal-print/fundamentals/universal-print-encryption) +- [Data handling in Universal Print](/universal-print/data-handling) - [Delegate Printer Administration with Administrative Units](/universal-print/portal/delegated-admin) For customers who want to stay on Print Servers, we recommend using the Microsoft IPP Print driver. For features beyond what's covered in the standard IPP driver, use Print Support Applications (PSA) for Windows from the respective printer OEM. From 6877f31032f768a55178bf889ccfc1fafa7ee15c Mon Sep 17 00:00:00 2001 From: "Daniel H. Brown" <32883970+DHB-MSFT@users.noreply.github.com> Date: Mon, 22 Jul 2024 10:45:38 -0700 Subject: [PATCH 15/19] Fix broken link to ESC content --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 3566b7a050..ce375a294b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -425,7 +425,7 @@ To turn off Insider Preview builds for Windows 10 and Windows 11: ### 8. Internet Explorer > [!NOTE] -> When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](/troubleshoot/browsers/enhanced-security-configuration-faq). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings: +> When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](/previous-versions/troubleshoot/browsers/security-privacy/enhanced-security-configuration-faq). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings: | Policy | Description | |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| From e403e0bd0e351f63f9a83a993e03a5f22b72eb01 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 22 Jul 2024 14:50:07 -0400 Subject: [PATCH 16/19] Update Windows security introduction --- windows/security/introduction.md | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/windows/security/introduction.md b/windows/security/introduction.md index 073a4309b9..53edc2cc2c 100644 --- a/windows/security/introduction.md +++ b/windows/security/introduction.md @@ -1,24 +1,17 @@ --- title: Introduction to Windows security description: System security book. -ms.date: 09/01/2023 -ms.topic: tutorial +ms.date: 07/22/2024 +ms.topic: overview ms.author: paoloma -ms.collection: - - essentials-security -content_well_notification: - - AI-contribution author: paolomatarazzo -appliesto: - - ✅ Windows 11 -ai-usage: ai-assisted --- # Introduction to Windows security The acceleration of digital transformation and the expansion of both remote and hybrid work brings new opportunities to organizations, communities, and individuals. This expansion introduces new threats and risks. -Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the [security baselines](operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md) with new requirements for advanced hardware and software protection that extends from chip to cloud. +Organizations worldwide are adopting a **Zero Trust** security model based on the premise that no person or device anywhere can have access until safety and integrity is proven. Windows 11 is built on Zero Trust principles to enable hybrid productivity and new experiences anywhere, without compromising security. Windows 11 raises the security baselines with new requirements for advanced hardware and software protection that extends from chip to cloud. ## How Windows 11 enables Zero Trust protection @@ -44,11 +37,11 @@ In Windows 11, hardware and software work together to protect the operating syst To help keep personal and business information protected and private, Windows 11 has multiple layers of application security that safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need. -In Windows 11, [Microsoft Defender Application Guard](/windows-hardware/design/device-experiences/oem-app-guard) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone. +In Windows 11, [Microsoft Defender Application Guard](application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md) uses Hyper-V virtualization technology to isolate untrusted websites and Microsoft Office files in containers, separate from and unable to access the host operating system and enterprise data. To protect privacy, Windows 11 also provides more controls over which apps and features can collect and use data such as the device's location, or access resources like camera and microphone. ### Secured identities -Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) for passwordless authentication. +Passwords have been an important part of digital security for a long time, and they're also a top target for cybercriminals. Windows 11 provides powerful protection against credential theft with chip-level hardware security. Credentials are protected by layers of hardware and software security such as [TPM 2.0](information-protection/tpm/trusted-platform-module-overview.md), [VBS](/windows-hardware/design/device-experiences/oem-vbs), and/or [Credential Guard](identity-protection/credential-guard/index.md), making it harder for attackers to steal credentials from a device. With [Windows Hello for Business](identity-protection/hello-for-business/index.md), users can quickly sign in with face, fingerprint, or PIN for passwordless protection. Windows 11 also supports [FIDO2 security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) and [passkeys](identity-protection/passkeys/index.md) for passwordless authentication. ### Connecting to cloud services @@ -58,4 +51,4 @@ Microsoft offers comprehensive cloud services for identity, storage, and access To learn more about the security features included in Windows 11, read the [Windows 11 Security Book](book/index.md). - + From e2e86743558a5a846d2cfc68d77a2ca735d38b92 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 22 Jul 2024 14:53:53 -0400 Subject: [PATCH 17/19] Update Windows 11 version in education/windows/index.yml and fix date in windows/security/operating-system-security/data-protection/encrypted-hard-drive.md --- education/windows/index.yml | 6 +++--- .../data-protection/encrypted-hard-drive.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/education/windows/index.yml b/education/windows/index.yml index 0cd20e659d..1c2008d3c9 100644 --- a/education/windows/index.yml +++ b/education/windows/index.yml @@ -12,16 +12,16 @@ metadata: author: paolomatarazzo ms.author: paoloma manager: aaroncz - ms.date: 10/30/2023 + ms.date: 07/22/2024 highlightedContent: items: - title: Get started with Windows 11 SE itemType: get-started url: windows-11-se-overview.md - - title: Windows 11, version 22H2 + - title: Windows 11, version 23H2 itemType: whats-new - url: /windows/whats-new/whats-new-windows-11-version-22H2 + url: /windows/whats-new/whats-new-windows-11-version-23h2 - title: Explore all Windows trainings and learning paths for IT pros itemType: learn url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator diff --git a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md index 368b0d1c10..61a6b9a820 100644 --- a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md +++ b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md @@ -1,7 +1,7 @@ --- title: Encrypted hard drives description: Learn how encrypted hard drives use the rapid encryption that is provided by BitLocker to enhance data security and management. -ms.date: 10/18/2023 +ms.date: 07/22/2024 ms.topic: concept-article --- @@ -75,7 +75,7 @@ To configure encrypted hard drives as startup drives, use the same methods as st There are three policy settings to manage how BitLocker uses hardware-based encryption and which encryption algorithms to use. If these settings aren't configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: -- [Configure use of hardware-based encryption for fixed data drives](bitlocker/configure.md?tabs=fixed#configure-use-of-hardware-based-encryption-for-fixed-data-drives) +- [Configure use of hardware-based encryption for fixed data drives](bitlocker/configure.md?tabs=fixed#configure-use-of-hardware-based-encryption-for-fixed-data-drives) - [Configure use of hardware-based encryption for removable data drives](bitlocker/configure.md?tabs=removable#configure-use-of-hardware-based-encryption-for-removable-data-drives) - [Configure use of hardware-based encryption for operating system drives](bitlocker/configure.md?tabs=os#configure-use-of-hardware-based-encryption-for-operating-system-drives) From 883b3902f6ae9db6fc4c7bd0f504a780dce3dd29 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 22 Jul 2024 14:55:25 -0400 Subject: [PATCH 18/19] Update education index.yml with new date --- education/index.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/education/index.yml b/education/index.yml index adc8d30041..1da8d77fdb 100644 --- a/education/index.yml +++ b/education/index.yml @@ -8,7 +8,7 @@ metadata: title: Microsoft 365 Education Documentation description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers. ms.topic: hub-page - ms.date: 11/06/2023 + ms.date: 07/22/2024 productDirectory: title: For IT admins From a9450b5e08bd7fe2b68ce449e1dd4d68ee22b452 Mon Sep 17 00:00:00 2001 From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com> Date: Tue, 23 Jul 2024 17:54:26 +0530 Subject: [PATCH 19/19] Pencil edit --- .../start/includes/hide-entry-points-for-fast-user-switching.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md index ec07566ed5..a914eb1c31 100644 --- a/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md +++ b/windows/configuration/start/includes/hide-entry-points-for-fast-user-switching.md @@ -10,7 +10,7 @@ ms.topic: include With this policy setting you can prevent multiple users to sign in at the same time, using the Fast User Switching feature. - If enabled, only one user can sign in at a time. The Fast User Switching entry points are hidden from the sign-in screen, the Start menu, and the Task Manager. If multiple users want to sign in, the current user must sign out first -- If disabled or not configured, multiple users can sign in at the same time. The Fast User Switching entry points are availabe from the sign-in screen, the Start menu, and the Task Manager. The current user doesn't have to sign out to allow another user to sign in +- If disabled or not configured, multiple users can sign in at the same time. The Fast User Switching entry points are available from the sign-in screen, the Start menu, and the Task Manager. The current user doesn't have to sign out to allow another user to sign in | | Path | |--|--|