✔️ If there are specific installation-type apps you want to enable, then work with Microsoft to get them enabled. For more information, see [Add your own apps](#add-your-own-apps) (in this article). | +The following table lists all the applications included in Windows 11 SE and the pinning to either the Start menu or to the taskbar. -### Add your own apps +| App name | App type | Pinned to Start? | Pinned to taskbar? | +|:-----------------------------|:--------:|:----------------:|:------------------:| +| Alarm & Clock | UWP | | | +| Calculator | UWP | ✅ | | +| Camera | UWP | ✅ | | +| Microsoft Edge | Win32 | ✅ | ✅ | +| Excel | Win32 | ✅ | | +| Feedback Hub | UWP | | | +| File Explorer | Win32 | | ✅ | +| FlipGrid | PWA | | | +| Get Help | UWP | | | +| Media Player | UWP | ✅ | | +| Maps | UWP | | | +| Minecraft: Education Edition | UWP | | | +| Movies & TV | UWP | | | +| News | UWP | | | +| Notepad | Win32 | | | +| OneDrive | Win32 | | | +| OneNote | Win32 | ✅ | | +| Outlook | PWA | ✅ | | +| Paint | Win32 | ✅ | | +| Photos | UWP | | | +| PowerPoint | Win32 | ✅ | | +| Settings | UWP | ✅ | | +| Snip & Sketch | UWP | | | +| Sticky Notes | UWP | | | +| Teams | Win32 | ✅ | | +| To Do | UWP | | | +| Whiteboard | UWP | ✅ | | +| Word | Win32 | ✅ | | -If the apps you need aren't shown in the [available apps list](#available-apps) (in this article), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. +## Available applications + +The following applications can also run on Windows 11 SE, and can be deployed using Intune for Education. For more information, see [Configure applications with Microsoft Intune][EDUWIN-1] + +| Application | Supported version | App Type | Vendor | +|-----------------------------------------|-------------------|----------|------------------------------| +| AirSecure | 8.0.0 | Win32 | AIR | +| Alertus Desktop | 5.4.44.0 | Win32 | Alertus technologies | +| Brave Browser | 1.34.80 | Win32 | Brave | +| Bulb Digital Portfolio | 0.0.7.0 | Store | Bulb | +| CA Secure Browser | 14.0.0 | Win32 | Cambium Development | +| Cisco Umbrella | 3.0.110.0 | Win32 | Cisco | +| CKAuthenticator | 3.6 | Win32 | Content Keeper | +| Class Policy | 114.0.0 | Win32 | Class Policy | +| Classroom.cloud | 1.40.0004 | Win32 | NetSupport | +| CoGat Secure Browser | 11.0.0.19 | Win32 | Riverside Insights | +| Dragon Professional Individual | 15.00.100 | Win32 | Nuance Communications | +| DRC INSIGHT Online Assessments | 12.0.0.0 | Store | Data recognition Corporation | +| Duo from Cisco | 2.25.0 | Win32 | Cisco | +| e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking | +| eTests | 4.0.25 | Win32 | CASAS | +| FortiClient | 7.2.0.4034+ | Win32 | Fortinet | +| Free NaturalReader | 16.1.2 | Win32 | Natural Soft | +| Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd | +| GoGuardian | 1.4.4 | Win32 | GoGuardian | +| Google Chrome | 102.0.5005.115 | Win32 | Google | +| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education | +| Immunet | 7.5.0.20795 | Win32 | Immunet | +| Impero Backdrop Client | 4.4.86 | Win32 | Impero Software | +| JAWS for Windows | 2022.2112.24 | Win32 | Freedom Scientific | +| Kite Student Portal | 8.0.3.0 | Win32 | Dynamic Learning Maps | +| Kortext | 2.3.433.0 | Store | Kortext | +| Kurzweil 3000 Assistive Learning | 20.13.0000 | Win32 | Kurzweil Educational Systems | +| LanSchool Classic | 9.1.0.46 | Win32 | Stoneware, Inc. | +| LanSchool Air | 2.0.13312 | Win32 | Stoneware, Inc. | +| Lightspeed Smart Agent | 1.9.1 | Win32 | Lightspeed Systems | +| MetaMoJi ClassRoom | 3.12.4.0 | Store | MetaMoJi Corporation | +| Microsoft Connect | 10.0.22000.1 | Store | Microsoft | +| Mozilla Firefox | 99.0.1 | Win32 | Mozilla | +| NAPLAN | 2.5.0 | Win32 | NAP | +| Netref Student | 22.2.0 | Win32 | NetRef | +| NetSupport Manager | 12.01.0014 | Win32 | NetSupport | +| NetSupport Notify | 5.10.1.215 | Win32 | NetSupport | +| NetSupport School | 14.00.0011 | Win32 | NetSupport | +| NextUp Talker | 1.0.49 | Win32 | NextUp Technologies | +| NonVisual Desktop Access | 2021.3.1 | Win32 | NV Access | +| NWEA Secure Testing Browser | 5.4.356.0 | Win32 | NWEA | +| Pearson TestNav | 1.10.2.0 | Store | Pearson | +| Questar Secure Browser | 4.8.3.376 | Win32 | Questar, Inc | +| ReadAndWriteForWindows | 12.0.60.0 | Win32 | Texthelp Ltd. | +| Remote Desktop client (MSRDC) | 1.2.3213.0 | Win32 | Microsoft | +| Remote Help | 3.8.0.12 | Win32 | Microsoft | +| Respondus Lockdown Browser | 2.0.9.00 | Win32 | Respondus | +| Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | +| Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | +| SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | +| Zoom | 5.9.1 (2581) | Win32 | Zoom | +| ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific | +| ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific | + +## Add your own applications + +If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account. Microsoft reviews every app request to make sure each app meets the following requirements: -- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more. - -- Apps must be in one of the following app categories: - - Content Filtering apps - - Test Taking solutions +- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more +- Apps must be in one of the following app categories: + - Content Filtering apps + - Test Taking solutions - Assistive technologies - - Classroom communication apps + - Classroom communication apps - Essential diagnostics, management, and supportability apps - -- Apps must meet the performance [requirements of Windows 11](/windows/whats-new/windows-11-requirements). - +- Apps must meet the performance [requirements of Windows 11][WIN-1] - Apps must meet the following security requirements: - - All app binaries are code-signed. - - All files include the `OriginalFileName` in the resource file header. - - All kernel drivers are WHQL-signed. - -- Apps don't have an equivalent web application. - -- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE. + - All app binaries are code-signed + - All files include the `OriginalFileName` in the resource file header + - All kernel drivers are WHQL-signed +- Apps don't have an equivalent web application +- Apps can't invoke any processes that can be used to jailbreak a device, automate jailbreaks, or present a security risk. For example, processes such as Reg.exe, CBE.exe, CMD.exe, and KD.exe are blocked on Windows 11 SE If the app meets the requirements, Microsoft works with the Independent Software Vendor (ISV) to test the app, and make sure the app works as expected on Windows 11 SE. -When the app is ready, Microsoft will update you. Then, you add the app to the [Intune for Education portal](https://intuneeducation.portal.azure.com), and [assign](/intune-education/assign-apps) it to your Windows 11 SE devices. +When the app is ready, Microsoft will update you. Then, you add the app to the Intune for Education portal, and assign it to your Windows 11 SE devices. -For more information on Intune requirements for adding education apps, see [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview). - -### 0x87D300D9 error with an app - -When you deploy an app using Intune for Education, you may get a `0x87D300D9` error code with a `Failed` state in the [Intune for Education portal](https://intuneeducation.portal.azure.com). If you have an app that fails with this error, then: - -- Make sure the app is on the [available apps list](#available-apps) (in this article). Or, make sure your app is [approved for Windows 11 SE](#add-your-own-apps) (in this article). -- If the app is approved, then it's possible the app is packaged wrong. For more information, see [Add your own apps](#add-your-own-apps) (in this article) and [Manage devices running Windows 11 SE](/intune-education/windows-11-se-overview). -- If the app isn't approved, then it won't run on Windows 11 SE. To get apps approved, see [Add your own apps](#add-your-own-apps) (in this article). Or, use an app that runs in a web browser, such as a web app or PWA. +For more information on Intune requirements for adding education apps, see [Configure applications with Microsoft Intune][EDUWIN-1]. ## Related articles -- [Use Intune for Education to manage devices running Windows 11 SE](/intune-education/windows-11-se-overview) +- [Tutorial: deploy and manage Windows devices in a school][EDUWIN-2] + +[INT-1]: /intune-education/what-is-intune-for-education + +[EDUWIN-1]: /education/windows/tutorial-school-deployment/configure-device-apps +[EDUWIN-2]: /education/windows/tutorial-school-deployment/ + +[WIN-1]: /windows/whats-new/windows-11-requirements diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index e654aff272..92038f93e9 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -8,7 +8,7 @@ ms.pagetype: mobile ms.collection: education author: paolomatarazzo ms.author: paoloma -ms.date: 08/10/2022 +ms.date: 09/12/2022 ms.reviewer: manager: aaroncz appliesto: @@ -17,7 +17,7 @@ appliesto: # Windows 11 SE for Education settings list -Windows 11 SE automatically configures settings and features in the operating system. These settings use the Configuration Service Provider (CSPs) provided by Microsoft. You can use an MDM provider to configure these settings. +Windows 11 SE automatically configures certain settings and features in the operating system. You can use Microsoft Intune to customize these settings. This article lists the settings automatically configured. For more information on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). @@ -25,26 +25,26 @@ This article lists the settings automatically configured. For more information o The following table lists and describes the settings that can be changed by administrators. -| Setting | Description | -| --- | --- | -| Block manual unenrollment | Default: Blocked
Users can't unenroll their devices from device management services.
[Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) | -| Allow option to Show Network | Default: Allowed
Gives users the option to see the **Show Network** folder in File Explorer. | -| Allow option to Show This PC | Default: Allowed
Gives user the option to see the **Show This PC** folder in File Explorer. | -| Set Allowed Folder location | Default folders: Documents, Desktop, Pictures, and Downloads
Gives user access to these folders. | -| Set Allowed Storage Locations | Default: Blocks local drives and network drives
Blocks user access to these storage locations. | -| Allow News and Interests | Default: Hide
Hides widgets. | -| Disable advertising ID | Default: Disabled
Blocks apps from using usage data to tailor advertisements.
[Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | -| Visible settings pages | Default:
| -| Enable App Install Control | Default: Turned On
Users can't download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)| -| Configure Storage Sense Cloud Content Dehydration Threshold | Default: 30 days
If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
[Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) | -| Allow Telemetry | Default: Required Telemetry Only
Sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.
[System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | -| Allow Experimentation | Default: Disabled
Microsoft can't experiment with the product to study user preferences or device behavior.
[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) | -| Block external extensions | Default: Blocked
In Microsoft Edge, users can't install external extensions.
[BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) | -| Configure new tab page | Default: `Office.com`
In Microsoft Edge, the new tab page defaults to `Office.com`.
[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) | -| Configure homepage | Default: `Office.com`
In Microsoft Edge, the homepage defaults to `Office.com`.
[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) | -| Prevent SmartScreen prompt override | Default: Enabled
In Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) | -| Wallpaper Image Customization | Default:
Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) | -| Lock Screen Image Customization | Default:
Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) | +| Setting | Description | Default Value | +| --- | --- | --- | +| Block manual unenrollment | When blocked, users can't unenroll their devices from device management services.
[Experience/AllowManualMDMUnenrollment CSP](/windows/client-management/mdm/policy-csp-experience#experience-allowmanualmdmunenrollment) | Blocked | +| Allow option to Show Network | When allowed, it gives users the option to see the **Show Network** folder in File Explorer. | Allowed | +| Allow option to Show This PC | When allowed, it gives users the option to see the **Show This PC** folder in File Explorer. | Allowed | +| Set Allowed Folder location | Gives user access to these folders. | Default folders: Documents, Desktop, Pictures, and Downloads | +| Set Allowed Storage Locations | Blocks user access to these storage locations. | Blocks local drives and network drives | +| Allow News and Interests | Hides widgets. | Hide | +| Disable advertising ID | Blocks apps from using usage data to tailor advertisements.
[Privacy/DisableAdvertisingId CSP](/windows/client-management/mdm/policy-csp-privacy#privacy-disableadvertisingid) | Disabled | +| Visible settings pages | Default:
|| +| Enable App Install Control | When enabled, users can't download apps from the internet.
[SmartScreen/EnableAppInstallControl CSP](/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol)| Enabled | +| Configure Storage Sense Cloud Content Dehydration Threshold | If a file hasn't been opened in 30 days, it becomes an online-only file. Online-only files can be opened when there's an internet connection. When an online-only file is opened on a device, it downloads and becomes locally available on that device. The file is available until it's unopened for the specified number of days, and becomes online-only again.
[Storage/ConfigStorageSenseCloudContentDehydrationThreshold CSP](/windows/client-management/mdm/policy-csp-storage#storage-configstoragesensecloudcontentdehydrationthreshold) | 30 days | +| Allow Telemetry | With *Required Telemetry Only*, it sends only basic device info, including quality-related data, app compatibility, and similar data to keep the device secure and up-to-date.
[System/AllowTelemetry CSP](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | Required Telemetry Only | +| Allow Experimentation | When disabled, Microsoft can't experiment with the product to study user preferences or device behavior.
[System/AllowExperimentation CSP](/windows/client-management/mdm/policy-csp-system#system-allowexperimentation) | Disabled | +| Block external extensions | When blocked, in Microsoft Edge users can't install external extensions.
[BlockExternalExtensions](/DeployEdge/microsoft-edge-policies#blockexternalextensions) | Blocked | +| Configure new tab page | Set the new tab page defaults to a specific url.
[Configure the new tab page URL](/DeployEdge/microsoft-edge-policies#configure-the-new-tab-page-url) | `Office.com` | +| Configure homepage | Set the Microsoft Edge's homepage default.
[HomepageIsNewTabPage](/DeployEdge/microsoft-edge-policies#homepageisnewtabpage) | `Office.com` | +| Prevent SmartScreen prompt override | When enabled, in Microsoft Edge, users can't override Windows Defender SmartScreen warnings.
[PreventSmartScreenPromptOverride](/DeployEdge/microsoft-edge-policies#preventsmartscreenpromptoverride) | Enabled | +| Wallpaper Image Customization | Specify a jpg, jpeg, or png image to be used as the desktop image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[DesktopImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured | +| Lock Screen Image Customization | Specify a jpg, jpeg, or png image to be used as lock screen image. This setting can take an http or https URL to a remote image to be downloaded, a file URL to a local image.
[LockScreenImageUrl](/windows/client-management/mdm/personalization-csp) | Not configured | ## Settings that can't be changed @@ -61,45 +61,6 @@ The following settings can't be changed. | Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. | | Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). | -## What's available in the Settings app - -On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown. - -- Accessibility - -- Accounts - - Email & accounts - -- Apps - -- Bluetooth & devices - - Bluetooth - - Printers & scanners - - Mouse - - Touchpad - - Typing - - Pen - - AutoPlay - -- Network & internet - - WiFi - - VPN - -- Personalization - - Taskbar - -- Privacy & security - -- System - - Display - - Notifications - - Tablet mode - - Multitasking - - Projecting to this PC - -- Time & Language - - Language & region - ## Next steps [Windows 11 SE for Education overview](windows-11-se-overview.md) diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index b53f4a28bc..da8c28524d 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -21,7 +21,7 @@ appliesto: Windows 10, version 1607 (Anniversary Update) continues our commitment to productivity, security, and privacy for all customers. Windows 10 Pro and Windows 10 Enterprise offer the functionality and safety features demanded by business and education customers around the globe. Windows 10 is the most secure Windows we’ve ever built. All of our Windows commercial editions can be configured to support the needs of schools, through group policies, domain join, and more. To learn more about Microsoft’s commitment to security and privacy in Windows 10, see more on both [security](/windows/security/security-foundations) and [privacy](https://go.microsoft.com/fwlink/?LinkId=822620). -Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows-10.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). +Beginning with version 1607, Windows 10 offers various new features and functionality, such as simplified provisioning with the [Set up School PCs app](./use-set-up-school-pcs-app.md) or [Windows Configuration Designer](./set-up-students-pcs-to-join-domain.md), easier delivery of digital assessments with [Take a Test](./take-tests-in-windows.md), and faster sign-in performance for shared devices than ever before. These features work with all Windows for desktop editions, excluding Windows 10 Home. You can find more information on [windows.com](https://www.windows.com/). Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: [Windows 10 Pro Education](#windows-10-pro-education) and [Windows 10 Education](#windows-10-education). These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments. @@ -63,7 +63,7 @@ For any other questions, contact [Microsoft Customer Service and Support](https: ## Related topics - [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md) -- [Windows deployment for education](./index.md) +- [Windows deployment for education](./index.yml) - [Windows 10 upgrade paths](/windows/deployment/upgrade/windows-10-upgrade-paths) - [Volume Activation for Windows 10](/windows/deployment/volume-activation/volume-activation-windows-10) - [Plan for volume activation](/windows/deployment/volume-activation/plan-for-volume-activation-client) diff --git a/gdpr/docfx.json b/gdpr/docfx.json deleted file mode 100644 index d786f46f58..0000000000 --- a/gdpr/docfx.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "author": "eross-msft", - "ms.author": "lizross", - "feedback_system": "GitHub", - "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "gdpr", - "markdownEngineName": "dfm" - } -} \ No newline at end of file diff --git a/mdop/docfx.json b/mdop/docfx.json deleted file mode 100644 index 6ff865c683..0000000000 --- a/mdop/docfx.json +++ /dev/null @@ -1,63 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/**.md", - "**/**.yml" - ], - "exclude": [ - "**/obj/**" - ] - } - ], - "resource": [ - { - "files": [ - "**/images/**" - ], - "exclude": [ - "**/obj/**" - ] - } - ], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json", - "ROBOTS": "INDEX, FOLLOW", - "ms.technology": "windows", - "audience": "ITPro", - "manager": "dansimp", - "ms.prod": "w10", - "ms.author": "dansimp", - "author": "dansimp", - "ms.sitesec": "library", - "ms.topic": "article", - "ms.date": "04/05/2017", - "feedback_system": "GitHub", - "feedback_github_repo": "https://github.com/MicrosoftDocs/mdop-docs", - "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "Win.mdop", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "Kellylorenebaker", - "jborsecnik", - "tiburd", - "garycentric" - ], - "titleSuffix": "Microsoft Desktop Optimization Pack" - }, - "externalReference": [], - "template": "op.html", - "dest": "mdop", - "markdownEngineName": "markdig" - } -} diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 31965af7f3..86cbbe0beb 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -41,7 +41,7 @@ We've been working on bug fixes and performance improvements to provide you a be |  |**Performance improvements in private store**
We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.
[Get more info](./manage-private-store-settings.md#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | | | **Manage Windows device deployment with Windows Autopilot Deployment**
In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.
[Get more info](add-profile-to-devices.md)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | |  |**Request an app**
People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | -||  |**Private store collections**
You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.
[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +||  |**Private store collections**
You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.
[Get more info](https://review.learn.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | --> ## Previous releases and updates @@ -97,4 +97,4 @@ We've been working on bug fixes and performance improvements to provide you a be - Manage prepaid Office 365 subscriptions - Manage Office 365 subscriptions acquired by partners - Edge extensions in Microsoft Store -- Search results in Microsoft Store for Business \ No newline at end of file +- Search results in Microsoft Store for Business diff --git a/template.md b/template.md index 84c08cc7de..c5f9f794d8 100644 --- a/template.md +++ b/template.md @@ -28,7 +28,7 @@ When you create a new markdown file article, **Save as** this template to a new ## Metadata -The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes: +The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.learn.microsoft.com/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes: - You _must_ have a space between the colon (`:`) and the value for a metadata element. @@ -65,7 +65,7 @@ The full metadata block is above the markdown between the `---` lines. For more All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles: -- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) +- [Docs Markdown reference in the Contributor Guide](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main) - [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax) - [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax) @@ -79,7 +79,7 @@ Second-level headings (`##`, also known as H2) generate the on-page TOC that app Limit the length of second-level headings to avoid excessive line wraps. -Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files. +Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.learn.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files. Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`). @@ -111,7 +111,7 @@ _Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps di > > It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.) -For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide. +For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide. ### Article in the same repo @@ -149,7 +149,7 @@ There's a broken link report that runs once a week in the build system, get the Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target. -For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide. +For more information, see [Add links to articles](https://review.learn.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide. ## Lists @@ -289,4 +289,4 @@ Always include alt text for accessibility, and always end it with a period. ## docs.ms extensions > [!div class="nextstepaction"] -> [Next step action](/mem/configmgr) +> [Microsoft Endpoint Configuration Manager documentation](https://learn.microsoft.com/mem/configmgr) diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json deleted file mode 100644 index 35b82f4d89..0000000000 --- a/windows/access-protection/docfx.json +++ /dev/null @@ -1,61 +0,0 @@ -{ - "build": { - "content": [ - { - "files": [ - "**/*.md", - "**/*.yml" - ], - "exclude": [ - "**/obj/**", - "**/includes/**", - "README.md", - "LICENSE", - "LICENSE-CODE", - "ThirdPartyNotices" - ] - } - ], - "resource": [ - { - "files": [ - "**/*.png", - "**/*.jpg", - "**/*.gif" - ], - "exclude": [ - "**/obj/**", - "**/includes/**" - ] - } - ], - "overwrite": [], - "externalReference": [], - "globalMetadata": { - "recommendations": true, - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", - "ms.technology": "windows", - "audience": "ITPro", - "ms.topic": "article", - "_op_documentIdPathDepotMapping": { - "./": { - "depot_name": "MSDN.win-access-protection", - "folder_relative_path_in_docset": "./" - } - }, - "contributors_to_exclude": [ - "rjagiewich", - "traya1", - "rmca14", - "claydetels19", - "jborsecnik", - "tiburd", - "garycentric" - ] - }, - "fileMetadata": {}, - "template": [], - "dest": "win-access-protection", - "markdownEngineName": "markdig" - } -} diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 1f3a0d4e61..0c2d4413bb 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -37,10 +37,10 @@ "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", - "audience": "ITPro", "ms.topic": "article", - "ms.author": "elizapo", - "feedback_system": "None", + "feedback_system": "GitHub", + "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", + "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.win-app-management", @@ -59,7 +59,11 @@ ], "searchScope": ["Windows 10"] }, - "fileMetadata": {}, + "fileMetadata": { + "feedback_system": { + "app-v/**/*.*": "None" + } + }, "template": [], "dest": "win-app-management", "markdownEngineName": "markdig" diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index b61fb4f87e..1c99168f4a 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -44,9 +44,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | | | | | | + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809| + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | | | | | | --- @@ -54,9 +54,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -64,9 +64,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | Use Settings App | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | Use Settings App | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -74,9 +74,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -84,9 +84,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -94,19 +94,31 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- + +- [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEVCVideoExtension +> [!NOTE] +> For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) from the Microsoft Store. + - Supported versions: + + --- + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️||||||| + + --- - [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| --- @@ -114,9 +126,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -124,9 +136,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -134,9 +146,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -144,9 +156,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -154,9 +166,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -164,9 +176,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -174,9 +186,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -184,9 +196,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| --- @@ -194,9 +206,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | | ✔️ | ✔️| | ✔️| | | + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + |️ | ✔️ | ✔️ | ✔️|️ | ✔️|️️| --- @@ -204,9 +216,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -214,9 +226,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| --- @@ -224,9 +236,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -234,9 +246,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -244,9 +256,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -254,9 +266,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -264,9 +276,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -274,9 +286,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -284,9 +296,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -294,9 +306,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -304,9 +316,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -314,9 +326,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -324,9 +336,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -334,9 +346,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -344,9 +356,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -354,9 +366,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -364,9 +376,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -374,9 +386,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -386,9 +398,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -396,9 +408,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -406,9 +418,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -416,9 +428,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -426,9 +438,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -436,9 +448,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -446,9 +458,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -456,9 +468,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -466,8 +478,8 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- diff --git a/windows/client-management/generate-kernel-or-complete-crash-dump.md b/windows/client-management/generate-kernel-or-complete-crash-dump.md index e631ae9d84..442eedecc8 100644 --- a/windows/client-management/generate-kernel-or-complete-crash-dump.md +++ b/windows/client-management/generate-kernel-or-complete-crash-dump.md @@ -7,12 +7,12 @@ author: Deland-Han ms.localizationpriority: medium ms.author: delhan ms.date: 8/28/2019 -ms.reviewer: +ms.reviewer: manager: willchen ms.collection: highpri --- -# Generate a kernel or complete crash dump +# Generate a kernel or complete crash dump A system crash (also known as a “bug check” or a "Stop error") occurs when Windows can't run correctly. The dump file that is produced from this event is called a system crash dump. @@ -39,7 +39,7 @@ To enable memory dump setting, follow these steps: 5. Restart the computer. >[!Note] ->You can change the dump file path by edit the **Dump file** field. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has enough disk space, such as E:\Memory.dmp. +>You can change the dump file path by edit the **Dump file** field. In other words, you can change the path from %SystemRoot%\Memory.dmp to point to a local drive that has enough disk space, such as E:\Memory.dmp. ### Tips to generate memory dumps @@ -72,13 +72,13 @@ If you can sign in while the problem is occurring, you can use the Microsoft Sys On some computers, you can't use keyboard to generate a crash dump file. For example, Hewlett-Packard (HP) BladeSystem servers from the Hewlett-Packard Development Company are managed through a browser-based graphical user interface (GUI). A keyboard isn't attached to the HP BladeSystem server. -In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor. +In these cases, you must generate a complete crash dump file or a kernel crash dump file by using the Non-Maskable Interrupt (NMI) switch that causes an NMI on the system processor. To implement this process, follow these steps: -> [!IMPORTANT] +> [!IMPORTANT] > Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur. - + > [!NOTE] > This registry key isn't required for clients running Windows 8 and later, or servers running Windows Server 2012 and later. Setting this registry key on later versions of Windows has no effect. @@ -98,14 +98,14 @@ To implement this process, follow these steps: 7. Hardware vendors, such as HP, IBM, and Dell, may provide an Automatic System Recovery (ASR) feature. You should disable this feature during troubleshooting. For example, if the HP and Compaq ASR feature is enabled in the BIOS, disable this feature while you troubleshoot to generate a complete Memory.dmp file. For the exact steps, contact your hardware vendor. -8. Enable the NMI switch in the BIOS or by using the Integrated Lights Out (iLO) Web interface. +8. Enable the NMI switch in the BIOS or by using the Integrated Lights Out (iLO) Web interface. >[!Note] >For the exact steps, see the BIOS reference manual or contact your hardware vendor. 9. Test this method on the server by using the NMI switch to generate a dump file. You'll see a STOP 0x00000080 hardware malfunction. -If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/azure/virtual-machines/linux/serial-console-nmi-sysrq). +If you want to run NMI in Microsoft Azure using Serial Console, see [Use Serial Console for SysRq and NMI calls](/troubleshoot/azure/virtual-machines/serial-console-nmi-sysrq). ### Use the keyboard diff --git a/windows/client-management/images/quick-assist-get.png b/windows/client-management/images/quick-assist-get.png new file mode 100644 index 0000000000..fc7ccdd1a4 Binary files /dev/null and b/windows/client-management/images/quick-assist-get.png differ diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 022820d4e9..d3f9eb80c2 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -45,5 +45,5 @@ You can use the same management tools to manage all device types running Windows [Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) -Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/learn/) - \ No newline at end of file +Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/) + diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 7c8c46580d..a78fb7d156 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -18,8 +18,8 @@ ms.topic: article - Windows 11 - Windows Server 2022 - ## Summary + By using Windows operating systems, administrators can determine what devices can be installed on computers they manage. This guide summarizes the device installation process and demonstrates several techniques for controlling device installation by using Group Policy. ## Introduction @@ -60,7 +60,6 @@ It's more difficult for users to make unauthorized copies of company data if use You can ensure that users install only those devices that your technical support team is trained and equipped to support. This benefit reduces support costs and user confusion. - ## Scenario Overview The scenarios presented in this guide illustrate how you can control device installation and usage on the computers that you manage. The scenarios use Group Policy on a local machine to simplify using the procedures in a lab environment. In an environment where you manage multiple client computers, you should apply these settings using Group Policy.. With Group Policy deployed by Active Directory, you can apply settings to all computers that are members of a domain or an organizational unit in a domain. For more information about how to use Group Policy to manage your client computers, see Group Policy at the Microsoft Web site. @@ -90,7 +89,6 @@ This scenario, although similar to scenario #2, brings another layer of complexi In this scenario, combining all previous four scenarios, you'll learn how to protect a machine from all unauthorized USB devices. The administrator wants to allow users to install only a small set of authorized USB devices while preventing any other USB device from being installed. In addition, this scenario includes an explanation of how to apply the ‘prevent’ functionality to existing USB devices that have already been installed on the machine, and the administrator likes to prevent any farther interaction with them (blocking them all together). This scenario builds on the policies and structure we introduced in the first four scenarios and therefore it's preferred to go over them first before attempting this scenario. - ## Technology Review The following sections provide a brief overview of the core technologies discussed in this guide and give background information that is necessary to understand the scenarios. @@ -126,14 +124,14 @@ Hardware IDs are the identifiers that provide the exact match between a device a Windows uses these identifiers to select a driver if the operating system can't find a match with the device ID or any of the other hardware IDs. Compatible IDs are listed in the order of decreasing suitability. These strings are optional, and, when provided, they're generic, such as Disk. When a match is made using a compatible ID, you can typically use only the most basic functions of the device. -When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see How Setup Selects Drivers in the Microsoft Docs library. +When you install a device, such as a printer, a USB storage device, or a keyboard, Windows searches for driver packages that match the device you are attempting to install. During this search, Windows assigns a "rank" to each driver package it discovers with at least one match to a hardware or compatible ID. The rank indicates how well the driver matches the device. Lower rank numbers indicate better matches between the driver and the device. A rank of zero represents the best possible match. A match with the device ID to one in the driver package results in a lower (better) rank than a match to one of the other hardware IDs. Similarly, a match to a hardware ID results in a better rank than a match to any of the compatible IDs. After Windows ranks all of the driver packages, it installs the one with the lowest overall rank. For more information about the process of ranking and selecting driver packages, see [How Windows selects a driver package for a device](/windows-hardware/drivers/install/how-windows-selects-a-driver-for-a-device). > [!NOTE] > For more information about the driver installation process, see the "Technology review" section of the Step-by-Step Guide to Driver Signing and Staging. Some physical devices create one or more logical devices when they're installed. Each logical device might handle part of the functionality of the physical device. For example, a multi-function device, such as an all-in-one scanner/fax/printer, might have a different device identification string for each function. -When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see Device Identification Strings in Microsoft Docs. +When you use Device Installation policies to allow or prevent the installation of a device that uses logical devices, you must allow or prevent all of the device identification strings for that device. For example, if a user attempts to install a multifunction device and you didn't allow or prevent all of the identification strings for both physical and logical devices, you could get unexpected results from the installation attempt. For more detailed information about hardware IDs, see [Device identification strings](/windows-hardware/drivers/install/device-identification-strings). #### Device setup classes @@ -143,7 +141,7 @@ When you use device Classes to allow or prevent users from installing drivers, y For example, a multi-function device, such as an all-in-one scanner/fax/printer, has a GUID for a generic multi-function device, a GUID for the printer function, a GUID for the scanner function, and so on. The GUIDs for the individual functions are "child nodes" under the multi-function device GUID. To install a child node, Windows must also be able to install the parent node. You must allow installation of the device setup class of the parent GUID for the multi-function device in addition to any child GUIDs for the printer and scanner functions. -For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes) in Microsoft Docs. +For more information, see [Device Setup Classes](/windows-hardware/drivers/install/overview-of-device-setup-classes). This guide doesn't depict any scenarios that use device setup classes. However, the basic principles demonstrated with device identification strings in this guide also apply to device setup classes. After you discover the device setup class for a specific device, you can then use it in a policy to either allow or prevent installation of drivers for that class of devices. @@ -154,14 +152,13 @@ The following two links provide the complete list of Device Setup Classes. ‘Sy #### ‘Removable Device’ Device type -Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. - +Some devices could be classified as _Removable Device_. A device is considered _removable_ when the driver for the device to which it's connected indicates that the device is removable. For example, a USB device is reported to be removable by the drivers for the USB hub to which the device is connected. ### Group Policy Settings for Device Installation Group Policy is an infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences. -Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see Group Policy Object Editor Technical Reference. +Device Installation section in Group Policy is a set of policies that control which device could or couldn't be installed on a machine. Whether you want to apply the settings to a stand-alone computer or to many computers in an Active Directory domain, you use the Group Policy Object Editor to configure and apply the policy settings. For more information, see [Group Policy Object Editor](/previous-versions/windows/desktop/Policy/group-policy-object-editor). The following passages are brief descriptions of the Device Installation policies that are used in this guide. @@ -210,12 +207,9 @@ This policy setting will change the evaluation order in which Allow and Prevent > If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to install a device. Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below. - + 
_Device Installation policies flow chart_ - - - ## Requirements for completing the scenarios ### General @@ -259,7 +253,7 @@ To find device identification strings using Device Manager 3. Device Manager starts and displays a tree representing all of the devices detected on your computer. At the top of the tree is a node with your computers name next to it. Lower nodes represent the various categories of hardware into which your computers devices are grouped. 4. Find the “Printers” section and find the target printer - + 
_Selecting the printer in Device Manager_ 5. Double-click the printer and move to the ‘Details’ tab. @@ -273,7 +267,7 @@ To find device identification strings using Device Manager 
_HWID and Compatible ID_ > [!TIP] - > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs. + > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil). ### Getting device identifiers using PnPUtil @@ -316,7 +310,7 @@ Setting up the environment for the scenario with the following steps: 1. Open Group Policy Editor and navigate to the Device Installation Restriction section. -2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. +2. Disable all previous Device Installation policies, except ‘Apply layered order of evaluation’—although the policy is disabled in default, this policy is recommended to be enabled in most practical applications. 3. If there are any enabled policies, changing their status to ‘disabled’, would clear them from all parameters @@ -333,7 +327,7 @@ Getting the right device identifier to prevent it from being installed: - [System-Defined Device Setup Classes Available to Vendors - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors) - [System-Defined Device Setup Classes Reserved for System Use - Windows drivers](/windows-hardware/drivers/install/system-defined-device-setup-classes-reserved-for-system-use) -3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: +3. Our current scenario is focused on preventing all printers from being installed, as such here's the Class GUID for most of printers in the market: > Printers\ > Class = Printer\ @@ -347,7 +341,7 @@ Creating the policy to prevent all printers from being installed: 1. Open Group Policy Object Editor—either click the Start button, type mmc gpedit.msc in the Start Search box, and then press ENTER; or type in the Windows search “Group Policy Editor” and open the UI. -2. Navigate to the Device Installation Restriction page: +2. Navigate to the Device Installation Restriction page: > Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions @@ -625,12 +619,12 @@ These devices are internal devices on the machine that define the USB port conne > [!IMPORTANT] > Some device in the system have several layers of connectivity to define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it's important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. See below for the list: -> -> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ +> +> PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&HOST (for Host Controllers)/ > USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)/ > USB\USB20_HUB (for Generic USB Hubs)/ -> -> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. +> +> Specifically for desktop machines, it's very important to list all the USB devices that your keyboards and mice are connected through in the above list. Failing to do so could block a user from accessing its machine through HID devices. > > Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it's done. diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md index 948207dc6d..d4a2294c65 100644 --- a/windows/client-management/mdm/Language-pack-management-csp.md +++ b/windows/client-management/mdm/Language-pack-management-csp.md @@ -18,13 +18,13 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|Yes| -|Windows SE|No|Yes| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| |Business|No|No| -|Enterprise|No|Yes| -|Education|No|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| -The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users. +The Language Pack Management CSP allows a way to easily add languages and related language features and manage settings like System Preferred UI Language, System Locale, Input method (Keyboard), Locale, Speech Recognizer, User Preferred Language List. This CSP can be accessed using the new [LanguagePackManagement](/powershell/module/languagepackmanagement) PowerShell module. 1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples: @@ -95,4 +95,4 @@ The Language Pack Management CSP allows a direct way to provision languages remo ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index d447311a4e..2623c3d235 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -52,8 +52,11 @@ Available naming macros: |Macro|Description|Example|Generated Name| |:---|:---|:---|:---| -|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456| -|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456| +|`%RAND:#%`|Generates the specified number (`#`) of random digits.|`Test%RAND:6%`|`Test123456`| +|`%SERIAL%`|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|`Test-Device-%SERIAL%`|`Test-Device-456`| + +> [!NOTE] +> If you use these naming macros, a unique name isn't guaranteed. The generated name may still be duplicated. To reduce the likelihood of a duplicated device name, use `%RAND:#%` with a large number. With the understanding that the maximum device name is 15 characters. Supported operation is Add. diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 97ff6341d2..1334adc13d 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -754,7 +754,7 @@ ADMX Info: This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of required startup key information. This setting is applied when you turn on BitLocker. -The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs. +The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. @@ -843,7 +843,7 @@ ADMX Info: This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker. -The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see the BitLocker Drive Encryption Deployment Guide on Microsoft Docs. +The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. For more information about adding data recovery agents, see [BitLocker recovery guide](/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan). In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 62eca97eea..b67e4c78ef 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -531,6 +531,18 @@ Additional lists: + +[Local Administrator Password Solution CSP](laps-csp.md) + + + +|Home|Pro|Business|Enterprise|Education| +|--- |--- |--- |--- |--- | +|Yes|Yes|Yes|Yes|Yes| + + + + [MultiSIM CSP](multisim-csp.md) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index c900b41939..72be68417e 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md @@ -1,7 +1,7 @@ --- title: DeviceStatus CSP description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -71,12 +71,14 @@ DeviceStatus --------VirtualizationBasedSecurityHwReq --------VirtualizationBasedSecurityStatus --------LsaCfgCredGuardStatus +----CertAttestation +--------MDMClientCertAttestation ``` -**DeviceStatus** +**DeviceStatus** The root node for the DeviceStatus configuration service provider. -**DeviceStatus/SecureBootState** +**DeviceStatus/SecureBootState** Indicates whether secure boot is enabled. The value is one of the following values: - 0 - Not supported @@ -85,67 +87,67 @@ Indicates whether secure boot is enabled. The value is one of the following valu Supported operation is Get. -**DeviceStatus/CellularIdentities** +**DeviceStatus/CellularIdentities** Required. Node for queries on the SIM cards. >[!NOTE] >Multiple SIMs are supported. -**DeviceStatus/CellularIdentities/***IMEI* +**DeviceStatus/CellularIdentities/***IMEI* The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. -**DeviceStatus/CellularIdentities/*IMEI*/IMSI** +**DeviceStatus/CellularIdentities/*IMEI*/IMSI** The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/ICCID** +**DeviceStatus/CellularIdentities/*IMEI*/ICCID** The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** +**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** Phone number associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** +**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** The mobile service provider or mobile operator associated with the specific IMEI number. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** +**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** Indicates whether the SIM card associated with the specific IMEI number is roaming. Supported operation is Get. -**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** +**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** Boolean value that indicates compliance with the enforced enterprise roaming policy. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers** +**DeviceStatus/NetworkIdentifiers** Node for queries on network and device properties. -**DeviceStatus/NetworkIdentifiers/***MacAddress* +**DeviceStatus/NetworkIdentifiers/***MacAddress* MAC address of the wireless network card. A MAC address is present for each network card on the device. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** IPv4 address of the network card associated with the MAC address. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** IPv6 address of the network card associated with the MAC address. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** Boolean value that indicates whether the network card associated with the MAC address has an active network connection. Supported operation is Get. -**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** +**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** Type of network connection. The value is one of the following values: - 2 - WLAN (or other Wireless interface) @@ -154,10 +156,10 @@ Type of network connection. The value is one of the following values: Supported operation is Get. -**DeviceStatus/Compliance** +**DeviceStatus/Compliance** Node for the compliance query. -**DeviceStatus/Compliance/EncryptionCompliance** +**DeviceStatus/Compliance/EncryptionCompliance** Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values: - 0 - Not encrypted @@ -165,42 +167,42 @@ Boolean value that indicates compliance with the enterprise encryption policy fo Supported operation is Get. -**DeviceStatus/TPM** +**DeviceStatus/TPM** Added in Windows, version 1607. Node for the TPM query. Supported operation is Get. -**DeviceStatus/TPM/SpecificationVersion** +**DeviceStatus/TPM/SpecificationVersion** Added in Windows, version 1607. String that specifies the specification version. Supported operation is Get. -**DeviceStatus/OS** +**DeviceStatus/OS** Added in Windows, version 1607. Node for the OS query. Supported operation is Get. -**DeviceStatus/OS/Edition** +**DeviceStatus/OS/Edition** Added in Windows, version 1607. String that specifies the OS edition. Supported operation is Get. -**DeviceStatus/OS/Mode** +**DeviceStatus/OS/Mode** Added in Windows, version 1803. Read only node that specifies the device mode. -Valid values: +Valid values: - 0 - The device is in standard configuration. - 1 - The device is in S mode configuration. Supported operation is Get. -**DeviceStatus/Antivirus** +**DeviceStatus/Antivirus** Added in Windows, version 1607. Node for the antivirus query. Supported operation is Get. -**DeviceStatus/Antivirus/SignatureStatus** +**DeviceStatus/Antivirus/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the antivirus signature. Valid values: @@ -218,7 +220,7 @@ If more than one antivirus provider is active, this node returns: This node also returns 0 when no antivirus provider is active. -**DeviceStatus/Antivirus/Status** +**DeviceStatus/Antivirus/Status** Added in Windows, version 1607. Integer that specifies the status of the antivirus. Valid values: @@ -231,12 +233,12 @@ Valid values: Supported operation is Get. -**DeviceStatus/Antispyware** +**DeviceStatus/Antispyware** Added in Windows, version 1607. Node for the anti-spyware query. Supported operation is Get. -**DeviceStatus/Antispyware/SignatureStatus** +**DeviceStatus/Antispyware/SignatureStatus** Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature. Valid values: @@ -254,7 +256,7 @@ If more than one anti-spyware provider is active, this node returns: This node also returns 0 when no anti-spyware provider is active. -**DeviceStatus/Antispyware/Status** +**DeviceStatus/Antispyware/Status** Added in Windows, version 1607. Integer that specifies the status of the anti-spyware. Valid values: @@ -266,12 +268,12 @@ Valid values: Supported operation is Get. -**DeviceStatus/Firewall** +**DeviceStatus/Firewall** Added in Windows, version 1607. Node for the firewall query. Supported operation is Get. -**DeviceStatus/Firewall/Status** +**DeviceStatus/Firewall/Status** Added in Windows, version 1607. Integer that specifies the status of the firewall. Valid values: @@ -284,75 +286,75 @@ Valid values: Supported operation is Get. -**DeviceStatus/UAC** +**DeviceStatus/UAC** Added in Windows, version 1607. Node for the UAC query. Supported operation is Get. -**DeviceStatus/UAC/Status** +**DeviceStatus/UAC/Status** Added in Windows, version 1607. Integer that specifies the status of the UAC. Supported operation is Get. -**DeviceStatus/Battery** +**DeviceStatus/Battery** Added in Windows, version 1607. Node for the battery query. Supported operation is Get. -**DeviceStatus/Battery/Status** +**DeviceStatus/Battery/Status** Added in Windows, version 1607. Integer that specifies the status of the battery Supported operation is Get. -**DeviceStatus/Battery/EstimatedChargeRemaining** +**DeviceStatus/Battery/EstimatedChargeRemaining** Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. -**DeviceStatus/Battery/EstimatedRuntime** +**DeviceStatus/Battery/EstimatedRuntime** Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status). The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1. Supported operation is Get. -**DeviceStatus/DomainName** +**DeviceStatus/DomainName** Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string. Supported operation is Get. -**DeviceStatus/DeviceGuard** +**DeviceStatus/DeviceGuard** Added in Windows, version 1709. Node for Device Guard query. Supported operation is Get. -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. - 0x0: System meets hardware configuration requirements -- 0x1: SecureBoot required +- 0x1: SecureBoot required - 0x2: DMA Protection required - 0x4: HyperV not supported for Guest VM - 0x8: HyperV feature isn't available Supported operation is Get. -**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** +**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: - 0 - Running -- 1 - Reboot required -- 2 - 64-bit architecture required -- 3 - Not licensed -- 4 - Not configured -- 5 - System doesn't meet hardware requirements +- 1 - Reboot required +- 2 - 64-bit architecture required +- 3 - Not licensed +- 4 - Not configured +- 5 - System doesn't meet hardware requirements - 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details. Supported operation is Get. -**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** +**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** Added in Windows, version 1709. Local System Authority (LSA) credential guard status. - 0 - Running @@ -363,6 +365,11 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s Supported operation is Get. +**DeviceStatus/CertAttestation/MDMClientCertAttestation** +Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields. + +Supported operation is Get. + ## Related topics [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 9019f6a5b9..f081bf1262 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -1,7 +1,7 @@ --- title: DeviceStatus DDF description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -25,862 +25,904 @@ The XML below is for Windows 10, version 1803. "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd" []>
- NewsAndInterests/AllowNewsAndInterests
- Experiences/ConfigureChatIcon
- Start/ConfigureStartPins
- Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity
- Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable | -| [DMClient CSP](dmclient-csp.md) | Updated the description of the following node:
- Provider/ProviderID/ConfigLock/Lock
- Provider/ProviderID/ConfigLock/UnlockDuration
- Provider/ProviderID/ConfigLock/SecuredCore | +| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Updated the following policy in Windows 10, version 2004:
Deprecated the following policies in Windows 10, version 2004:
[DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
Added the new 1.4 version of the DDF.
Added the following new nodes:
- [Experience/DisableCloudOptimizedContent](policy-csp-experience.md#experience-disablecloudoptimizedcontent)
- [LocalUsersAndGroups/Configure](policy-csp-localusersandgroups.md#localusersandgroups-configure)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#mixedreality-aadgroupmembershipcachevalidityindays)
- [MixedReality/BrightnessButtonDisabled](policy-csp-mixedreality.md#mixedreality-brightnessbuttondisabled)
- [MixedReality/FallbackDiagnostics](policy-csp-mixedreality.md#mixedreality-fallbackdiagnostics)
- [MixedReality/MicrophoneDisabled](policy-csp-mixedreality.md#mixedreality-microphonedisabled)
- [MixedReality/VolumeButtonDisabled](policy-csp-mixedreality.md#mixedreality-volumebuttondisabled)
- [Multitasking/BrowserAltTabBlowout](policy-csp-multitasking.md#multitasking-browseralttabblowout) | -| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
- Properties/SleepMode | -| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
- Settings/AllowWindowsDefenderApplicationGuard | - -## What’s new in MDM for Windows 10, version 2004 - -| New or updated article | Description | -|-----|-----| -| [Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 2004:
- [ApplicationManagement/BlockNonAdminUserInstall](policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall)
- [Bluetooth/SetMinimumEncryptionKeySize](policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize)
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehostsource)
- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxforegrounddownloadbandwidth)
- [Education/AllowGraphingCalculator](policy-csp-education.md#education-allowgraphingcalculator)
- [TextInput/ConfigureJapaneseIMEVersion](policy-csp-textinput.md#textinput-configurejapaneseimeversion)
- [TextInput/ConfigureSimplifiedChineseIMEVersion](policy-csp-textinput.md#textinput-configuresimplifiedchineseimeversion)
- [TextInput/ConfigureTraditionalChineseIMEVersion](policy-csp-textinput.md#textinput-configuretraditionalchineseimeversion)
Updated the following policy in Windows 10, version 2004:
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost)
Deprecated the following policies in Windows 10, version 2004:
- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) | -| [DevDetail CSP](devdetail-csp.md) | Added the following new node:
- Ext/Microsoft/DNSComputerName | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following new node:
- IsStub | -| [SUPL CSP](supl-csp.md) | Added the following new node:
- FullVersion | - -## What’s new in MDM for Windows 10, version 1909 - -| New or updated article | Description | -|-----|-----| -| [BitLocker CSP](bitlocker-csp.md) | Added the following new nodes in Windows 10, version 1909:
- ConfigureRecoveryPasswordRotation
- RotateRecoveryPasswords
- RotateRecoveryPasswordsStatus
- RotateRecoveryPasswordsRequestID| - -## What’s new in MDM for Windows 10, version 1903 - -| New or updated article | Description | -|-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policies in Windows 10, version 1903:
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground)
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground)
- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope)
- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceinstanceids)
- [DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs](policy-csp-deviceinstallation.md#deviceinstallationpreventinstallationofmatchingdeviceinstanceids)
- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile)
- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar)
- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload)
- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview)
- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync)
- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation)
- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete)
- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage)
- [Power/EnergySaverBatteryThresholdOnBattery](policy-csp-power.md#power-energysaverbatterythresholdonbattery)
- [Power/EnergySaverBatteryThresholdPluggedIn](policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
- [Power/SelectLidCloseActionOnBattery](policy-csp-power.md#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](policy-csp-power.md#power-selectlidcloseactionpluggedin)
- [Power/SelectPowerButtonActionOnBattery](policy-csp-power.md#power-selectpowerbuttonactiononbattery)
- [Power/SelectPowerButtonActionPluggedIn](policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
- [Power/SelectSleepButtonActionOnBattery](policy-csp-power.md#power-selectsleepbuttonactiononbattery)
- [Power/SelectSleepButtonActionPluggedIn](policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
- [Power/TurnOffHybridSleepOnBattery](policy-csp-power.md#power-turnoffhybridsleeponbattery)
- [Power/TurnOffHybridSleepPluggedIn](policy-csp-power.md#power-turnoffhybridsleeppluggedin)
- [Power/UnattendedSleepTimeoutOnBattery](policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
- [Power/UnattendedSleepTimeoutPluggedIn](policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice)
- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock)
- [Search/AllowFindMyFiles](policy-csp-search.md#search-allowfindmyfiles)
- [ServiceControlManager/SvchostProcessMitigation](policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation)
- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline)
- [System/TurnOffFileHistory](policy-csp-system.md#system-turnofffilehistory)
- [TimeLanguageSettings/ConfigureTimeZone](policy-csp-timelanguagesettings.md#timelanguagesettings-configuretimezone)
- [Troubleshooting/AllowRecommendations](policy-csp-troubleshooting.md#troubleshooting-allowrecommendations)
- [Update/AutomaticMaintenanceWakeUp](policy-csp-update.md#update-automaticmaintenancewakeup)
- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod)
- [WindowsLogon/AllowAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/EnableFirstLogonAnimation](policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)| -| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. | -| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. | -| [Defender CSP](defender-csp.md) | Added the following new nodes:
- Health/TamperProtectionEnabled
- Health/IsVirtualMachine
- Configuration
- Configuration/TamperProtection
- Configuration/EnableFileHashComputation | -| [DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
Added the new 1.4 version of the DDF.
Added the following new nodes:
- Policy
- Policy/Channels
- Policy/Channels/ChannelName
- Policy/Channels/ChannelName/MaximumFileSize
- Policy/Channels/ChannelName/SDDL
- Policy/Channels/ChannelName/ActionWhenFull
- Policy/Channels/ChannelName/Enabled
- DiagnosticArchive
- DiagnosticArchive/ArchiveDefinition
- DiagnosticArchive/ArchiveResults | -| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. | -| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
- SecurityKey
- SecurityKey/UseSecurityKeyForSignin | - - -## What’s new in MDM for Windows 10, version 1809 - -| New or updated article | Description | -|-----|-----| -|[Policy CSP](policy-configuration-service-provider.md) | Added the following new policy settings in Windows 10, version 1809:
- ApplicationManagement/LaunchAppAfterLogOn
- ApplicationManagement/ScheduleForceRestartForUpdateFailures
- Authentication/EnableFastFirstSignIn (Preview mode only)
- Authentication/EnableWebSignIn (Preview mode only)
- Authentication/PreferredAadTenantDomainName
- Browser/AllowFullScreenMode
- Browser/AllowPrelaunch
- Browser/AllowPrinting
- Browser/AllowSavingHistory
- Browser/AllowSideloadingOfExtensions
- Browser/AllowTabPreloading
- Browser/AllowWebContentOnNewTabPage
- Browser/ConfigureFavoritesBar
- Browser/ConfigureHomeButton
- Browser/ConfigureKioskMode
- Browser/ConfigureKioskResetAfterIdleTimeout
- Browser/ConfigureOpenMicrosoftEdgeWith
- Browser/ConfigureTelemetryForMicrosoft365Analytics
- Browser/PreventCertErrorOverrides
- Browser/SetHomeButtonURL
- Browser/SetNewTabPageURL
- Browser/UnlockHomeButton
- Defender/CheckForSignaturesBeforeRunningScan
- Defender/DisableCatchupFullScan
- Defender/DisableCatchupQuickScan
- Defender/EnableLowCPUPriority
- Defender/SignatureUpdateFallbackOrder
- Defender/SignatureUpdateFileSharesSources
- DeviceGuard/ConfigureSystemGuardLaunch
- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
- DeviceInstallation/PreventDeviceMetadataFromNetwork
- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
- DmaGuard/DeviceEnumerationPolicy
- Experience/AllowClipboardHistory
- Experience/DoNotSyncBrowserSettings
- Experience/PreventUsersFromTurningOnBrowserSyncing
- Kerberos/UPNNameHints
- Privacy/AllowCrossDeviceClipboard
- Privacy/DisablePrivacyExperience
- Privacy/UploadUserActivities
- Security/RecoveryEnvironmentAuthentication
- System/AllowDeviceNameInDiagnosticData
- System/ConfigureMicrosoft365UploadEndpoint
- System/DisableDeviceDelete
- System/DisableDiagnosticDataViewer
- Storage/RemovableDiskDenyWriteAccess
- TaskManager/AllowEndTask
- Update/DisableWUfBSafeguards
- Update/EngagedRestartDeadlineForFeatureUpdates
- Update/EngagedRestartSnoozeScheduleForFeatureUpdates
- Update/EngagedRestartTransitionScheduleForFeatureUpdates
- Update/SetDisablePauseUXAccess
- Update/SetDisableUXWUAccess
- WindowsDefenderSecurityCenter/DisableClearTpmButton
- WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
- WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
- WindowsLogon/DontDisplayNetworkSelectionUI | -| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro. | -| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus in Windows 10, version 1809. | -| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber in Windows 10, version 1809. | -| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node in Windows 10, version 1809. | -| [Office CSP](office-csp.md) | Added FinalStatus setting in Windows 10, version 1809. | -| [PassportForWork CSP](passportforwork-csp.md) | Added new settings in Windows 10, version 1809. | -| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings in Windows 10, version 1809. | -| [SUPL CSP](supl-csp.md) | Added three new certificate nodes in Windows 10, version 1809. | -| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP in Windows 10, version 1809. | -| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost in Windows 10, version 1809. | -| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings in Windows 10, version 1809. | -| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples in Windows 10, version 1809. | -| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | Added new configuration service provider in Windows 10, version 1809. | - - ## Change history for MDM documentation To know what's changed in MDM documentation, see [Change history for MDM documentation](change-history-for-mdm-documentation.md). diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index d45249dffe..8379da3699 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -83,7 +83,8 @@ PassportForWork -------UseBiometrics -------Biometrics ----------UseBiometrics -----------FacialFeatureUse +----------FacialFeaturesUseEnhancedAntiSpoofing +----------EnableESSwithSupportedPeripherals -------DeviceUnlock ----------GroupA ----------GroupB @@ -150,6 +151,15 @@ If you disable or don't configure this policy setting, the PIN will be provision Supported operations are Add, Get, Delete, and Replace. +***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT) +Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources. + +If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain. + +If you disable or do not configure this policy setting, Windows Hello for Business will use a key or certificate to authenticate to on-premises resources. + +Supported operations are Add, Get, Delete, and Replace. + ***TenantId*/Policies/PINComplexity** Node for defining PIN settings. @@ -277,8 +287,6 @@ Boolean value used to enable or disable the use of biometric gestures, such as f Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. - - Supported operations are Add, Get, Delete, and Replace. *Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* @@ -296,6 +304,26 @@ Supported operations are Add, Get, Delete, and Replace. *Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).* +**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT) + +If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected. + +If you enable this policy it can have the following possible values: + +**0 - Enhanced Sign-in Security Disabled** (not recommended) + +Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again. + +**1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security) + +Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that Enhanced Sign-in Security does not support, including that of peripheral devices, will be blocked and not available for Windows Hello. + +If you disable or do not configure this policy, Enhanced Sign-in Security is preferred on the device. The behavior will be the same as enabling the policy and setting the value to 1. + +Supported operations are Add, Get, Delete, and Replace. + +*Supported from Windows 11 version 22H2* + **DeviceUnlock** (only for ./Device/Vendor/MSFT) Added in Windows 10, version 1803. Interior node. @@ -542,7 +570,7 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol true -
./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
> [!NOTE]
@@ -124,27 +124,27 @@ ADMX files that have been installed by using **ConfigOperations/ADMXInstall** ca
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/_AppName_**
-Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
+**Policy/ConfigOperations/ADMXInstall/_AppName_**
+Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy**
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy**
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_**
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_**
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
Supported operations are Add and Get. Does not support Delete.
-**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference**
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference**
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
Supported operations are Add, Get, and Delete.
-**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_**
+**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_**
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
Supported operations are Add and Get. Does not support Delete.
@@ -174,7 +174,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -279,7 +279,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -287,7 +287,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -304,7 +304,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -380,7 +380,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -391,7 +391,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -402,7 +402,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -419,7 +419,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -513,7 +513,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -527,7 +527,7 @@ Supported operations are Add and Get. Does not support Delete.
-
@@ -563,7 +563,7 @@ Supported operations are Add and Get. Does not support Delete.
- ADMX_CredSsp/RestrictedRemoteAdministration -### ADMX_CredUI policies +### ADMX_CredUI policies
- @@ -574,14 +574,14 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -710,7 +710,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -739,7 +739,7 @@ Supported operations are Add and Get. Does not support Delete.
- @@ -761,7 +761,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ### ADMX_DigitalLocker policies -
- ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1 @@ -818,7 +818,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
-### ADMX_DeviceInstallation policies
+### ADMX_DeviceInstallation policies
-
-### ADMX_DistributedLinkTracking policies
+### ADMX_DistributedLinkTracking policies
- @@ -920,7 +920,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -975,7 +975,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -998,7 +998,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1101,7 +1101,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1169,7 +1169,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
@@ -1182,7 +1182,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
ADMX_EventViewer/EventViewer_RedirectionURL
- -### ADMX_Explorer policies +### ADMX_Explorer policies
- @@ -1202,7 +1202,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1329,7 +1329,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1406,7 +1406,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1557,7 +1557,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1691,7 +1691,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1736,7 +1736,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1775,7 +1775,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -1825,7 +1825,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -2128,7 +2128,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -2472,7 +2472,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
-### ADMX_msched policies
+### ADMX_msched policies
- @@ -2483,7 +2483,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -2497,7 +2497,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -2744,7 +2744,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3058,7 +3058,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3138,7 +3138,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3184,7 +3184,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3268,7 +3268,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3300,7 +3300,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
@@ -3341,9 +3341,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- ADMX_Reliability/ShutdownReason
-
- @@ -3354,7 +3354,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3455,7 +3455,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3543,7 +3543,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3580,7 +3580,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3588,7 +3588,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3620,7 +3620,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3709,7 +3709,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3725,7 +3725,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3931,7 +3931,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -3950,7 +3950,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4021,7 +4021,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4166,25 +4166,25 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- ADMX_TerminalServer/TS_GATEWAY_POLICY_SERVER - +
-
-### ADMX_Logon policies
+### ADMX_Logon policies
-
-### ADMX_StartMenu policies
+### ADMX_StartMenu policies
-
-### ADMX_Taskbar policies
+### ADMX_Taskbar policies
- ADMX_TerminalServer/TS_JOIN_SESSION_DIRECTORY -
+ - -### ADMX_Explorer policies +### ADMX_Explorer policies
- ADMX_TerminalServer/TS_KEEP_ALIVE - +
- ADMX_CredSsp/RestrictedRemoteAdministration -### ADMX_CredUI policies +### ADMX_CredUI policies
- ADMX_TerminalServer/TS_LICENSE_SECGROUP - +
- ADMX_TerminalServer/TS_LICENSE_SERVERS - +
- ADMX_TerminalServer/TS_LICENSE_TOOLTIP - +
- ADMX_TerminalServer/TS_LICENSING_MODE - +
- ADMX_TerminalServer/TS_MAX_CON_POLICY @@ -4282,7 +4282,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC ADMX_TerminalServer/TS_SESSIONS_Disconnected_Timeout_2 ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_1 - +
- ADMX_TerminalServer/TS_SESSIONS_Idle_Limit_2 @@ -4330,15 +4330,15 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- ADMX_TerminalServer/TS_USER_PROFILES - +
- ADMX_Thumbnails/DisableThumbnails - +
- ADMX_Thumbnails/DisableThumbnailsOnNetworkFolders @@ -4352,7 +4352,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- ADMX_TouchInput/TouchInputOff_1 - +
- ADMX_TouchInput/TouchInputOff_2 @@ -4364,7 +4364,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4399,7 +4399,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4782,7 +4782,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4811,7 +4811,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4828,7 +4828,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4853,7 +4853,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4864,7 +4864,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -4879,7 +4879,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -5097,7 +5097,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -5105,7 +5105,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -5173,7 +5173,8 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -5184,7 +5185,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -5204,7 +5205,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -5218,7 +5219,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -5249,7 +5250,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -5285,7 +5286,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
@@ -5337,8 +5338,8 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- ApplicationManagement/AllowSharedUserAppData
-- - ApplicationManagement/BlockNonAdminUserInstall +
- + ApplicationManagement/BlockNonAdminUserInstall
- ApplicationManagement/DisableStoreOriginatedApps @@ -5477,7 +5478,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -6303,6 +6304,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- + DesktopAppInstaller/EnableAdditionalSources + +
- + DesktopAppInstaller/EnableAppInstaller + +
- + DesktopAppInstaller/EnableDefaultSource + +
- + DesktopAppInstaller/EnableLocalManifestFiles + +
- + DesktopAppInstaller/EnableHashOverride + +
- + DesktopAppInstaller/EnableMicrosoftStoreSource + +
- + DesktopAppInstaller/EnableMSAppInstallerProtocol + +
- + DesktopAppInstaller/EnableSettings + +
- + DesktopAppInstaller/EnableAllowedSources + +
- + DesktopAppInstaller/EnableExperimentalFeatures + +
- + DesktopAppInstaller/SourceAutoUpdateInterval + +
- Experience/AllowSyncMySettings +
- + Experience/AllowSpotlightCollection +
- Experience/AllowTailoredExperiencesWithDiagnosticData @@ -7678,7 +7719,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- @@ -7738,7 +7779,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
@@ -7895,6 +7936,42 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
### Printers policies
-
+
- + Printers/ApprovedUsbPrintDevices + +
- + Printers/ApprovedUsbPrintDevicesUser + +
- + Printers/ConfigureCopyFilesPolicy + +
- + Printers/ConfigureDriverValidationLevel + +
- + Printers/ConfigureIppPageCountsPolicy + +
- + Printers/ConfigureRedirectionGuardPolicy + +
- + Printers/ConfigureRpcConnectionPolicy + +
- + Printers/ConfigureRpcListenerPolicy + +
- + Printers/ConfigureRpcTcpPort + +
- + Printers/EnableDeviceControl + +
- + Printers/EnableDeviceControlUser + +
- + Printers/ManageDriverExclusionList +
- Printers/PointAndPrintRestrictions @@ -7904,6 +7981,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- Printers/PublishPrinters +
- + Printers/RestrictDriverInstallationToAdministrators +
- Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps - +
- Privacy/LetAppsAccessCalendar @@ -8360,6 +8440,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- Search/DisableRemovableDriveIndexing +
- + Search/DisableSearch +
- Search/DoNotUseWebResults @@ -8515,6 +8598,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- Start/DisableContextMenus +
- + Start/DisableControlCenter + +
- + Start/DisableEditingQuickSettings +
- Start/ForceStartSize @@ -8545,6 +8634,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- Start/HideRecentlyAddedApps +
- + Start/HideRecommendedSection +
- Start/HideRestart @@ -8560,6 +8652,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- Start/HideSwitchAccount +
- + Start/HideTaskViewButton +
- Start/HideUserTile @@ -8569,6 +8664,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- Start/NoPinningToTaskbar +
- + Start/SimplifyQuickSettings +
- Start/StartLayout @@ -9045,11 +9143,11 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- Update/SetPolicyDrivenUpdateSourceForQuality -
-
- Update/SetProxyBehaviorForUpdateDetection
+
- + Update/SetProxyBehaviorForUpdateDetection
-- - Update/TargetReleaseVersion +
- + Update/TargetReleaseVersion
- @@ -9166,6 +9264,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
- + WebThreatDefense/EnableService + +
- + WebThreatDefense/NotifyMalicious + +
- + WebThreatDefense/NotifyPasswordReuse + +
- + WebThreatDefense/NotifyUnsafeApp + +
- WindowsLogon/EnableFirstLogonAnimation +
- + WindowsLogon/EnableMPRNotifications +
- WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers @@ -9324,7 +9442,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
@@ -9388,8 +9506,8 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
> Not all Policies in Policy CSP supported by Group Policy are ADMX-backed. For more details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
## Policies in Policy CSP supported by HoloLens devices
-- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md)
-- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
+- [Policies in Policy CSP supported by HoloLens 2](./policies-in-policy-csp-supported-by-hololens2.md)
+- [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](./policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
- [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](./policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
## Policies in Policy CSP supported by Windows 10 IoT
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 6c42ebfde5..172eeb0f4f 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -2105,17 +2105,17 @@ If you disable or don't configure this setting, security intelligence will be re
ADMX Info:
-- GP Friendly name: *Define security intelligence location for VDI clients*
+- GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments*
- GP name: *SecurityIntelligenceLocation*
- GP element: *SecurityIntelligenceLocation*
-- GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates*
+- GP path: *Windows Components/Microsoft Defender Antivirus/Windows Defender*
- GP ADMX file name: *WindowsDefender.admx*
- Empty string - no policy is set
-- Non-empty string - the policy is set and security intelligence is gathered from the location
+- Non-empty string - the policy is set and security intelligence is gathered from the location.
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
new file mode 100644
index 0000000000..f6ec4db880
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -0,0 +1,595 @@
+---
+title: Policy CSP - DesktopAppInstaller
+description: Learn about the Policy CSP - DesktopAppInstaller.
+ms.author: v-aljupudi
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: alekyaj
+ms.date: 08/24/2022
+ms.reviewer:
+manager: aaroncz
+---
+
+# Policy CSP - DesktopAppInstaller
+
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+ + +## DesktopAppInstaller policies + +-
+
- + DesktopAppInstaller/EnableAdditionalSources + +
- + DesktopAppInstaller/EnableAppInstaller + +
- + DesktopAppInstaller/EnableDefaultSource + +
- + DesktopAppInstaller/EnableLocalManifestFiles + +
- + DesktopAppInstaller/EnableHashOverride + +
- + DesktopAppInstaller/EnableMicrosoftStoreSource + +
- + DesktopAppInstaller/EnableMSAppInstallerProtocol + +
- + DesktopAppInstaller/EnableSettings + +
- + DesktopAppInstaller/EnableAllowedSources + +
- + DesktopAppInstaller/EnableExperimentalFeatures + +
- + DesktopAppInstaller/SourceAutoUpdateInterval + +
+ + +**DesktopAppInstaller/EnableAdditionalSources** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/). + +If you don't configure this setting, no additional sources will be configured for Windows Package Manager. + +If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/). + +If you disable this setting, no additional sources can be configured by the user for Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Additional Windows Package Manager Sources* +- GP name: *EnableAdditionalSources* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + + +**DesktopAppInstaller/EnableAppInstaller** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy. + +- If you enable or don't configure this setting, users will be able to use the Windows Package Manager. +- If you disable this setting, users won't be able to use the Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users* +- GP name: *EnableAppInstaller* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + +**DesktopAppInstaller/EnableDefaultSource** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls the default source included with the Windows Package Manager. +If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed. +- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed. +- If you disable this setting the default source for the Windows Package Manager won't be available. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Default Source* +- GP name: *EnableDefaultSource* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + +**DesktopAppInstaller/EnableLocalManifestFiles** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls whether users can install packages with local manifest files. + +- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager. +- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Local Manifest Files* +- GP name: *EnableLocalManifestFiles* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + + + +**DesktopAppInstaller/EnableHashOverride** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest. + +- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings. + +- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings. + + + + +ADMX Info: +- GP Friendly name: *Enable App Installer Hash Override* +- GP name: *EnableHashOverride* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + +**DesktopAppInstaller/EnableMicrosoftStoreSource** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls the Microsoft Store source included with the Windows Package Manager. +If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed. +- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed. +- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source* +- GP name: *EnableMicrosoftStoreSource* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + +**DesktopAppInstaller/EnableMSAppInstallerProtocol** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol. + +- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol. + +- If you disable this setting, users will not be able to install packages from websites that use this protocol. + + + + +ADMX Info: +- GP Friendly name: *Enable MS App Installer Protocol* +- GP name: *EnableMSAppInstallerProtocol* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + +**DesktopAppInstaller/EnableSettings** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy. + +- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager. +- If you disable this setting, users will not be able to change settings for Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Settings Command* +- GP name: *EnableSettings* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + +**DesktopAppInstaller/EnableAllowedSources** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy. + +- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export. +- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Settings Command* +- GP name: *EnableAllowedSources* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + +**DesktopAppInstaller/EnableExperimentalFeatures** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior. + +- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager. + +- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Enable Windows Package Manager Experimental Features* +- GP name: *EnableExperimentalFeatures* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + +**DesktopAppInstaller/SourceAutoUpdateInterval** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources. + +- If you enable this setting, the number of minutes specified will be used by Windows Package Manager. + +- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager. + + + + +ADMX Info: +- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes* +- GP name: *SourceAutoUpdateInterval* +- GP path: *Administrative Templates\Windows Components\App Package Deployment* +- GP ADMX file name: *AppxPackageManager.admx* + + + + +
+ + + +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 80986cd431..baeea5bf25 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -50,6 +50,9 @@ manager: aaroncz- Experience/AllowSyncMySettings
+- + Experience/AllowSpotlightCollection +
- Experience/AllowTailoredExperiencesWithDiagnosticData
@@ -494,6 +497,50 @@ The following list shows the supported values:
+ +**Experience/AllowSpotlightCollection** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy allows spotlight collection on the device. + +- If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings. +- If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop. + + + +The following list shows the supported values: + +- When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop +- When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft +- Default value: 1 + + + + +
+ **Experience/AllowTailoredExperiencesWithDiagnosticData** diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 5f49f1d40e..be7a776997 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -46,8 +46,13 @@ manager: aaroncz- FileExplorer/SetAllowedStorageLocations
+- + FileExplorer/DisableGraphRecentItems +
- + HumanPresence/ForceInstantDim +
- HumanPresence/ForceInstantLock @@ -33,6 +36,56 @@ manager: aaroncz
- InternetExplorer/EnableExtendedIEModeHotkeys +
- + InternetExplorer/EnableGlobalWindowListInIEMode + +
- + InternetExplorer/HideInternetExplorer11RetirementNotification +
- InternetExplorer/IncludeAllLocalSites @@ -612,6 +618,9 @@ manager: aaroncz
- InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls +
- + InternetExplorer/ResetZoomForDialogInIEMode +
- InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses @@ -4423,6 +4432,115 @@ ADMX Info: +
- Kerberos/PKInitHashAlgorithmConfiguration + +
- + Kerberos/PKInitHashAlgorithmSHA1 + +
- + Kerberos/PKInitHashAlgorithmSHA256 + +
- + Kerberos/PKInitHashAlgorithmSHA384 + +
- + Kerberos/PKInitHashAlgorithmSHA512
-
Kerberos/RequireKerberosArmoring
@@ -231,22 +243,20 @@ ADMX Info:
This policy setting controls hash or checksum algorithms used by the Kerberos client when performing certificate authentication.
-If you enable this policy, you'll be able to configure one of four states for each algorithm:
-
-* **Default**: This state sets the algorithm to the recommended state.
-* **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security.
-* **Audited**: This state enables usage of the algorithm and reports an event (ID 205) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled.
-* **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure.
+If you enable this policy, you'll be able to configure one of four states for each hash algorithm (SHA1, SHA256, SHA384, and SHA512) using their respective policies.
If you disable or don't configure this policy, each algorithm will assume the **Default** state.
+* 0 - **Disabled**
+* 1 - **Enabled**
+
More information about the hash and checksum algorithms supported by the Windows Kerberos client and their default states can be found https://go.microsoft.com/fwlink/?linkid=2169037.
ADMX Info:
-- GP Friendly name: *Introducing agility to PKINIT in Kerberos protocol*
+- GP Friendly name: *Configure Hash algorithms for certificate logon*
- GP name: *PKInitHashAlgorithmConfiguration*
- GP path: *System/Kerberos*
- GP ADMX file name: *Kerberos.admx*
@@ -256,6 +266,209 @@ ADMX Info:
+ +**Kerberos/PKInitHashAlgorithmSHA1** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting controls the configuration of the SHA1 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +* 1 - **Default**: This state sets the algorithm to the recommended state. +* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA1 algorithm will assume the **Default** state. + + + + +ADMX Info: +- GP Friendly name: *Configure Hash algorithms for certificate logon* +- GP name: *PKInitHashAlgorithmConfiguration* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/PKInitHashAlgorithmSHA256** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting controls the configuration of the SHA256 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +* 1 - **Default**: This state sets the algorithm to the recommended state. +* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA256 algorithm will assume the **Default** state. + + + + +ADMX Info: +- GP Friendly name: *Configure Hash algorithms for certificate logon* +- GP name: *PKInitHashAlgorithmConfiguration* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/PKInitHashAlgorithmSHA384** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting controls the configuration of the SHA384 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +* 1 - **Default**: This state sets the algorithm to the recommended state. +* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA384 algorithm will assume the **Default** state. + + + + +ADMX Info: +- GP Friendly name: *Configure Hash algorithms for certificate logon* +- GP name: *PKInitHashAlgorithmConfiguration* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + + +
+ + +**Kerberos/PKInitHashAlgorithmSHA512** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting controls the configuration of the SHA512 algorithm used by the Kerberos client when performing certificate authentication. This policy is only enforced if Kerberos/PKInitHashAlgorithmConfiguration is enabled. You can configure one of four states for this algorithm: + +* 0 - **Not Supported**: This state disables usage of the algorithm. This state is intended for algorithms that are deemed to be insecure. +* 1 - **Default**: This state sets the algorithm to the recommended state. +* 2 - **Audited**: This state enables usage of the algorithm and reports an event (ID 206) every time it's used. This state is intended to verify that the algorithm isn't being used and can be safely disabled. +* 3 - **Supported**: This state enables usage of the algorithm. Enabling algorithms that have been disabled by default may reduce your security. + +If you don't configure this policy, the SHA512 algorithm will assume the **Default** state. + + + + +ADMX Info: +- GP Friendly name: *Configure Hash algorithms for certificate logon* +- GP name: *PKInitHashAlgorithmConfiguration* +- GP path: *System/Kerberos* +- GP ADMX file name: *Kerberos.admx* + + + +
+ **Kerberos/RequireKerberosArmoring** @@ -456,4 +669,4 @@ Devices joined to Azure Active Directory in a hybrid environment need to interac ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-lsa.md b/windows/client-management/mdm/policy-csp-lsa.md new file mode 100644 index 0000000000..a338134343 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-lsa.md @@ -0,0 +1,131 @@ +--- +title: Policy CSP - LocalSecurityAuthority +description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS). +ms.author: vinpa +author: vinaypamnani-msft +ms.reviewer: +manager: aaroncz +ms.topic: reference +ms.prod: windows-client +ms.technology: itpro-manage +ms.localizationpriority: medium +ms.date: 08/26/2022 +--- + +# Policy CSP - LocalSecurity Authority + + +
+ + +## LocalSecurityAuthority policies + +-
+
- + LocalSecurityAuthority/AllowCustomSSPsAPs + +
- + LocalSecurityAuthority/ConfigureLsaProtectedProcess + +
+ + +**LocalSecurityAuthority/AllowCustomSSPsAPs** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs). + +If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs. + +If you disable this policy setting, LSASS will block custom SSPs and APs from loading. + + + + +ADMX Info: +- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS* +- GP name: *AllowCustomSSPsAPs* +- GP path: *System/Local Security Authority* +- GP ADMX file name: *LocalSecurityAuthority.admx* + + + + +
+ + +**Kerberos/ConfigureLsaProtectedProcess** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process. + +If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process. + +If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable. + +If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable. + + + + +ADMX Info: +- GP Friendly name: *Configure LSASS to run as a protected process* +- GP name: *ConfigureLsaProtectedProcess* +- GP path: *System/Local Security Authority* +- GP ADMX file name: *LocalSecurityAuthority.admx* + + diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index bcce2e1390..b62689625c 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -27,12 +27,36 @@ manager: aaroncz- Printers/ApprovedUsbPrintDevicesUser
+- + Printers/ConfigureCopyFilesPolicy +
+- + Printers/ConfigureDriverValidationLevel +
+- + Printers/ConfigureIppPageCountsPolicy +
+- + Printers/ConfigureRedirectionGuardPolicy +
+- + Printers/ConfigureRpcConnectionPolicy +
+- + Printers/ConfigureRpcListenerPolicy +
+- + Printers/ConfigureRpcTcpPort +
- Printers/EnableDeviceControl
- Printers/EnableDeviceControlUser
+- + Printers/ManageDriverExclusionList +
- Printers/PointAndPrintRestrictions
@@ -42,6 +66,9 @@ manager: aaroncz- Printers/PublishPrinters
+- + Printers/RestrictDriverInstallationToAdministrators +
-
+
- + RemoteDesktopServices/DoNotAllowWebAuthnRedirection +
RemoteDesktopServices/PromptForPasswordUponConnection -
@@ -130,7 +133,7 @@ ADMX Info:
-Specifies whether it require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
+Specifies whether it requires the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you're using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) isn't recommended. This policy doesn't apply to SSL encryption.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:
@@ -257,6 +260,56 @@ ADMX Info:
+ +**RemoteDesktopServices/DoNotAllowWebAuthnRedirection** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting lets you control the redirection of web authentication (WebAuthn) requests from a Remote Desktop session to the local device. This redirection enables users to authenticate to resources inside the Remote Desktop session using their local authenticator (e.g., Windows Hello for Business, security key, or other). + +By default, Remote Desktop allows redirection of WebAuthn requests. + +If you enable this policy setting, users can’t use their local authenticator inside the Remote Desktop session. + +If you disable or do not configure this policy setting, users can use local authenticators inside the Remote Desktop session. + +If you don't configure this policy setting, users can use local authenticators inside the Remote Desktop session. + + + +ADMX Info: +- GP Friendly name: *Do not allow WebAuthn redirection* +- GP name: *TS_WEBAUTHN* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* +- GP ADMX file name: *terminalserver.admx* + + + + +
+ **RemoteDesktopServices/PromptForPasswordUponConnection** @@ -367,4 +420,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 60777e520f..6f50b43ffa 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -8,7 +8,7 @@ ms.technology: windows author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/12/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz --- @@ -18,7 +18,7 @@ manager: aaroncz
-## Search policies +## Search policies-
@@ -57,6 +57,9 @@ manager: aaroncz
- Search/DisableRemovableDriveIndexing
+- + Search/DisableSearch +
- Search/DoNotUseWebResults
@@ -72,7 +75,7 @@ manager: aaroncz
-**Search/AllowCloudSearch** +**Search/AllowCloudSearch** @@ -102,7 +105,7 @@ Allow Search and Cortana to search cloud sources like OneDrive and SharePoint. T -ADMX Info: +ADMX Info: - GP Friendly name: *Allow Cloud Search* - GP name: *AllowCloudSearch* - GP element: *AllowCloudSearch_Dropdown* @@ -122,7 +125,7 @@ The following list shows the supported values:
-**Search/AllowCortanaInAAD** +**Search/AllowCortanaInAAD** @@ -152,7 +155,7 @@ This policy allows the cortana opt-in page during windows setup out of the box e -ADMX Info: +ADMX Info: - GP Friendly name: *Allow Cloud Search* - GP name: *AllowCortanaInAAD* - GP element: *AllowCloudSearch_Dropdown* @@ -171,7 +174,7 @@ This value is a simple boolean value, default false, that can be set by MDM poli
-**Search/AllowFindMyFiles** +**Search/AllowFindMyFiles** @@ -201,7 +204,7 @@ Controls if the user can configure search to Find My Files mode, which searches -ADMX Info: +ADMX Info: - GP Friendly name: *Allow Find My Files* - GP name: *AllowFindMyFiles* - GP path: *Computer Configuration/Administrative Templates/Windows Components/Search* @@ -209,7 +212,7 @@ ADMX Info: -The following list shows the supported values: +The following list shows the supported values: - 1 (Default) - Find My Files feature can be toggled (still off by default), and the settings UI is present. - 0 - Find My Files feature is turned off completely, and the settings UI is disabled. @@ -226,7 +229,7 @@ The following list shows the supported values:
-**Search/AllowIndexingEncryptedStoresOrItems** +**Search/AllowIndexingEncryptedStoresOrItems** @@ -262,7 +265,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP Friendly name: *Allow indexing of encrypted files* - GP name: *AllowIndexingEncryptedStoresOrItems* - GP path: *Windows Components/Search* @@ -281,7 +284,7 @@ The following list shows the supported values:
-**Search/AllowSearchToUseLocation** +**Search/AllowSearchToUseLocation** @@ -313,7 +316,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP Friendly name: *Allow search and Cortana to use location* - GP name: *AllowSearchToUseLocation* - GP path: *Windows Components/Search* @@ -332,7 +335,7 @@ The following list shows the supported values:
-**Search/AllowSearchHighlights** +**Search/AllowSearchHighlights** @@ -361,11 +364,11 @@ The following list shows the supported values: This policy controls whether search highlights are shown in the search box or in search home. - If you enable this policy setting, then this setting turns on search highlights in the search box or in the search home. -- If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home. +- If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home. -ADMX Info: +ADMX Info: - GP Friendly name: *Allow search and highlights* - GP name: *AllowSearchHighlights* - GP path: *Windows Components/Search* @@ -375,15 +378,13 @@ ADMX Info: The following list shows the supported values in Windows 10: -- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. - -- Disabled – Disabling this setting turns off search highlights in the taskbar search box and in search home. +- 1 (default) - Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. +- 0 - Disabling this setting turns off search highlights in the taskbar search box and in search home. The following list shows the supported values in Windows 11: -- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. - -- Disabled – Disabling this setting turns off search highlights in the start menu search box and in search home. +- 1 (default) - Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. +- 0 - Disabling this setting turns off search highlights in the start menu search box and in search home. @@ -391,7 +392,7 @@ The following list shows the supported values in Windows 11:
-**Search/AllowStoringImagesFromVisionSearch** +**Search/AllowStoringImagesFromVisionSearch** This policy has been deprecated. @@ -402,7 +403,7 @@ This policy has been deprecated.
-**Search/AllowUsingDiacritics** +**Search/AllowUsingDiacritics** @@ -434,7 +435,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP Friendly name: *Allow use of diacritics* - GP name: *AllowUsingDiacritics* - GP path: *Windows Components/Search* @@ -453,7 +454,7 @@ The following list shows the supported values:
-**Search/AllowWindowsIndexer** +**Search/AllowWindowsIndexer** @@ -487,7 +488,7 @@ Allow Windows indexer. Supported value type is integer.
-**Search/AlwaysUseAutoLangDetection** +**Search/AlwaysUseAutoLangDetection** @@ -519,7 +520,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP Friendly name: *Always use automatic language detection when indexing content and properties* - GP name: *AlwaysUseAutoLangDetection* - GP path: *Windows Components/Search* @@ -538,7 +539,7 @@ The following list shows the supported values:
-**Search/DisableBackoff** +**Search/DisableBackoff** @@ -568,7 +569,7 @@ If enabled, the search indexer backoff feature will be disabled. Indexing will c -ADMX Info: +ADMX Info: - GP Friendly name: *Disable indexer backoff* - GP name: *DisableBackoff* - GP path: *Windows Components/Search* @@ -587,7 +588,7 @@ The following list shows the supported values:
-**Search/DisableRemovableDriveIndexing** +**Search/DisableRemovableDriveIndexing** @@ -621,7 +622,7 @@ If you disable or don't configure this policy setting, locations on removable dr -ADMX Info: +ADMX Info: - GP Friendly name: *Do not allow locations on removable drives to be added to libraries* - GP name: *DisableRemovableDriveIndexing* - GP path: *Windows Components/Search* @@ -640,7 +641,58 @@ The following list shows the supported values:
-**Search/DoNotUseWebResults** +**Search/DisableSearch** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|Yes| +|Windows SE|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +
+ + + +This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures. + +It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box. + + + +ADMX Info: + +- GP Friendly name: *Fully disable Search UI* +- GP name: *DisableSearch* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + + +The following list shows the supported values: + +- 0 (default) – Do not disable search. +- 1 – Disable search. + + + + +
+ + +**Search/DoNotUseWebResults** @@ -676,7 +728,7 @@ This policy setting allows you to control whether or not Search can perform quer -ADMX Info: +ADMX Info: - GP Friendly name: *Don't search the web or display web results in Search* - GP name: *DoNotUseWebResults* - GP path: *Windows Components/Search* @@ -695,7 +747,7 @@ The following list shows the supported values:
-**Search/PreventIndexingLowDiskSpaceMB** +**Search/PreventIndexingLowDiskSpaceMB** @@ -729,7 +781,7 @@ When this policy is disabled or not configured, Windows Desktop Search automatic -ADMX Info: +ADMX Info: - GP Friendly name: *Stop indexing in the event of limited hard drive space* - GP name: *StopIndexingOnLimitedHardDriveSpace* - GP path: *Windows Components/Search* @@ -748,7 +800,7 @@ The following list shows the supported values:
-**Search/PreventRemoteQueries** +**Search/PreventRemoteQueries** @@ -774,11 +826,11 @@ The following list shows the supported values: -If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index.. +If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index. -ADMX Info: +ADMX Info: - GP Friendly name: *Prevent clients from querying the index remotely* - GP name: *PreventRemoteQueries* - GP path: *Windows Components/Search* diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index e794d81f7b..faf949f902 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -56,6 +56,12 @@ manager: aaroncz- Start/DisableContextMenus
+- + Start/DisableControlCenter +
+- + Start/DisableEditingQuickSettings +
- Start/ForceStartSize
@@ -86,6 +92,9 @@ manager: aaroncz- Start/HideRecentlyAddedApps
+- + Start/HideRecommendedSection +
- Start/HideRestart
@@ -101,6 +110,9 @@ manager: aaroncz- Start/HideSwitchAccount
+- + Start/HideTaskViewButton +
- Start/HideUserTile
@@ -113,6 +125,9 @@ manager: aaroncz- Start/ShowOrHideMostUsedApps
+- + Start/SimplifyQuickSettings +
- Start/StartLayout
@@ -665,6 +680,100 @@ The following list shows the supported values: +
+ + +**Start/DisableControlCenter** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume. + +If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled. + +>[!Note] +> A reboot is required for this policy setting to take effect. + + + + +ADMX Info: +- GP Friendly name: *Remove control center* +- GP name: *DisableControlCenter* +- GP path: *Start Menu and Taskbar* +- GP ADMX file name: *Taskbar.admx* + + + +The following are the supported values: + +- Integer 0 - Disabled/Not configured. +- Integer 1 - Enabled. + + + +
+ + +**Start/DisableEditingQuickSettings** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy will allow admins to indicate whether Quick Actions can be edited by the user. + + + +The following are the supported values: + +- 0: Allow editing Quick Actions (default) +- 1: Disable editing Quick Actions + + +
@@ -1208,6 +1317,47 @@ To validate on Desktop, do the following steps:
+ +**Start/HideRecommendedSection** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +This policy allows you to hide the Start Menu's Recommended section when enabled. + + + +The following are the supported values: + +- 0 (default): Do not hide the Start menu's Recommended section. +- 1: Hide the Start menu's Recommended section. + + + +
+ **Start/HideRestart** @@ -1453,6 +1603,48 @@ To validate on Desktop, do the following steps:
+ +**Start/HideTaskViewButton** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +This policy allows you to hide the Task View button from the Taskbar and its corresponding option in the Settings app. + + + +The following are the supported values: + +- 0 (default): Do not hide the Taskbar's Task View button. +- 1: Hide the Taskbar's Task View button. + + + + +
+ **Start/HideUserTile** @@ -1622,38 +1814,15 @@ To validate on Desktop, do the following steps: **Start/ShowOrHideMostUsedApps** --
+ +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes|- -Edition -Windows 10 -Windows 11 -- -Home -No -No -- -Pro -Yes -Yes -- -Business -Yes -Yes -- -Enterprise -Yes -Yes -- -Education -Yes -Yes -
@@ -1686,6 +1855,47 @@ On clean install, the user setting defaults to "hide".
+ +**Start/SimplifyQuickSettings** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy will allow admins to indicate whether the default or simplified Quick Actions layout should be loaded. + + + +The following are the supported values: + +- 0: load regular Quick Actions layout. +- 1: load simplified Quick Actions layout. + + + + +
+ **Start/StartLayout** @@ -1746,4 +1956,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 26dfc16e2f..e056057f7a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -138,6 +138,9 @@ ms.collection: highpri - Update/ManagePreviewBuilds + +
- + Update/NoUpdateNotificationDuringActiveHours
-
Update/PauseDeferrals
@@ -2382,6 +2385,55 @@ The following list shows the supported values:
+ +**Update/NoUpdateNotificationDuringActiveHours** + + +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy can be used in conjunction with Update/ActiveHoursStart and Update/ActiveHoursEnd policies to ensure that the end user sees no update notifications during active hours until deadline is reached. Note - if no active hour period is configured then this will apply to the intelligent active hours window calculated on the device. + +Supported value type is a boolean. + +0 (Default) This configuration will provide the default behavior (notifications may display during active hours) +1: This setting will prevent notifications from displaying during active hours. + + + +ADMX Info: +- GP Friendly name: *Display options for update notifications* +- GP name: *NoUpdateNotificationDuringActiveHours* +- GP element: *NoUpdateNotificationDuringActiveHours* +- GP path: *Windows Components\WindowsUpdate\Manage end user experience* +- GP ADMX file name: *WindowsUpdate.admx* + + + +
+ + **Update/PauseDeferrals** diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md new file mode 100644 index 0000000000..5dc80b41a1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -0,0 +1,233 @@ +--- +title: Policy CSP - WebThreatDefense +description: Learn about the Policy CSP - WebThreatDefense. +ms.author: v-aljupudi +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: alekyaj +ms.localizationpriority: medium +ms.date: 09/27/2019 +ms.reviewer: +manager: aaroncz +--- + +# Policy CSP - WebThreatDefense + + +
+ + +## WebThreatDefense policies + +-
+
- + WebThreatDefense/EnableService + +
- + WebThreatDefense/NotifyMalicious + +
- + WebThreatDefense/NotifyPasswordReuse + +
- + WebThreatDefense/NotifyUnsafeApp + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender. + +If you enable this policy setting or don’t configure this setting, Enhanced Phishing Protection is enabled in audit mode, and your users are unable to turn it off. + +If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on. + + + +ADMX Info: +- GP Friendly name: *Configure Web Threat Defense* +- GP name: *EnableWebThreatDefenseService* +- GP path: *Windows Security\App & browser control\Reputation-based protection\Phishing protections* +- GP ADMX file name: *WebThreatDefense.admx* + + + +The following list shows the supported values: + +- 0: Turns off Enhanced Phishing Protection. +- 1: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users. + + + + + +
+ + +**WebThreatDefense/NotifyMalicious** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Windows SE|No|Yes| +|Business|No|No| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. + +If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above, and encourages them to change their password. + +If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above. + + + +The following list shows the supported values: + +- 0: Turns off Enhanced Phishing Protection notifications when users type their work or school password into one of the following malicious scenarios: a reported phishing site, a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. +- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. + + + +
+ + +**WebThreatDefense/NotifyPasswordReuse** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Windows SE|No|Yes| +|Business|No|No| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password. + +If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it. + +If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password. + + + +The following list shows the supported values: + +- 0: Turns off Enhanced Phishing Protection notifications when users reuse their work or school password. +- 1: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. + + + + +
+ + +**WebThreatDefense/NotifyUnsafeApp** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Windows SE|No|Yes| +|Business|No|No| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc. + +If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in text editor apps. + +If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps. + + +The following list shows the supported values: + +- 0: Turns off Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc. +- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps. + + + +
+ +## Related topics + +[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md index bb762016fc..0bc134a4cc 100644 --- a/windows/client-management/mdm/policy-csp-windowslogon.md +++ b/windows/client-management/mdm/policy-csp-windowslogon.md @@ -35,6 +35,9 @@ manager: aaroncz- WindowsLogon/EnableFirstLogonAnimation
+- + WindowsLogon/EnableMPRNotifications +
- WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers
@@ -362,6 +365,52 @@ Supported values:
+ +**WindowsLogon/EnableMPRNotifications** + + +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy allows winlogon to send MPR notifications in the system if a credential manager is configured. + +If you disable (0), MPR notifications will not be sent by winlogon. + +If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon. + + + +Supported values: + +- 0 - disabled +- 1 (default)- enabled + + + + +
+ **WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers** diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md index f3891cb68f..1c50ab927a 100644 --- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md +++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md @@ -128,7 +128,7 @@ This policy setting allows you to turn off discovering the display service adver The following list shows the supported values: -- 0 - Don't allow +- 0 - Doesn't allow - 1 - Allow @@ -166,9 +166,9 @@ The table below shows the applicability of Windows: This policy setting allows you to disable the infrastructure movement detection feature. -If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you're projecting over infrastructure. +- If you set it to 0, your PC may stay connected and continue to project if you walk away from a Wireless Display receiver to which you are projecting over infrastructure. -If you set it to 1, your PC will detect that you've moved and will automatically disconnect your infrastructure Wireless Display session. +- If you set it to 1, your PC will detect that you have moved and will automatically disconnect your infrastructure Wireless Display session. The default value is 1. @@ -177,7 +177,7 @@ The default value is 1. The following list shows the supported values: -- 0 - Don't allow +- 0 - Doesn't allow - 1 (Default) - Allow diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md index 2f16f647de..dcc9b9b0f9 100644 --- a/windows/client-management/mdm/secureassessment-csp.md +++ b/windows/client-management/mdm/secureassessment-csp.md @@ -32,6 +32,10 @@ The following example shows the SecureAssessment configuration service provider SecureAssessment ----LaunchURI ----TesterAccount +----AllowScreenMonitoring +----RequirePrinting +----AllowTextSuggestions +----Assessments ``` **./Vendor/MSFT/SecureAssessment** The root node for the SecureAssessment configuration service provider. @@ -67,9 +71,63 @@ Added in Windows 10, version 1703. Boolean value that indicates whether keyboard Supported operations are Get and Replace. +**Assessments** +Added in Windows 11, version 22H2. Enables support for multiple assessments. When configured, users can select from a list of assessments. The node accepts an XML string that represents the list of available assessments. + +Supported operations are Add, Delete, Get and Replace. + +XML schema + +```xml ++ +``` + ## Related topics -[Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) +[Set up Take a Test](/education/windows/take-a-test-multiple-pcs) [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index 1e4509043f..84c80b01df 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -1,14 +1,14 @@ --- title: SharedPC CSP description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: w10 ms.technology: windows author: vinaypamnani-msft -ms.date: 01/16/2019 +ms.date: 09/23/2022 --- # SharedPC CSP @@ -31,6 +31,7 @@ The following example shows the SharedPC configuration service provider manageme ./Vendor/MSFT SharedPC ----EnableSharedPCMode +----EnableSharedPCModeWithOneDriveSync ----SetEduPolicies ----SetPowerPolicies ----MaintenanceStartTime @@ -47,12 +48,12 @@ SharedPC ----InactiveThreshold ----MaxPageFileSizeMB ``` -**./Vendor/MSFT/SharedPC** +**./Vendor/MSFT/SharedPC** The root node for the SharedPC configuration service provider. The supported operation is Get. -**EnableSharedPCMode** +**EnableSharedPCMode** A boolean value that specifies whether Shared PC mode is enabled. The supported operations are Add, Get, Replace, and Delete. @@ -61,71 +62,60 @@ Setting this value to True triggers the action to configure a device to Shared P The default value is Not Configured and SharedPC mode is not enabled. -**SetEduPolicies** +**EnableSharedPCModeWithOneDriveSync** +Setting this node to true triggers the action to configure a device to Shared PC mode with OneDrive sync turned on. + +The supported operations are Add, Get, Replace, and Delete. + +The default value is false. + +**SetEduPolicies** A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment. The supported operations are Add, Get, Replace, and Delete. -The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. +The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured. -**SetPowerPolicies** +**SetPowerPolicies** Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode. -> [!NOTE] -> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. - The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True. -**MaintenanceStartTime** +**MaintenanceStartTime** Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440. -> [!NOTE] -> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. - The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM). -**SignInOnResume** +**SignInOnResume** Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. -> [!NOTE] -> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. - The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured and its value in the SharedPC provisioning package is True. -**SleepTimeout** -The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. - -> [!NOTE] -> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. +**SleepTimeout** +The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600. -**EnableAccountManager** +**EnableAccountManager** A boolean that enables the account manager for shared PC mode. -> [!NOTE] -> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. - The supported operations are Add, Get, Replace, and Delete. The default value is Not Configured and its value in the SharedPC provisioning package is True. -**AccountModel** +**AccountModel** Configures which type of accounts are allowed to use the PC. -> [!NOTE] -> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. - The supported operations are Add, Get, Replace, and Delete. The following list shows the supported values: @@ -136,12 +126,9 @@ The following list shows the supported values: Its value in the SharedPC provisioning package is 1 or 2. -**DeletionPolicy** +**DeletionPolicy** Configures when accounts are deleted. -> [!NOTE] -> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. - The supported operations are Add, Get, Replace, and Delete. For Windows 10, version 1607, here's the list shows the supported values: @@ -149,7 +136,7 @@ For Windows 10, version 1607, here's the list shows the supported values: - 0 - Delete immediately. - 1 (default) - Delete at disk space threshold. -For Windows 10, version 1703, here's the list of supported values: +For Windows 10, version 1703, here's the list of supported values: - 0 - Delete immediately. - 1 - Delete at disk space threshold. @@ -157,72 +144,54 @@ For Windows 10, version 1703, here's the list of supported values: The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2. -**DiskLevelDeletion** +**DiskLevelDeletion** Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first. -> [!NOTE] -> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. - The default value is Not Configured. Its default value in the SharedPC provisioning package is 25. For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a daily maintenance period, accounts will be deleted (oldest last used first) when the system is idle until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under half of the deletion threshold and disk space is low, regardless of whether the PC is actively in use or not. The supported operations are Add, Get, Replace, and Delete. -**DiskLevelCaching** +**DiskLevelCaching** Sets the percentage of available disk space a PC should have before it stops deleting cached accounts. -> [!NOTE] -> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. - The default value is Not Configured. The default value in the SharedPC provisioning package is 25. For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately on signing out from an account if free space is under the deletion threshold and disk space is low, regardless whether the PC is actively in use or not. The supported operations are Add, Get, Replace, and Delete. -**RestrictLocalStorage** -Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. +**RestrictLocalStorage** +Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False. -> [!NOTE] -> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. +**KioskModeAUMID** +Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. -**KioskModeAUMID** -Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. +- Value type is string. +- Supported operations are Add, Get, Replace, and Delete. -- Value type is string. -- Supported operations are Add, Get, Replace, and Delete. +**KioskModeUserTileDisplayText** +Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional. -> [!NOTE] -> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. +Value type is string. Supported operations are Add, Get, Replace, and Delete. -**KioskModeUserTileDisplayText** -Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional. - -Value type is string. Supported operations are Add, Get, Replace, and Delete. - -> [!NOTE] -> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. - -**InactiveThreshold** +**InactiveThreshold** Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days. -- The default value is Not Configured. -- Value type is integer. +- The default value is Not Configured. +- Value type is integer. - Supported operations are Add, Get, Replace, and Delete. The default in the SharedPC provisioning package is 30. -**MaxPageFileSizeMB** -Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional. +**MaxPageFileSizeMB** +Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional. -> [!NOTE] -> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. - -- Default value is Not Configured. -- Value type is integer. +- Default value is Not Configured. +- Value type is integer. - Supported operations are Add, Get, Replace, and Delete. The default in the SharedPC provisioning package is 1024. diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 1eb414317a..75667401c6 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -1,7 +1,7 @@ --- title: SharedPC DDF file description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP). -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -70,6 +70,32 @@ The XML below is the DDF for Windows 10, version 1703.+ ++ +English exam +https://contoso.com/english ++ +Math exam +https://contoso.com/math ++ +Geography exam +https://contoso.com/geography +
-
@@ -57,6 +57,9 @@ manager: aaroncz
-
-### ADMX_Thumbnails policies
+### ADMX_Thumbnails policies
-
-### ADMX_WinCal policies
+### ADMX_WinCal policies
-
-### ADMX_WPN policies
+### ADMX_WPN policies
-
+
-
@@ -6550,6 +6588,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
+
-
@@ -9308,6 +9423,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
@@ -276,10 +281,10 @@ This policy configures the folders that the user can enumerate and access in the The following list shows the supported values: - 0: All folders -- 15:Desktop, Documents, Pictures, and Downloads -- 31:Desktop, Documents, Pictures, Downloads, and Network -- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads -- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network +- 15: Desktop, Documents, Pictures, and Downloads +- 31: Desktop, Documents, Pictures, Downloads, and Network +- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads +- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network @@ -331,7 +336,7 @@ This policy configures the folders that the user can enumerate and access in the The following list shows the supported values: -- 0: all storage locations +- 0: All storage locations - 1: Removable Drives - 2: Sync roots - 3: Removable Drives, Sync roots, local drive @@ -350,9 +355,62 @@ ADMX Info:
+ +**FileExplorer/DisableGraphRecentItems** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|Yes| +|Windows SE|No|Yes| +|Business|No|No| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + + +This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer. + + + + +The following list shows the supported values: + +- 0: Files from Office.com will display in the Home node +- 1: No files from Office.com will be retrieved or displayed + + + + +ADMX Info: +- GP Friendly name: *Turn off files from Office.com in Quick access view* +- GP name: *DisableGraphRecentItems* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
+ ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md index df30b8f920..d1a49971c5 100644 --- a/windows/client-management/mdm/policy-csp-humanpresence.md +++ b/windows/client-management/mdm/policy-csp-humanpresence.md @@ -20,6 +20,9 @@ manager: aaroncz ## HumanPresence policies
-
+
+ +**HumanPresence/ForceInstantDim** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|Yes| +|Business|No|No| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This feature dims the screen based on user attention. This is a power saving feature that prolongs battery charge. + + + +ADMX Info: +- GP Friendly name: *Force Instant Dim* +- GP name: *ForceInstantDim* +- GP path: *Windows Components/Human Presence* +- GP ADMX file name: *Sensors.admx* + + + +The following list shows the supported values: + +- 2 = ForcedOff +- 1 = ForcedOn +- 0 = DefaultToUserChoice +- Defaults to 0. + + + + +
+ **HumanPresence/ForceInstantLock** diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index ef76b0c2fb..c92b313661 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -213,6 +213,12 @@ manager: aaroncz
+ + +**InternetExplorer/EnableGlobalWindowListInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This setting allows Internet Explorer mode to use the global window list that enables sharing state with other applications. +The setting will take effect only when Internet Explorer 11 is disabled as a standalone browser. + +- If you enable this policy, Internet Explorer mode will use the global window list. + +- If you disable or don’t configure this policy, Internet Explorer mode will continue to maintain a separate window list. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Enable global window list in Internet Explorer mode* +- GP name: *EnableGlobalWindowListInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
+ + +**InternetExplorer/HideInternetExplorer11RetirementNotification** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|No| +|Windows SE|No|No| +|Business|Yes|No| +|Enterprise|Yes|No| +|Education|Yes|No| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting allows you to manage whether the notification bar reminder that Internet Explorer is being retired is displayed. By default, the Notification bar is displayed in Internet Explorer 11. + +- If you enable this policy setting, the notification bar will not be displayed in Internet Explorer 11. + +- If you disable, or do not configure, this policy setting, the notification bar will be displayed in Internet Explorer 11. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Hide Internet Explorer 11 retirement notification* +- GP name: *DisableIEAppDeprecationNotification* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + +
**InternetExplorer/IncludeAllLocalSites** @@ -11161,6 +11279,60 @@ ADMX Info:
+ +**InternetExplorer/ResetZoomForDialogInIEMode** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting lets admins reset zoom to default for HTML dialogs in Internet Explorer mode. + +- If you enable this policy, the zoom of an HTML dialog in Internet Explorer mode will not get propagated from its parent page. + +- If you disable, or don't configure this policy, the zoom of an HTML dialog in Internet Explorer mode will be set based on the zoom of it's parent page. + + + +The following list shows the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + +ADMX Info: +- GP Friendly name: *Reset zoom to default for HTML dialogs in Internet Explorer mode* +- GP name: *ResetZoomForDialogInIEMode* +- GP path: *Windows Components/Internet Explorer/Main* +- GP ADMX file name: *inetres.admx* + + + + +
+ **InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses** diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md index 0e1fdaeb77..3c77cc2e2c 100644 --- a/windows/client-management/mdm/policy-csp-kerberos.md +++ b/windows/client-management/mdm/policy-csp-kerberos.md @@ -31,6 +31,18 @@ manager: aaroncz
| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
@@ -109,7 +112,6 @@ These requirements include restricting printing to USB connected printers that m This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled. The format of this setting is `
| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
@@ -194,42 +172,423 @@ ADMX Info:
+ +**Printers/ConfigureCopyFilesPolicy** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update. + +The default value of the policy will be Unconfigured. + +If the policy object is either Unconfigured or Disabled, the code will default to *SyncCopyFilestoColorFolderOnly* as the value and process the CopyFiles entries as appropriate. + +If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. + +The following are the supported values: + +Type: DWORD. Defaults to 1. + +- 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections. +- 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value. +- 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections. + + + + +ADMX Info: +- GP Friendly name: *Manage processing of Queue-specific files* +- GP name: *ConfigureCopyFilesPolicy* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ + +**Printers/ConfigureDriverValidationLevel** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update. + +The default value of the policy will be Unconfigured. + +If the policy object is either Unconfigured or Disabled, the code will default to *DriverValidationLevel_Legacy* as the value and process the print driver digital signatures as appropriate. + +If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. + +The following are the supported values: + +Type: DWORD. Defaults to 4. + +- 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer. +- 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer. +- 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL). +- 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store. +- 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer. + + + +ADMX Info: +- GP Friendly name: *Manage Print Driver signature validation* +- GP name: *ConfigureDriverValidationLevel* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ + +**Printers/ConfigureIppPageCountsPolicy** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack. + +The default value of the policy will be Unconfigured. + +If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary. + +If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs. + +The following are the supported values: + +AlwaysSendIppPageCounts: DWORD. Defaults to 0. + +- 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**. +- 1 (Enabled) - Job accounting information will always be sent for IPP print jobs. + + + + +ADMX Info: +- GP Friendly name: *Always send job page count information for IPP printers* +- GP name: *ConfigureIppPageCountsPolicy* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ + +**Printers/ConfigureRedirectionGuardPolicy** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process. + +The default value of the policy will be Unconfigured. + +If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used. + +If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly. + +The following are the supported values: + +Type: DWORD, defaults to 1. + +- 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process. +- 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used. +- 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled. + + + + +ADMX Info: +- GP Friendly name: *Configure Redirection Guard* +- GP name: *ConfigureRedirectionGuardPolicy* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ + +**Printers/ConfigureRpcConnectionPolicy** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack. + +There are 2 values which can be configured: + +- RpcUseNamedPipeProtocol DWORD + - 0: RpcOverTcp (default) + - 1: RpcOverNamedPipes +- RpcAuthentication DWORD + - 0: RpcConnectionAuthenticationDefault (default) + - 1: RpcConnectionAuthenticationEnabled + - 2: RpcConnectionAuthenticationDisabled + +The default value of the policy will be Unconfigured. + +If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines. + +If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly. + +The following are the supported values: + +- Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines. +- Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication. + + + + +ADMX Info: +- GP Friendly name: *Configure RPC connection settings* +- GP name: *ConfigureRpcConnectionPolicy* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ + +**Printers/ConfigureRpcListenerPolicy** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack. + +There are 2 values which can be configured: +- RpcProtocols DWORD + - 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes + - 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default) + - 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP +- ForceKerberosForRpc DWORD + - 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support + - 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication + +The default value of the policy will be Unconfigured. + +If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*. + +If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly. + +The following are the supported values: + +- Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol. +- Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use. + + + + +ADMX Info: +- GP Friendly name: *Configure RPC listener settings* +- GP name: *ConfigureRpcListenerPolicy* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ + +**Printers/ConfigureRpcTcpPort** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This new Group Policy entry will be used to manage a new DWORD Value added under the the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack. + +- RpcTcpPort DWORD + - 0: Use dynamic TCP ports for RPC over TCP (default). + - 1-65535: Use the given port for RPC over TCP. + +The default value of the policy will be Unconfigured. + +If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*. + +If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly. + +The following are the supported values: + +- Not configured or Disabled - The print stack uses dynamic TCP ports for RPC over TCP. +- Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP. + + + + +ADMX Info: +- GP Friendly name: *Configure RPC over TCP port* +- GP name: *ConfigureRpcTcpPort* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ **Printers/EnableDeviceControl** -
| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
@@ -274,38 +633,14 @@ ADMX Info: **Printers/EnableDeviceControlUser** -
| Edition | -Windows 10 | -Windows 11 | -
|---|---|---|
| Home | -No | -No | -
| Pro | -Yes | -Yes | -
| Business | -Yes | -Yes | -
| Enterprise | -Yes | -Yes | -
| Education | -Yes | -Yes | -
@@ -345,6 +680,62 @@ ADMX Info:
+ +**Printers/ManageDriverExclusionList** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update. + +The default value of the policy will be Unconfigured. + +If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list. + +If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value. + +The following are the supported values: + +Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` + +Type: REG_SZ +Value Name: Hash of excluded file +Value Data: Name of excluded file + + + + +ADMX Info: +- GP Friendly name: *Manage Print Driver exclusion list* +- GP name: *ManageDriverExclusionList* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ **Printers/PointAndPrintRestrictions** @@ -548,6 +939,61 @@ ADMX Info:
+ +**Printers/RestrictDriverInstallationToAdministrators** + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Windows SE|No|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users. + +This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup. + +The default value of the policy will be Unconfigured. + +If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer. + +If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer. + +The following are the supported values: + +- Not configured or Enabled - Only administrators can install print drivers on the computer. +- Disabled - Standard users are allowed to install print drivers on the computer. + + + + +ADMX Info: +- GP Friendly name: *Restrict installation of print drivers to Administrators* +- GP name: *RestrictDriverInstallationToAdministrators* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ ## Related topics diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 09f3f50725..5d03cb7066 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md @@ -33,6 +33,9 @@ manager: aaroncz RemoteDesktopServices/DoNotAllowPasswordSaving
- -
-
- **Figure 2. The “Who owns this PC?” page in initial Windows 10 setup**
-
-2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 3**.- -
-
- **Figure 3. The “Choose how you’ll connect” page in initial Windows 10 setup**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 4**.- -
-
- **Figure 4. The “Let’s get you signed in” page in initial Windows 10 setup**
-
-Now the device is Azure AD–joined to the company’s subscription.
-
-**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 installed and set up**
-
->[!IMPORTANT]
->Make sure that the user you're signing in with is **not** a BUILTIN/Administrator. That user cannot use the `+ Connect` button to join a work or school account.
-
-1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 5**.- -
-
- **Figure 5. Connect to work or school configuration in Settings**
-
-2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 6**.- -
-
- **Figure 6. Set up a work or school account**
-
-3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 7**.- -
-
- **Figure 7. The “Let’s get you signed in” dialog box**
-
-Now the device is Azure AD–joined to the company's subscription.
-
-### Step 2: Pro edition activation
-
-> [!IMPORTANT]
-> If your device is running Windows 10, version 1803 or later, this step isn't needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
-> If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings > Update & Security > Activation**, as illustrated in **Figure 7a**.
-
--
-Figure 7a - Windows 10 Pro activation in Settings - -Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only). - -### Step 3: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the users will sign in by using their Azure AD account, as illustrated in **Figure 8**. The Windows 10 Enterprise E3 or E5 license associated with the user will enable Windows 10 Enterprise edition capabilities on the device. - -
-
-**Figure 8. Sign in by using Azure AD account**
-
-### Step 4: Verify that Enterprise edition is enabled
-
-You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
-
--
-
-**Figure 9 - Windows 10 Enterprise subscription in Settings**
-
-If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-
-> [!NOTE]
-> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
-> Name: Windows(R), Professional edition
-> Description: Windows(R) Operating System, RETAIL channel
-> Partial Product Key: 3V66T
+- Make sure that the following group policy setting is **disabled**: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not connect to any Windows Update Internet locations.
## Virtual Desktop Access (VDA)
-Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
-
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
-
-## Troubleshoot the user experience
-
-In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
-
-- The existing Windows 10 Pro, version 1703 or 1709 operating system isn't activated. This problem doesn't apply to Windows 10, version 1803 or later.
-- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
-
-Use the following figures to help you troubleshoot when users experience these common problems:
-
-- [Figure 9](#win-10-activated-subscription-active) (see the section above) illustrates a device in a healthy state, where Windows 10 Pro is activated and the Windows 10 Enterprise subscription is active.
-
-- [Figure 10](#win-10-not-activated) (below) illustrates a device on which Windows 10 Pro isn't activated, but the Windows 10 Enterprise subscription is active.
-
- -
- Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings - -- [Figure 11](#subscription-not-active) (below) illustrates a device on which Windows 10 Pro is activated, but the Windows 10 Enterprise subscription is lapsed or removed. - -
-
- Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings - -- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license isn't activated and the Windows 10 Enterprise subscription is lapsed or removed. - -
-
- Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1703 (or later), and be Azure Active Directory-joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory-joined:** - -1. Open a command prompt and type **dsregcmd /status**. -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined. - -**To determine the version of Windows 10:** - -At a command prompt, type: **winver** - -A popup window will display the Windows 10 version number and detailed OS build information. - -If a device is running a version of Windows 10 Pro prior to version 1703 (for example, version 1511), it will not be upgraded to Windows 10 Enterprise when a user signs in, even if the user has been assigned a subscription in the CSP portal. - -### Delay in the activation of Enterprise License of Windows 10 - -This delay is by design. Windows 10 and Windows 11 include a built-in cache that is used when determining upgrade eligibility, including responses that indicate that the device isn't eligible for an upgrade. It can take up to four days after a qualifying purchase before the upgrade eligibility is enabled and the cache expires. +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). +Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Azure AD-joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md). diff --git a/windows/deployment/deploy-windows-to-go.md b/windows/deployment/deploy-windows-to-go.md index d398777f84..3f3f880cc0 100644 --- a/windows/deployment/deploy-windows-to-go.md +++ b/windows/deployment/deploy-windows-to-go.md @@ -33,7 +33,7 @@ The following is a list of items that you should be aware of before you start th * When running a Windows To Go workspace, always shutdown the workspace before unplugging the drive. -* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. You can download Configuration Manager for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkId=618746). For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). +* Configuration Manager SP1 and later includes support for user self-provisioning of Windows To Go drives. For more information on this deployment option, see [How to Provision Windows To Go in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/jj651035(v=technet.10)). * If you're planning on using a USB drive duplicator to duplicate Windows To Go drives, don't configure offline domain join or BitLocker on the drive. diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 6e2cfcba95..ad1f0f4c84 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -21,9 +21,8 @@ "files": [ "**/*.png", "**/*.jpg", - "**/*.gif", - "**/*.pdf", - "**/*.vsdx" + "**/*.svg", + "**/*.gif" ], "exclude": [ "**/obj/**", @@ -37,9 +36,6 @@ "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", - "ms.technology": "windows", - "audience": "ITPro", - "ms.topic": "article", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332", diff --git a/windows/deployment/images/before.png b/windows/deployment/images/before.png deleted file mode 100644 index 1a50878670..0000000000 Binary files a/windows/deployment/images/before.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa1.png b/windows/deployment/images/sa-mfa1.png deleted file mode 100644 index 045e5a7794..0000000000 Binary files a/windows/deployment/images/sa-mfa1.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa2.png b/windows/deployment/images/sa-mfa2.png deleted file mode 100644 index 1964a7b263..0000000000 Binary files a/windows/deployment/images/sa-mfa2.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa3.png b/windows/deployment/images/sa-mfa3.png deleted file mode 100644 index 8987eac97b..0000000000 Binary files a/windows/deployment/images/sa-mfa3.png and /dev/null differ diff --git a/windows/deployment/images/sa-pro-activation.png b/windows/deployment/images/sa-pro-activation.png deleted file mode 100644 index 4066c45dad..0000000000 Binary files a/windows/deployment/images/sa-pro-activation.png and /dev/null differ diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index bb24db00ba..a7dbbcc6f0 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml @@ -95,13 +95,13 @@ landingContent: url: /microsoftteams/faq-support-remote-workforce # Card (optional) - - title: Microsoft Learn + - title: Microsoft Learn training linkLists: - linkListType: learn links: - text: Plan to deploy updates for Windows 10 and Microsoft 365 Apps - url: /learn/modules/windows-plan + url: /training/modules/windows-plan - text: Prepare to deploy updates for Windows 10 and Microsoft 365 Apps - url: /learn/modules/windows-prepare/ + url: /training/modules/windows-prepare/ - text: Deploy updates for Windows 10 and Microsoft 365 Apps - url: /learn/modules/windows-deploy \ No newline at end of file + url: /training/modules/windows-deploy diff --git a/windows/deployment/media/Windows10AutopilotFlowchart.pdf b/windows/deployment/media/Windows10AutopilotFlowchart.pdf deleted file mode 100644 index 5ab6f1c52e..0000000000 Binary files a/windows/deployment/media/Windows10AutopilotFlowchart.pdf and /dev/null differ diff --git a/windows/deployment/media/Windows10Autopilotflowchart.vsdx b/windows/deployment/media/Windows10Autopilotflowchart.vsdx deleted file mode 100644 index ef702ab66b..0000000000 Binary files a/windows/deployment/media/Windows10Autopilotflowchart.vsdx and /dev/null differ diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf deleted file mode 100644 index 3a4c5f022e..0000000000 Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and /dev/null differ diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx b/windows/deployment/media/Windows10DeploymentConfigManager.vsdx deleted file mode 100644 index 8b2db358ff..0000000000 Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.vsdx and /dev/null differ diff --git a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml index 8aa8e68722..4a695dc7b7 100644 --- a/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml +++ b/windows/deployment/planning/windows-10-enterprise-faq-itpro.yml @@ -50,10 +50,10 @@ sections: - For some devices, Windows 10 may be unable to install drivers that are required for operation. If your device drivers aren't automatically installed, visit the manufacturer's support website for your device to download and manually install the drivers. If Windows 10 drivers aren't available, the most up-to-date drivers for Windows 8.1 will often work in Windows 10. - For some devices, the manufacturer may provide more up-to-date drivers or drivers that enable more functionality than the drivers installed by Windows 10. Always follow the recommendations of the device manufacturer for optimal performance and stability. - Some computer manufacturers provide packs of drivers for easy implementation in management and deployment solutions like the Microsoft Deployment Toolkit (MDT) or Microsoft Endpoint Configuration Manager. These driver packs contain all of the drivers needed for each device and can greatly simplify the process of deploying Windows to a new make or model of computer. Driver packs for some common manufacturers include: - - [HP driver pack](http://www8.hp.com/us/en/ads/clientmanagement/drivers-pack.html) - - [Dell driver packs for enterprise client OS deployment](http://en.community.dell.com/techcenter/enterprise-client/w/wiki/2065.dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) - - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/documents/ht074984) - - [Panasonic Driver Pack for Enterprise](http://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) + - [HP driver pack](https://www.hp.com/us-en/solutions/client-management-solutions/drivers-pack.html) + - [Dell driver packs for enterprise client OS deployment](https://www.dell.com/support/kbdoc/en-us/000124139/dell-command-deploy-driver-packs-for-enterprise-client-os-deployment) + - [Lenovo Configuration Manager and MDT package index](https://support.lenovo.com/us/en/solutions/ht074984) + - [Panasonic Driver Pack for Enterprise](https://pc-dl.panasonic.co.jp/itn/drivers/driver_packages.html) - question: | Where can I find out if an application or device is compatible with Windows 10? @@ -125,7 +125,7 @@ sections: answer: | For an overview of the new enterprise features in Windows 10 Enterprise, see [What's new in Windows 10](/windows/whats-new/) and [What's new in Windows 10, version 1703](/windows/whats-new/whats-new-windows-10-version-1703) in the Docs library. - Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://blogs.technet.microsoft.com/windowsitpro/). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. + Another place to track the latest information about new features of interest to IT professionals is the [Windows for IT Pros blog](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/bg-p/Windows10Blog). Here you'll find announcements of new features, information on updates to the Windows servicing model, and details about the latest resources to help you more easily deploy and manage Windows 10. To find out which version of Windows 10 is right for your organization, you can also [compare Windows editions](https://www.microsoft.com/WindowsForBusiness/Compare). @@ -152,4 +152,3 @@ sections: - If you're an IT professional or if you have a question about administering, managing, or deploying Windows 10 in your organization or business, visit the [Windows 10 IT Professional forums](https://social.technet.microsoft.com/forums/home?category=windows10itpro) on TechNet. - If you're an end user or if you have a question about using Windows 10, visit the [Windows 10 forums on Microsoft Community](https://answers.microsoft.com/windows/forum). - If you're a developer or if you have a question about making apps for Windows 10, visit the [Windows Desktop Development forums](https://social.msdn.microsoft.com/forums/en-us/home?category=windowsdesktopdev). - - If you have a question about Internet Explorer, visit the [Internet Explorer forums](https://social.technet.microsoft.com/forums/ie/en-us/home). diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index 8b93291b64..a865459e80 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md @@ -1,11 +1,14 @@ --- -title: "How to check Windows release health" +title: How to check Windows release health +description: Check the release health status of Microsoft 365 services before you call support to see if there's an active service interruption. +ms.date: 08/16/2022 ms.author: v-nishmi author: DocsPreview manager: jren -ms.topic: article +ms.reviewer: mstewart +ms.topic: how-to ms.prod: w10 -localization_priority: Normal +localization_priority: medium ms.custom: - Adm_O365 - 'O365P_ServiceHealthModern' @@ -21,37 +24,35 @@ search.appverid: - MOE150 - BCS160 - IWA160 -description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption." -feedback_system: none --- # How to check Windows release health -The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues so you can troubleshoot issues your users may be experiencing and/or to determine when, and at what scale, to deploy an update in your organization. +The Windows release health page in the Microsoft 365 admin center enables you to view the latest information on known issues for Windows monthly and feature updates. A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The Windows release health page is designed to inform you about known issues. You can use this information to troubleshoot issues your users may be experiencing. You can also determine when, and at what scale, to deploy an update in your organization. -If you are unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from logging into your tenant. +If you're unable to sign in to the Microsoft 365 admin portal, check the [Microsoft 365 service health](https://status.office365.com) status page to check for known issues preventing you from signing into your tenant. -To be informed about the latest updates and releases, follow us on Twitter [@WindowsUpdate](https://twitter.com/windowsupdate). +To be informed about the latest updates and releases, follow [@WindowsUpdate](https://twitter.com/windowsupdate) on Twitter. ## How to review Windows release health information -1. Go to the Microsoft 365 admin center at [https://admin.microsoft.com](https://go.microsoft.com/fwlink/p/?linkid=2024339), and sign in with an administrator account. +1. Go to the [Microsoft 365 admin center](https://admin.microsoft.com), and sign in with an administrator account. > [!NOTE] - > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide&preserve-view=true#roles-available-in-the-microsoft-365-admin-center). + > By default, the Windows release health page is available to individuals who have been assigned the global admin or service administrator role for their tenant. To allow Exchange, SharePoint, and Skype for Business admins to view the Windows release health page, you must first assign them to a Service admin role. For more information about roles that can view service health, see [About admin roles](/microsoft-365/admin/add-users/about-admin-roles#commonly-used-microsoft-365-admin-center-roles). 2. To view Windows release health in the Microsoft 365 Admin Center, go to **Health > Windows release health**. -3. On the **Windows release health** page, you will have access to known issue information for all supported versions of the Windows operating system. +3. On the **Windows release health** page, you'll have access to known issue information for all supported versions of the Windows operating system. The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.  - A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days. - + A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days. +  - + The **History** tab shows the history of known issues that have been resolved for up to 6 months.  @@ -64,24 +65,23 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win - **Originating KB** - The KB number where the issue was first identified. - **Originating build** - The build number for the KB. - Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. Here is an example: + Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. For example:  - + ## Status definitions In the **Windows release health** experience, every known issue is assigned as status. Those statuses are defined as follows: - | Status | Definition | |:-----|:-----| -|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there is no confirmation that users are affected. | -|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue’s scope of impact, mitigation steps, and root cause. | -|**Confirmed** | After close review, Microsoft teams have determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. | +|**Reported** | An issue has been brought to the attention of the Windows teams. At this stage, there's no confirmation that users are affected. | +|**Investigating** | The issue is believed to affect users and efforts are underway to gather more information about the issue's scope, mitigation steps, and root cause. | +|**Confirmed** | After close review, Microsoft has determined the issue is affecting Windows users, and progress is being made on mitigation steps and root cause. | |**Mitigated** | A workaround is available and communicated to Windows customers for a known issue. A known issue will stay in this state until a KB article is released by Microsoft to resolve the known issue. | |**Mitigated: External** | A workaround is available and communicated to Windows customers for a known issue that was caused by a software or driver from a third-party software or device manufacturer. A known issue will stay in this state until the issue is resolved by Microsoft or the third-party. | -|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it’s deployed in the customer’s environment. | -|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it’s deployed in the customer’s environment. | +|**Resolved** | A solution has been released by Microsoft and has been documented in a KB article that will resolve the known issue once it's deployed in the customer's environment. | +|**Resolved: External** | A solution has been released by a Microsoft or a third-party that will resolve the known issue once it's deployed in the customer's environment. | ## Known issue history @@ -97,29 +97,30 @@ A list of all status updates posted in the selected timeframe will be displayed, ### Windows release health coverage -- **What is Windows release health?** +- **What is Windows release health?** Windows release health is a Microsoft informational service created to keep licensed Windows customers aware of identified known issues and important announcements. - **Microsoft 365 service health content is specific to my tenants and services. Is the content in Windows release health specific to my Windows environment?** - Windows release health does not monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version. + Windows release health doesn't monitor user environments or collect customer environment information. In Windows release health, all known issue content across all supported Windows versions is published to all subscribed customers. Future iterations of the solution may target content based on customer location, industry, or Windows version. - **Where do I find Windows release health?** - After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, click **Health** and you’ll see **Windows release health**. + After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**. -- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?** + +- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Microsoft Learn?** No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you’ll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis. - **How often will content be updated?** - In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment. + In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Microsoft Learn and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment. - **Can I share this content publicly or with other Windows customers?** - Windows release health is provided to you as a licensed Windows customer and is not to be shared publicly. + Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly. - **Is the content redundant? How is the content organized in the different tabs?** - Windows release health provides three tabs. The landing **All versions** tab allows you to click into a specific version of Windows. The Known issues tab shows the list of issues that are active or resolved in the past 30 days. The History tab shows a six-month history of known issues that have been resolved. + Windows release health provides three tabs. The landing **All versions** tab allows you to select a specific version of Windows. The **Known issues** tab shows the list of issues that are active or resolved in the past 30 days. The **History** tab shows a six-month history of known issues that have been resolved. -- **How do I find information for the versions of Windows I’m managing?** - On the **All versions** tab, you can select any Windows version. This will take you to the Known issues tab filtered for the version you selected. The known issues tab provides the list of active known issues and those resolved in the last 30 days. This selection persists throughout your session until changed. From the History tab you can view the list of resolved issues for that version. To change versions, use the filter in the tab. +- **How do I find information for the versions of Windows I'm managing?** + On the **All versions** tab, you can select any Windows version. This action takes you to the **Known issues** tab filtered for the version you selected. The **Known issues** tab provides the list of active known issues and the issues resolved in the last 30 days. This selection persists throughout your session until changed. From the **History** tab, you can view the list of resolved issues for that version. To change versions, use the filter in the tab. ### Microsoft 365 Admin Center functions @@ -127,13 +128,13 @@ A list of all status updates posted in the selected timeframe will be displayed, You can search Microsoft 365 admin center pages using keywords. For Windows release health, go to the desired product page and search using KB numbers, build numbers, or keywords. - **How do I add other Windows admins?** - Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of “Service Support admin.” + Using the left-hand menu, go to Users, then select the Active Users tab and follow the prompts to add a new user, or assign an existing user, to the role of **Service Support admin**. -- **Why can’t I click to the KB article from the Known issues or History tabs?** - Within the issue description, you’ll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue’s Details pane. +- **Why can't I click to the KB article from the Known issues or History tabs?** + Within the issue description, you'll find links to the KB articles. In the Known issue and History tabs, the entire row is a clickable entry to the issue's Details pane. -- **Microsoft 365 admin center has a mobile app but I don’t see Windows release health under the Health menu. Is this an open issue?** - We are working to build the Windows release health experience on mobile devices in a future release. +- **Microsoft 365 admin center has a mobile app but I don't see Windows release health under the Health menu. Is this an open issue?** + We're working to build the Windows release health experience on mobile devices in a future release. ### Help and support @@ -141,7 +142,7 @@ A list of all status updates posted in the selected timeframe will be displayed, Seek assistance through Premier support, the [Microsoft Support website](https://support.microsoft.com), or connect with your normal channels for Windows support. - **When reaching out to Support, they asked me for an advisory ID. What is this and where can it?** - The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the Known issue you’re seeking help on, click the Details pane and you’ll find the ID under the issue title. It will be the letters WI followed by a number, similar to “WI123456”. + The advisory ID can be found in the upper left-hand corner of the known issue Details pane. To find it, select the known issue you're seeking help on, select the **Details** pane, and you'll find the ID under the issue title. It will be the letters `WI` followed by a number, similar to `WI123456`. - **How can I learn more about expanding my use of Microsoft 365 admin center?** - To learn more, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center). + For more information, see the [Microsoft 365 admin center documentation](/microsoft-365/admin/admin-overview/about-the-admin-center). diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md index ef6be01503..bc3f4c1e0e 100644 --- a/windows/deployment/update/deploy-updates-configmgr.md +++ b/windows/deployment/update/deploy-updates-configmgr.md @@ -2,9 +2,9 @@ title: Deploy Windows client updates with Configuration Manager description: Deploy Windows client updates with Configuration Manager ms.prod: w10 -author: aczechowski +author: mestew ms.localizationpriority: medium -ms.author: aaroncz +ms.author: mstewart ms.reviewer: manager: dougeby ms.topic: article diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 933d4dd014..f8d5a8cd98 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -88,8 +88,8 @@ The Microsoft Graph SDK includes a PowerShell extension that you can use to scri ### Building your own application Microsoft Graph makes deployment service APIs available through. Get started with these learning paths: -- Learning Path: [Microsoft Graph Fundamentals](/learn/paths/m365-msgraph-fundamentals/) -- Learning Path: [Build apps with Microsoft Graph](/learn/paths/m365-msgraph-associate/) +- Learning path: [Microsoft Graph Fundamentals](/training/paths/m365-msgraph-fundamentals/) +- Learning path: [Build apps with Microsoft Graph](/training/paths/m365-msgraph-associate/) Once you are familiar with Microsoft Graph development, see [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) for more. diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md index a10b3e8bbf..b4fd53631f 100644 --- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md +++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md @@ -1,138 +1,42 @@ --- -title: Olympia Corp enrollment guidelines -description: Learn about the Olympia Corp enrollment and setting up an Azure Active Directory-REGISTERED Windows client device or an Azure Active Directory-JOINED Windows client device. -ms.author: aaroncz +title: Olympia Corp Retirement +description: Learn about the retirement of Olympia Corp and how to back up your data prior to October 31, 2022. +ms.author: lizlong ms.topic: article ms.prod: w10 -ms.technology: windows -author: aczechowski +author: lizgt2000 ms.reviewer: -manager: dougeby -ms.custom: seo-marvel-apr2020 +manager: aaroncz --- # Olympia Corp - + **Applies to** - Windows 10 - Windows 11 -## What is Windows Insider Lab for Enterprise and Olympia Corp? +## Retirement of Olympia Corp -Windows Insider Lab for Enterprise is intended for Windows Insiders who want to try new experimental and pre-release enterprise privacy and security features. To get the complete experience of these enterprise features, Olympia Corp, a virtual corporation has been set up to reflect the IT infrastructure of real world business. Selected customers are invited to join Olympia Corp and try these features. +Olympia Corp, a virtual corporation was set up to reflect the IT infrastructure of real world businesses. +Olympia will be formally retired on October 31, 2022. +We'll begin unassigning Olympia licenses and deleting the Olympia feedback path on Feedback Hub. Olympia Corp will no longer be a part of Windows Insider Lab for Enterprise. -As an Olympia user, you will have an opportunity to: +> [!WARNING] +> To prevent data loss, Olympia participants need to complete the following: +> - If you're using the provided Olympia licenses, make a back up of any data as you'll lose data once we unassign the licenses. +> - Please remove your device from Olympia before October 31, 2022. -- Use various enterprise features like Windows Information Protection (WIP), Microsoft Defender for Office 365, Windows Defender Application Guard (WDAG), and Application Virtualization (APP-V). -- Learn how Microsoft is preparing for GDPR, as well as enabling enterprise customers to prepare for their own readiness. -- Validate and test pre-release software in your environment. -- Provide feedback. -- Interact with engineering team members through a variety of communication channels. +To remove the account from Azure Active Directory, follow the steps below: ->[!Note] ->Enterprise features might have reduced or different security, privacy, accessibility, availability, and reliability standards relative to commercially provided services and software. We may change or discontinue any of the enterprise features at any time without notice. + 1. Open the **Settings** app. + 1. Go to **Accounts** > **Access work or school**. + 1. Select the connected account that you want to remove, then select **Disconnect**. + 1. To confirm device removal, select **Yes**. -For more information about Olympia Corp, see [https://olympia.windows.com/Info/FAQ](https://olympia.windows.com/Info/FAQ). +- After removing your account from Olympia, log in to your device using your local account. -To request an Olympia Corp account, fill out the survey at [https://aka.ms/RegisterOlympia](https://aka.ms/RegisterOlympia). - -## Enrollment guidelines - -Welcome to Olympia Corp. Here are the steps needed to enroll. - -As part of Windows Insider Lab for Enterprise, you can upgrade to Windows client Enterprise from Windows client Pro. This upgrade is optional. Since certain features such as Windows Defender Application Guard are only available on Windows client Enterprise, we recommend you to upgrade. - -Choose one of the following two enrollment options: - -- To set up an Azure Active Directory-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account. - -- If you are running Windows client Pro, we recommend that you upgrade to Windows client Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account. - - - -### Set up an Azure Active Directory-REGISTERED Windows client device - -This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Azure AD register FAQ](/azure/active-directory/devices/faq) for additional information. - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)). - -  - -2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**. - -3. Select **Connect** and enter your **Olympia corporate account** (for example, username@olympia.windows.com). Select **Next**. - -  - -4. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - -  - -5. Read the **Terms and Conditions**. Select **Accept** to participate in the program. - -6. If this is the first time you are logging in, fill in the additional information to help you retrieve your account details. - -7. Create a PIN for signing into your Olympia corporate account. - -8. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -9. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - - - -### Set up Azure Active Directory-JOINED Windows client device - -- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) for more information. - - > [!NOTE] - > Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key). - -1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)). - -  - -2. If you are already connected to a domain, select the existing account and then select **Disconnect**. Select **Restart Later**. - -3. Select **Connect**, then select **Join this device to Azure Active Directory**. - -  - -4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Select **Next**. - -  - -5. Enter the temporary password that was sent to you. Select **Sign in**. Follow the instructions to set a new password. - - > [!NOTE] - > Passwords should contain 8-16 characters, including at least one special character or number. - -  - -6. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**. - -7. If this is the first time you are signing in, fill in the additional information to help you retrieve your account details. - -8. Create a PIN for signing into your Olympia corporate account. - -9. When asked to make sure this is your organization, verify that the information is correct. If so, select **Join**. - -10. Restart your device. - -11. In the sign-in screen, choose **Other User** and sign in with your **Olympia corporate account**. Your device will upgrade to Windows client Enterprise. - -12. Go to **Start > Settings > Update & Security > Windows Insider Program**. Select on the current Windows Insider account, and select **Change**. Sign in with your **Olympia corporate account**. - - > [!NOTE] - > To complete this step, you will need to register your account with the [Windows Insider Program for Business](https://insider.windows.com/ForBusiness). - -13. Open the **Feedback Hub**, and sign in with your **Olympia corporate account**. - ->[!NOTE] -> Your Windows client Enterprise license won't be renewed if your device isn't connected to Olympia. +- If you're looking for another program to join, the program we recommend is the Windows Insider Program for Business. Follow the instructions below to register: +[Register for the Windows 10 Insider Program for Business](/windows-insider/business/register) + +Thank you for your participation in Olympia and email Windows Insider Lab for Enterprise [olympia@microsoft.com](mailto:olympia@microsoft.com) with any questions. diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index c301863138..bc6e8a327e 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -1,11 +1,11 @@ --- title: Manually configuring devices for Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: Manually configuring devices for Update Compliance ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md index 6db9d2bb84..31cc1b5b80 100644 --- a/windows/deployment/update/update-compliance-configuration-mem.md +++ b/windows/deployment/update/update-compliance-configuration-mem.md @@ -1,11 +1,11 @@ --- title: Configuring Microsoft Endpoint Manager devices for Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article @@ -21,62 +21,64 @@ ms.topic: article This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps: 1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured. -2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured. -3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). +1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). + +> [!TIP] +> If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured. ## Create a configuration profile Take the following steps to create a configuration profile that will set required policies for Update Compliance: 1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**. -2. On the **Configuration profiles** view, select **Create a profile**. -3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". -4. For **Template name**, select **Custom**, and then press **Create**. -5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. -6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). +1. On the **Configuration profiles** view, select **Create a profile**. +1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates". +1. For **Template name**, select **Custom**, and then press **Create**. +1. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**. +1. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). 1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid). - 2. Add a setting for **Commercial ID** with the following values: + 1. Add a setting for **Commercial ID** with the following values: - **Name**: Commercial ID - **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace. - **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID` - **Data type**: String - **Value**: *Set this to your Commercial ID* - 2. Add a setting configuring the **Windows Diagnostic Data level** for devices: + 1. Add a setting configuring the **Windows Diagnostic Data level** for devices: - **Name**: Allow Telemetry - **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry` - **Data type**: Integer - **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*). - 3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance: + 1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance: - **Name**: Disable Telemetry opt-in interface - **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx` - **Data type**: Integer - **Value**: 1 - 4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: + 1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance: - **Name**: Allow device name in Diagnostic Data - **Description**: Allows device name in Diagnostic Data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData` - **Data type**: Integer - **Value**: 1 - 5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: + 1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance: - **Name**: Allow Update Compliance Processing - **Description**: Opts device data into Update Compliance processing. Required to see data. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing` - **Data type**: Integer - **Value**: 16 - 6. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: + 1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance: - **Name**: Allow commercial data pipeline - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline` - **Data type**: Integer - **Value**: 1 -7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. -8. Review and select **Create**. +1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll. +1. Review and select **Create**. ## Deploy the configuration script -The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). +The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management). When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices. diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md index 15c207cf56..dfc1c5cae2 100644 --- a/windows/deployment/update/update-compliance-configuration-script.md +++ b/windows/deployment/update/update-compliance-configuration-script.md @@ -1,7 +1,7 @@ --- title: Update Compliance Configuration Script ms.reviewer: -manager: dougeby +manager: aczechowski description: Downloading and using the Update Compliance Configuration Script ms.prod: w10 author: mestew diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md index 97771928db..34024f43cb 100644 --- a/windows/deployment/update/update-compliance-delivery-optimization.md +++ b/windows/deployment/update/update-compliance-delivery-optimization.md @@ -1,11 +1,11 @@ --- title: Delivery Optimization in Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article @@ -46,7 +46,7 @@ The table breaks down the number of bytes from each download source into specifi The download sources that could be included are: - LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network - Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used) -- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an Configuration Manager Distribution Point for Express Updates. +- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or a Configuration Manager Distribution Point for Express Updates. [!INCLUDE [Monitor Delivery Optimization](../do/includes/waas-delivery-optimization-monitor.md)] diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index aef454e5ea..17b63d9e79 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -1,11 +1,11 @@ --- title: Update Compliance - Feature Update Status report ms.reviewer: -manager: dougeby +manager: aczechowski description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 3449a9e3ff..23d4fb68e8 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -1,10 +1,10 @@ --- title: Get started with Update Compliance -manager: dougeby +manager: aczechowski description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: - M365-analytics diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md index 14be646f48..0ed598274c 100644 --- a/windows/deployment/update/update-compliance-monitor.md +++ b/windows/deployment/update/update-compliance-monitor.md @@ -1,11 +1,11 @@ --- title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.localizationpriority: medium ms.collection: M365-analytics ms.topic: article diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index a72b0bd9e9..680cfffa35 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -1,9 +1,9 @@ --- title: Update Compliance - Need Attention! report -manager: dougeby +manager: aczechowski description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article ms.prod: w10 diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md index 25616519e4..08423ff755 100644 --- a/windows/deployment/update/update-compliance-privacy.md +++ b/windows/deployment/update/update-compliance-privacy.md @@ -1,11 +1,11 @@ --- title: Privacy in Update Compliance ms.reviewer: -manager: dougeby +manager: aczechowski description: an overview of the Feature Update Status report ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- diff --git a/windows/deployment/update/update-compliance-safeguard-holds.md b/windows/deployment/update/update-compliance-safeguard-holds.md index c745e589a3..f45cd6f50d 100644 --- a/windows/deployment/update/update-compliance-safeguard-holds.md +++ b/windows/deployment/update/update-compliance-safeguard-holds.md @@ -1,11 +1,11 @@ --- title: Update Compliance - Safeguard Holds report ms.reviewer: -manager: dougeby +manager: aczechowski description: Learn how the Safeguard Holds report provides information about safeguard holds in your population. ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article ms.custom: seo-marvel-apr2020 diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md index ec78a072db..2dc69aadd8 100644 --- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md +++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md @@ -1,11 +1,11 @@ --- title: Update Compliance Schema - WaaSDeploymentStatus ms.reviewer: -manager: dougeby +manager: aczechowski description: WaaSDeploymentStatus schema ms.prod: w10 -author: aczechowski -ms.author: aaroncz +author: mestew +ms.author: mstewart ms.collection: M365-analytics ms.topic: article --- @@ -22,7 +22,7 @@ WaaSDeploymentStatus records track a specific update's installation progress on |**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). | |**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there's either no string matching the error or there's no error. | |**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there's either no error or there's *no error code*, meaning that the issue raised doesn't correspond to an error, but some inferred issue. | -|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) +6. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. + +## Related articles + +[Windows subscription activation](windows-10-subscription-activation.md) + +[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) + +[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index bbc1b4b9d4..8dc4f7f75d 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -1,50 +1,44 @@ --- -title: Activate using Active Directory-based activation (Windows 10) -description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects. -ms.custom: seo-marvel-apr2020 +title: Activate using Active Directory-based activation +description: Learn how active directory-based activation is implemented as a role service that relies on AD DS to store activation objects. manager: dougeby -ms.author: aaroncz -ms.prod: w10 author: aczechowski +ms.author: aaroncz +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium -ms.date: 01/13/2022 -ms.topic: article +ms.date: 09/16/2022 +ms.topic: how-to ms.collection: highpri --- # Activate using Active Directory-based activation -**Applies to** +**Applies to supported versions of** -Windows 11 -Windows 10 -Windows 8.1 -Windows 8 -Windows Server 2012 R2 -Windows Server 2012 -Windows Server 2016 -Windows Server 2019 -Office 2021* -Office 2019* -Office 2016* -Office 2013* +- Windows +- Windows Server +- Office -**Looking for retail activation?** +> [!TIP] +> Are you looking for information on retail activation? +> +> - [Product activation for Windows](https://support.microsoft.com/windows/product-activation-for-windows-online-support-telephone-numbers-35f6a805-1259-88b4-f5e9-b52cccef91a0) +> - [Activate Windows](https://support.microsoft.com/windows/activate-windows-c39005d4-95ee-b91e-b399-2820fda32227) -- [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1) -- [Get Help Activating Microsoft Windows 10](https://support.microsoft.com/help/12440/windows-10-activate) +Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that you update the forest schema using *adprep.exe* on a supported server OS. After the schema is updated, older domain controllers can still activate clients. -Active Directory-based activation is implemented as a role service that relies on AD DS to store activation objects. Active Directory-based activation requires that the forest schema be updated using *adprep.exe* on a supported server OS, but after the schema is updated, older domain controllers can still activate clients. +Any domain-joined computers running a supported OS with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They'll stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. -Any domain-joined computers running a supported operating system with a Generic Volume License Key (GVLK) will be activated automatically and transparently. They will stay activated as long as they remain members of the domain and maintain periodic contact with a domain controller. Activation takes place after the Licensing service starts. When this service starts, the computer contacts AD DS automatically, receives the activation object, and is activated without user intervention. - -To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. +To allow computers with GVLKs to activate themselves, use the Volume Activation Tools console or the [Volume Activation Management Tool (VAMT)](volume-activation-management-tool.md) in earlier versions of Windows Server to create an object in the AD DS forest. You create this activation object by submitting a KMS host key to Microsoft, as shown in Figure 10. The process proceeds as follows: -1. Perform one of the following tasks: - - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard. - - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT. +1. Do _one_ of the following tasks: + + - Install the Volume Activation Services server role on a domain controller. Then add a KMS host key by using the Volume Activation Tools Wizard. + + - Extend the domain schema level to Windows Server 2012 R2 or later. Then add a KMS host key by using the VAMT. 2. Microsoft verifies the KMS host key, and an activation object is created. @@ -55,87 +49,91 @@ The process proceeds as follows: **Figure 10**. The Active Directory-based activation flow -For environments in which all computers are running an operating system listed under *Applies to*, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. +For environments in which all computers are running a supported OS version, and they're joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers. You may be able to remove any KMS hosts from your environment. -If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. +If an environment will continue to contain earlier versions of volume licensed operating systems and applications, or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status. -Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days. +Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain. They'll periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days. -When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. +When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object can't be retrieved, client computers use KMS activation. If the computer is removed from the domain, and the computer or the Software Protection service is restarted, Windows will change the status to "not activated" and the computer will try to activate with KMS. ## Step-by-step configuration: Active Directory-based activation > [!NOTE] -> You must be a member of the local Administrators group on all computers mentioned in these steps. You also need to be a member of the Enterprise Administrators group, because setting up Active Directory-based activation changes forest-wide settings. +> You must be a member of the local **Administrators** group on all computers mentioned in these steps. You also need to be a member of the **Enterprise Administrators** group, because setting up Active Directory-based activation changes forest-wide settings. -**To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:** +To configure Active Directory-based activation on a supported version of Windows Server, complete the following steps: -1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller. +1. Use an account with **Domain Administrator** and **Enterprise Administrator** credentials to sign in to a domain controller. -2. Launch Server Manager. +2. Launch **Server Manager**. -3. Add the Volume Activation Services role, as shown in Figure 11. +3. Add the **Volume Activation Services** role, as shown in Figure 11.  **Figure 11**. Adding the Volume Activation Services role -4. Click the link to launch the Volume Activation Tools (Figure 12). +4. Select the **Volume Activation Tools**, as shown in Figure 12.  **Figure 12**. Launching the Volume Activation Tools -5. Select the **Active Directory-Based Activation** option (Figure 13). +5. Select the **Active Directory-Based Activation** option, as shown in Figure 13.  **Figure 13**. Selecting Active Directory-Based Activation -6. Enter your KMS host key and (optionally) a display name (Figure 14). +6. Enter your KMS host key and optionally specify a display name, as shown in Figure 14.  **Figure 14**. Entering your KMS host key -7. Activate your KMS host key by phone or online (Figure 15). +7. Activate your KMS host key by phone or online, as shown in Figure 15.  - + **Figure 15**. Choosing how to activate your product > [!NOTE] - > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory). - - > - > + > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. + > > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) - > + > > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) > > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) > > - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446) + > + > For more information, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory). -8. After activating the key, click **Commit**, and then click **Close**. +8. After activating the key, select **Commit**, and then select **Close**. ## Verifying the configuration of Active Directory-based activation To verify your Active Directory-based activation configuration, complete the following steps: -1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing. -2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key. -3. If the computer is not joined to your domain, join it to the domain. +1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that's configured by volume licensing. + +2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK. Run the `slmgr.vbs /ipk` command and specifying the GLVK as the new product key. + +3. If the computer isn't joined to your domain, join it to the domain. + 4. Sign in to the computer. -5. Open Windows Explorer, right-click **Computer**, and then click **Properties**. + +5. Open Windows Explorer, right-click **Computer**, and then select **Properties**. + 6. Scroll down to the **Windows activation** section, and verify that this client has been activated. > [!NOTE] - > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used. - > - > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](./volume-activation-management-tool.md). - + > If you're using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that hasn't already been activated by KMS. The `slmgr.vbs /dlv` command also indicates whether KMS has been used. + > + > To manage individual activations or apply multiple (mass) activations, use the [VAMT](./volume-activation-management-tool.md). ## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) +[Volume Activation for Windows 10](volume-activation-windows-10.md) diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 403b5a2209..e8e03b1772 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -4,61 +4,62 @@ description: VAMT enables administrators to automate and centrally manage the Wi ms.reviewer: manager: dougeby ms.author: aaroncz -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy author: aczechowski -ms.date: 04/25/2017 -ms.topic: article +ms.date: 09/16/2022 +ms.topic: overview --- # Introduction to VAMT -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office®, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has one of the following Windows operating systems: Windows® 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 R2, or Windows Server 2012. +The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in and can be installed on any computer that has a supported Windows OS version. > [!NOTE] -> VAMT can be installed on, and can manage, physical or virtual instances. VAMT cannot detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. +> VAMT can be installed on, and can manage, physical or virtual instances. VAMT can't detect whether or not the remote products are virtual. As long as the products can respond to Windows Management Instrumentation (WMI) calls, they will be discovered and activated. -## In this Topic - -- [Managing Multiple Activation Key (MAK) and Retail Activation](#bkmk-managingmak) -- [Managing Key Management Service (KMS) Activation](#bkmk-managingkms) -- [Enterprise Environment](#bkmk-enterpriseenvironment) -- [VAMT User Interface](#bkmk-userinterface) - -## Managing Multiple Activation Key (MAK) and Retail Activation +## Managing MAK and retail activation You can use a MAK or a retail product key to activate Windows, Windows Server, or Office on an individual computer or a group of computers. VAMT enables two different activation scenarios: -- **Online activation.** Many enterprises maintain a single Windows system image or Office installation package for deployment across the enterprise. Occasionally there is also a need to use retail product keys in special situations. Online activation enables you to activate over the Internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -- **Proxy activation.** This activation method enables you to perform volume activation for products installed on client computers that do not have Internet access. The VAMT host computer distributes a MAK, KMS Host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs Internet access. You can also activate products installed on computers in a workgroup that is isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the Internet-connected VAMT host. +- **Online activation**: Many organizations maintain a single Windows system image or Office installation package for deployment across the organization. Occasionally there's also a need to use retail product keys in special situations. Online activation enables you to activate over the internet any products installed with MAK, KMS host, or retail product keys on one or more connected computers within a network. This process requires that each product communicate activation information directly to Microsoft. -## Managing Key Management Service (KMS) Activation +- **Proxy activation**: This activation method enables you to perform volume activation for products installed on client computers that don't have internet access. The VAMT host computer distributes a MAK, KMS host key (CSVLK), or retail product key to one or more client products and collects the installation ID (IID) from each client product. The VAMT host sends the IIDs to Microsoft on behalf of the client products and obtains the corresponding Confirmation IDs (CIDs). The VAMT host then installs the CIDs on the client products to complete the activation. Using this method, only the VAMT host computer needs internet access. You can also activate products installed on computers in a workgroup that's isolated from any larger network, by installing a second instance of VAMT on a computer within the workgroup. Then, use removable media to transfer activation data between this new instance of VAMT and the internet-connected VAMT host. -In addition to MAK or retail activation, you can use VAMT to perform volume activation using the Key Management Service (KMS). VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by Volume License editions of Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 and Microsoft Office 2010.\ -VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type product key; therefore, the experience for product key entry and activation management are identical for both these product key types. +## Managing KMS activation -## Enterprise Environment +In addition to MAK or retail activation, you can use VAMT to perform volume activation using the KMS. VAMT can install and activate GVLK (KMS client) keys on client products. GVLKs are the default product keys used by volume license editions of Windows, Windows Server, and Office. -VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments—Core Network, Secure Zone, and Isolated Lab. +VAMT treats a KMS host key (CSVLK) product key identically to a retail-type product key. The experience for product key entry and activation management are identical for both these product key types. + +## Enterprise environment + +VAMT is commonly implemented in enterprise environments. The following screenshot illustrates three common environments: core network, secure zone, and isolated lab.  -In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have extra firewall protection. -The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab. +- In the core network environment, all computers are within a common network managed by Active Directory Domain Services (AD DS). +- The secure zone represents higher-security core network computers that have extra firewall protection. +- The isolated lab environment is a workgroup that is physically separate from the core network, and its computers don't have internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the isolated lab. -## VAMT User Interface +## VAMT user interface -The following screenshot shows the VAMT graphical user interface. +The following screenshot shows the VAMT graphical user interface:  VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as: -- **Adding and removing computers.** You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -- **Discovering products.** You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- **Monitoring activation status.** You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. -- **Managing product keys.** You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. -- **Managing activation data.** VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. +- **Adding and removing computers**: You can use VAMT to discover computers in the local environment. VAMT can discover computers by querying AD DS, workgroups, by individual computer name or IP address, or via a general LDAP query. -## Related topics +- **Discovering products**: You can use VAMT to discover Windows, Windows Server, Office, and select other products installed on the client computers. -- [VAMT Step-by-Step Scenarios](vamt-step-by-step.md) +- **Monitoring activation status**: You can collect activation information about each product, including the last five characters of the product key being used, the current license state (such as Licensed, Grace, Unlicensed), and the product edition information. + +- **Managing product keys**: You can store multiple product keys and use VAMT to install these keys to remote client products. You can also determine the number of activations remaining for MAKs. + +- **Managing activation data**: VAMT stores activation data in a SQL database. VAMT can export this data to other VAMT hosts or to an archive in XML format. + +## Next steps + +[VAMT step-by-step scenarios](vamt-step-by-step.md) diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index ec4715c198..fd360dd5f2 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -1,40 +1,36 @@ --- -title: Volume Activation Management Tool (VAMT) Technical Reference (Windows 10) +title: VAMT technical reference description: The Volume Activation Management Tool (VAMT) enables network administrators to automate and centrally manage volume activation and retail activation. manager: dougeby ms.author: aaroncz -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy author: aczechowski -ms.date: 04/25/2017 -ms.topic: article +ms.date: 09/16/2022 +ms.topic: overview ms.custom: seo-marvel-apr2020 ms.collection: highpri --- -# Volume Activation Management Tool (VAMT) Technical Reference +# Volume Activation Management Tool (VAMT) technical reference -The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. -VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems: -- Windows® 7 or above -- Windows Server 2008 R2 or above +The Volume Activation Management Tool (VAMT) lets you automate and centrally manage the Windows, Office, and select other Microsoft products volume and retail-activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in. VAMT can be installed on any computer that has a supported Windows OS version. - -**Important** -VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or later), Microsoft Office 2010 (or above). +> [!IMPORTANT] +> VAMT is designed to manage volume activation for supported versions of Windows, Windows Server, and Office. VAMT is only available in an EN-US (x86) package. ## In this section -|Topic |Description | +|Article |Description | |------|------------| |[Introduction to VAMT](introduction-vamt.md) |Provides a description of VAMT and common usages. | -|[Active Directory-Based Activation Overview](active-directory-based-activation-overview.md) |Describes Active Directory-Based Activation scenarios. | -|[Install and Configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | -|[Add and Manage Products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | -|[Manage Product Keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. | -|[Manage Activations](manage-activations-vamt.md) |Describes how to activate a client computer by using a variety of activation methods. | -|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | -|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | -|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. | - +|[Active Directory-based activation overview](active-directory-based-activation-overview.md) |Describes Active Directory-based activation scenarios. | +|[Install and configure VAMT](install-configure-vamt.md) |Describes how to install VAMT and use it to configure client computers on your network. | +|[Add and manage products](add-manage-products-vamt.md) |Describes how to add client computers into VAMT. | +|[Manage product keys](manage-product-keys-vamt.md) |Describes how to add and remove a product key from VAMT. | +|[Manage activations](manage-activations-vamt.md) |Describes how to activate a client computer by using various activation methods. | +|[Manage VAMT data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. | +|[VAMT step-by-step scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. | +|[VAMT known issues](vamt-known-issues.md) |Lists known issues in VAMT. | diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md index 18021d5a5d..c4377a6979 100644 --- a/windows/deployment/windows-10-deployment-posters.md +++ b/windows/deployment/windows-10-deployment-posters.md @@ -5,31 +5,33 @@ ms.reviewer: manager: dougeby author: aczechowski ms.author: aaroncz -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium -ms.topic: article +ms.topic: reference --- -# Windows 10 deployment process posters +# Windows 10 deployment process posters **Applies to** -- Windows 10 +- Windows 10 -The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager. +The following posters step through various options for deploying Windows 10 with Windows Autopilot or Microsoft Endpoint Configuration Manager. ## Deploy Windows 10 with Autopilot -The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format. +The Windows Autopilot poster is two pages in portrait mode (11x17). Select the image to download a PDF version. -[](./media/Windows10AutopilotFlowchart.pdf) +[](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf) ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager -The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format. +The Configuration Manager poster is one page in landscape mode (17x11). Select the image to download a PDF version. -[](./media/Windows10DeploymentConfigManager.pdf) +[](https://download.microsoft.com/download/e/2/a/e2a70587-d3cc-4f1a-ba49-cfd724a1736b/Windows10DeploymentConfigManager.pdf) ## See also -[Overview of Windows Autopilot](/windows/deployment/windows-autopilot/windows-autopilot)
-[Scenarios to deploy enterprise operating systems with Configuration Manager](/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems) +[Overview of Windows Autopilot](/mem/autopilot/windows-autopilot) + +[Scenarios to deploy enterprise operating systems with Configuration Manager](/mem/configmgr/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 67df3547c9..e59eefbb34 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,8 +1,8 @@ --- -title: Windows 10/11 Subscription Activation +title: Windows subscription activation description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions. -ms.custom: seo-marvel-apr2020 -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium author: aczechowski ms.author: aaroncz @@ -12,239 +12,201 @@ ms.collection: - highpri search.appverid: - MET150 -ms.topic: article +ms.topic: conceptual ms.date: 07/12/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 --- -# Windows 10/11 Subscription Activation +# Windows subscription activation -Applies to: -- Windows 10 -- Windows 11 +The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition. -Windows 10 Pro supports the Subscription Activation feature, enabling users to "step-up" from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they're subscribed to Windows 10/11 Enterprise E3 or E5. +If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). -With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. +The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and then rebooting client devices. -If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). +This article covers the following information: -The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. - -For more information, see the following articles: - -- [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise. -- [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education. -- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [Subscription activation](#subscription-activation-for-enterprise): An introduction to subscription activation for Windows Enterprise. +- [Subscription activation for Education](#subscription-activation-for-education): Information about subscription activation for Windows Education. +- [Inherited activation](#inherited-activation): Allow virtual machines to inherit activation state from their Windows client host. - [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model. +- [Requirements](#requirements): Prerequisites to use the Windows subscription activation model. - [Benefits](#benefits): Advantages of subscription-based licensing. - [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows 10 Subscription Activation for VMs in the cloud. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows subscription activation for VMs in the cloud. -For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). +For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). -## Subscription Activation for Windows 10/11 Enterprise +## Subscription activation for Enterprise -Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. +Windows Enterprise E3 and E5 are available as online services via subscription. You can deploy Windows Enterprise in your organization without keys and reboots. - If you're running Windows 10, version 1703 or later: +- Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise. +- Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions. -- Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. -- Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. - -Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). +Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure Active Directory (Azure AD) using [Azure AD Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis). > [!NOTE] -> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. You cannot use Subscription Activation to upgrade from Windows 10 to Windows 11. +> Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11. -## Subscription Activation for Education +## Subscription activation for Education -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. +Subscription activation for Education works the same as the Enterprise edition, but in order to use subscription activation for Education, you must have a device running Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section. -## Inherited Activation +## Inherited activation -Inherited Activation is a new feature available in Windows 10, version 1803 or later (Windows 11 is considered "later" here) that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. +Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses an Azure AD account on a VM. -When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (Azure AD) account on a VM. - -To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V. +To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V. ## The evolution of deployment +> [!TIP] > The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus). The following list illustrates how deploying Windows client has evolved with each release: -- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
-- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a "repair upgrade" because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
-- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
-- **Windows 10, version 1607** made a large leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
-- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
-- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It's no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
-- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. -- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated. +- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise. + +- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade. This process was considered a "repair upgrade", because the OS version was the same before and after. This upgrade was a lot easier than wipe-and-load, but it was still time-consuming. + +- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This process required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade. + +- **Windows 10, version 1607** made a large leap forward. You could just change the product key and the edition instantly changed from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can inject a key using slmgr.vbs, which injects the key into WMI. It became trivial to do this process using a command line. + +- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program. + +- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Azure AD for assigning licenses to users. When users sign in to a device that's joined to Active Directory or Azure AD, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise. + +- **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled. + +- **Windows 10, version 1903** updated Windows 10 subscription activation to enable step up from Windows 10 Pro Education to Windows 10 Education for devices with a qualifying Windows 10 or Microsoft 365 subscription. + +- **Windows 11, version 21H2** updated subscription activation to work on both Windows 10 and Windows 11 devices. + + > [!IMPORTANT] + > Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated. ## Requirements -### Windows 10/11 Enterprise requirements +### Windows Enterprise requirements > [!NOTE] -> The following requirements do not apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > [!IMPORTANT] -> Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. +> As of October 1, 2022, subscription activation is available for _commercial_ and _GCC_ tenants. It's currently not available on GCC High or DoD tenants. For more information, see [Enable subscription activation with an existing EA](deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. Windows 11 is considered a "later" version in this context. -- Azure Active Directory (Azure AD) available for identity management. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. +- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded. +- Azure AD available for identity management. +- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. -For Microsoft customers that don't have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). +For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). -If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) +### Windows Education requirements -#### Multifactor authentication - -An issue has been identified with Hybrid Azure AD-joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device won't successfully upgrade to their Windows Enterprise subscription. - -To resolve this issue: - -If the device is running Windows 10, version 1809 or later: - -- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. - -- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there's a problem. Select the notification and then select **Fix now** to step through the subscription activation process. See the example below: - - 
- - 
- -  - -Organizations that use Azure Active Directory Conditional Access may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy to avoid this issue. - -> [!NOTE] -> The above recommendation also applies to Azure AD joined devices. - -### Windows 10/11 Education requirements - -- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. -- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. +- A supported version of Windows Pro Education installed on the devices to be upgraded. +- A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. +- The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription. +- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. > [!IMPORTANT] > If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. - ## Benefits -With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: +With Windows Enterprise or Education editions, your organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features. + +To compare Windows 10 editions and review pricing, see the following sites: - [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare) -- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing) You can benefit by moving to Windows as an online service in the following ways: -- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. +- Licenses for Windows Enterprise and Education are checked based on Azure AD credentials. You have a systematic way to assign licenses to end users and groups in your organization. - User sign-in triggers a silent edition upgrade, with no reboot required. -- Support for mobile worker/BYOD activation; transition away from on-premises KMS and MAK keys. +- Support for mobile worker and "bring your own device" (BYOD) activation. This support transitions away from on-premises KMS and MAK keys. - Compliance support via seat assignment. -- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. +- Licenses can be updated to different users dynamically, which allows you to optimize your licensing investment against changing needs. ## How it works > [!NOTE] -> The following Windows 10 examples and scenarios also apply to Windows 11. +> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions. -The device is Azure Active Directory-joined from **Settings > Accounts > Access work or school**. +The device is Azure AD-joined from **Settings > Accounts > Access work or school**. -The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. +You assign Windows 10 Enterprise to a user: - + -When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. - -Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. This benefit doesn't include Long Term Servicing Channel. - -The following figures summarize how the Subscription Activation model works: - -Before Windows 10, version 1903:
- - -After Windows 10, version 1903:
- +When a licensed user signs in to a device that meets requirements using their Azure AD credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires. > [!NOTE] -> -> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when "Windows 10 Enterprise" license is assigned from M365 Admin center (as of May 2019). -> -> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when "Windows 10 Enterprise" license is assigned from M365 Admin center (as of May 2019). +> Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel. + +The following figure summarizes how the subscription activation model works: + + + +> [!NOTE] +> +> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center. +> +> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center. ### Scenarios #### Scenario #1 -You're using Windows 10, version 1803 or above, and purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise). +You're using a supported version of Windows 10. You purchased Windows 10 Enterprise E3 or E5 subscriptions, or you've had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise. -All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. +All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition. #### Scenario #2 -Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. +You're using Azure AD-joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Azure AD synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. You then assign that license to all of your Azure AD users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise. -In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it's simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. +#### Earlier versions of Windows -If you're running Windows 7, it can be more work. A wipe-and-load approach works, but it's likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This path is supported, and completes the move in one step. This method also works if you're running Windows 8.1 Pro. +If devices are running Windows 7, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise edition. This path is supported, and completes the move in one step. This method also works for devices with Windows 8.1 Pro. ### Licenses The following policies apply to acquisition and renewal of licenses on devices: -- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user hasn't logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. + +- Devices that have been upgraded will attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license. + +- If a device is disconnected from the internet, until its current subscription expires Windows will revert to Pro or Pro Education. As soon as the device is connected to the internet again, the license will automatically renew. + +- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, on the computer to which a user hasn't logged for the longest time, Windows will revert to Pro or Pro Education. + - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. -When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/active-directory-licensing-whatis-azure-portal). +When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal). ### Existing Enterprise deployments -If you're running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +If you're running a supported version of Windows 10 or Windows 11, subscription activation will automatically pull the firmware-embedded Windows activation key and activate the underlying Pro license. The license will then step-up to Enterprise using subscription activation. This behavior automatically migrates your devices from KMS or MAK activated Enterprise to subscription activated Enterprise. -Subscription Activation doesn't remove the need to activate the underlying operating system, this is still a requirement for running a genuine installation of Windows. +Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows. > [!CAUTION] -> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). +> Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE). -If you're using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. - -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a `.cmd` file, and run the file from an elevated command prompt: - -```console -@echo off -FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO ( -SET "ProductKey=%%A" -goto InstallKey -) - -:InstallKey -IF [%ProductKey%]==[] ( -echo No key present -) ELSE ( -echo Installing %ProductKey% -changepk.exe /ProductKey %ProductKey% -) -``` - -Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, you can use the following Windows PowerShell script instead: +If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console: ```powershell $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } } @@ -252,17 +214,17 @@ $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( ### Obtaining an Azure AD license -Enterprise Agreement/Software Assurance (EA/SA): +If your organization has an Enterprise Agreement (EA) or Software Assurance (SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea). +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enable-subscription-activation-with-an-existing-ea). -- The license administrator can assign seats to Azure AD users with the same process that is used for O365. +- The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps. - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. -Microsoft Products & Services Agreements (MPSA): +If your organization has a Microsoft Products & Services Agreement (MPSA): -- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. +- New customers are automatically emailed the details of the service. Take steps to process the instructions. - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. @@ -270,16 +232,18 @@ Microsoft Products & Services Agreements (MPSA): ### Deploying licenses -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). +For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). -## Related articles +## Related sites -[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
+Connect domain-joined devices to Azure AD for Windows experiences. For more information, see [Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) + +[Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11) + +[Windows for business](https://www.microsoft.com/windows/business) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index b56c8a8916..f2950818eb 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -32,6 +32,8 @@ href: deploy/windows-autopatch-device-registration-overview.md - name: Register your devices href: deploy/windows-autopatch-register-devices.md + - name: Post-device registration readiness checks + href: deploy/windows-autopatch-post-reg-readiness-checks.md - name: Operate href: operate/index.md items: diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index 1d55fce3d7..a8ae09138a 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- title: Device registration overview -description: This article provides and overview on how to register devices in Autopatch -ms.date: 07/28/2022 +description: This article provides an overview on how to register devices in Autopatch +ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -44,12 +44,12 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | | **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.
- Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
- **AzureADDeviceID**
- **OperatingSystem**
- **DisplayName (Device name)**
- **AccountEnabled**
- **RegistrationDateTime**
- **ApproximateLastSignInDateTime**
- In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
- **Serial number, model, and manufacturer.**
- Checks if the serial number already exists in the Windows Autopatch’s managed device database.
- **If the device is Intune-managed or not.**
- Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
- If **yes**, it means this device is enrolled into Intune.
- If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
- **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
- Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not ready** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
- A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
- **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
- **If the device is a Windows device or not.**
- Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
- **If yes**, it means this device is enrolled into Intune.
- **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
- **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
- **Enterprise**
- **Pro**
- **Pro Workstation**
- **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
- **Only managed by Intune.**
- If the device is only managed by Intune, the device is marked as Passed all prerequisites.
- **Co-managed by both Configuration Manager and Intune.**
- If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
- **Windows Updates Policies**
- **Device Configuration**
- **Office Click to Run**
- If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not Ready** tab.
- **Serial number, model, and manufacturer.**
- Checks if the serial number already exists in the Windows Autopatch’s managed device database.
- **If the device is Intune-managed or not.**
- Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
- If **yes**, it means this device is enrolled into Intune.
- If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
- **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
- Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
- A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
- **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
- **If the device is a Windows device or not.**
- Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
- **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
- **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
- **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
- **Enterprise**
- **Pro**
- **Pro Workstation**
- **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
- **Only managed by Intune.**
- If the device is only managed by Intune, the device is marked as Passed all prerequisites.
- **Co-managed by both Configuration Manager and Intune.**
- If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
- **Windows Updates Policies**
- **Device Configuration**
- **Office Click to Run**
- If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
- **Modern Workplace Devices-Windows Autopatch-First**
- The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
- **Modern Workplace Devices-Windows Autopatch-Fast**
- **Modern Workplace Devices-Windows Autopatch-Broad**
- **Modern Workplace Devices - All**
- This group has all devices managed by Windows Autopatch.
- When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
- This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
- When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
- This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
- When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
- This group has all virtual devices managed by Windows Autopatch.
- Windows Autopatch adds devices to its managed database.
- Flags devices as **Active** in the **Ready** tab.
- The Azure AD device ID of the device successfully registered is added into the Microsoft Cloud Managed Desktop Extension’s allowlist. Windows Autopatch installs the Microsoft Cloud Managed Desktop Extension agent once devices are registered, so the agent can communicate back to the Microsoft Cloud Managed Desktop Extension service.
- The agent is the **Modern Workplace - Autopatch Client setup** PowerShell script that was created during the Windows Autopatch tenant enrollment process. The script is executed once devices are successfully registered into the Windows Autopatch service.
- If the device was **successfully registered**, the device shows up in the **Ready** tab.
- If **not**, the device shows up in the **Not ready** tab.
- If the device was **successfully registered**, the device shows up in the **Ready** tab.
- If **not**, the device shows up in the **Not registered** tab.
- Windows OS (build, architecture and edition)
IT admins can easily detect and remediate configuration mismatches in their environments or issues that prevent devices from having one or more software update workloads (Windows quality, feature updates, Microsoft Office, Microsoft Teams, or Microsoft Edge) fully managed by the Windows Autopatch service. Configuration mismatches can leave devices in a vulnerable state, out of compliance and exposed to security threats.
| + +### Device readiness checks available for each scenario + +| Required device readiness (prerequisite checks) prior to device registration (powered by Intune Graph API) | Required post-device registration readiness checks (powered by Microsoft Cloud Managed Desktop Extension) | +| ----- | ----- | +|- Windows OS (build, architecture and edition)
- Windows updates & Office Group Policy Object (GPO) versus Intune mobile device management (MDM) policy conflict
- Bind network endpoints (Microsoft Defender, Microsoft Teams, Microsoft Edge, Microsoft Office)
- Internet connectivity
- Passed the prerequisite checks.
- Registered with Windows Autopatch.
- **Readiness failed status**: Devices that didn’t pass one or more post-device registration readiness checks.
- **Inactive**: Devices that haven’t communicated with the Microsoft Endpoint Manager-Intune service in the last 28 days.
- Once devices are successfully registered with Windows Autopatch, the devices are added to the **Ready** tab.
- The Microsoft Cloud Managed Desktop Extension agent performs readiness checks against devices in the **Ready** tab every 24 hours.
- The Microsoft Cloud Managed Desktop Extension service evaluates the readiness results gathered by its agent.
- The readiness results are sent from the Microsoft Cloud Managed Desktop Extension service component to the Device Readiness component within the Windows Autopatch’s service.
- The **Microsoft Cloud Managed Desktop Extension** agent collects device readiness statuses when it runs (once a day).
- Once the agent collects results for the post-device registration readiness checks, it generates readiness results in the device in the `%programdata%\Microsoft\CMDExtension\Plugins\DeviceReadinessPlugin\Logs\DRCResults.json.log`.
- The readiness results are sent over to the **Microsoft Cloud Managed Desktop Extension service**.
- The **Microsoft Cloud Managed Desktop Extension** service component sends the readiness results to the Device Readiness component. The results appear in the Windows Autopatch Devices blade (**Not ready** tab).
Once devices are remediated, it can take up to **24 hours** to show up in the **Ready** tab.
| + +## Additional resources + +- [Device registration overview](windows-autopatch-device-registration-overview.md) +- [Register your devices](windows-autopatch-register-devices.md) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index fb3df8f46b..ddd32f7d97 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/08/2022 +ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -28,7 +28,13 @@ Windows Autopatch can take over software update management control of devices th ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by adding them to the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can be added using the following methods: + +- Direct membership +- Nesting other Azure AD dynamic/assigned groups +- [Bulk add/import group members](/azure/active-directory/enterprise-users/groups-bulk-import-members) + +Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. @@ -78,14 +84,26 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). -## About the Ready and Not ready tabs +## About the Ready, Not ready and Not registered tabs -Windows Autopatch introduces a new user interface to help IT admins detect and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices. +Windows Autopatch has three tabs within its device blade. Each tab is designed to provide a different set of device readiness status so IT admin knows where to go to monitor, and troubleshoot potential device health issues. -| Tab | Purpose | -| ----- | ----- | -| Ready | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service. | -| Not ready | The purpose of the Not ready tab is to help you identify and remediate devices that don't meet the pre-requisite checks to register into the Windows Autopatch service. This tab only shows devices that didn't successfully register into Windows Autopatch. | +| Device blade tab | Purpose | Expected device readiness status | +| ----- | ----- | ----- | +| Ready | The purpose of this tab is to show devices that were successfully registered with the Windows Autopatch service. | Active | +| Not ready | The purpose of this tab is to help you identify and remediate devices that failed to pass one or more post-device registration readiness checks. Devices showing up in this tab were successfully registered with Windows Autopatch. However, these devices aren't ready to have one or more software update workloads managed by the service. | Readiness failed and/or Inactive | +| Not registered | The purpose of this tab is to help you identify and remediate devices that don't meet one or more prerequisite checks to successfully register with the Windows Autopatch service. | Pre-requisites failed | + +## Device readiness statuses + +See all possible device readiness statuses in Windows Autopatch: + +| Readiness status | Description | Device blade tab | +| ----- | ----- | ----- | +| Active | Devices with this status successfully passed all prerequisite checks and subsequently successfully registered with Windows Autopatch. Additionally, devices with this status successfully passed all post-device registration readiness checks. | Ready | +| Readiness failed | Devices with this status haven't passed one or more post-device registration readiness checks. These devices aren't ready to have one or more software update workloads managed by Windows Autopatch. | Not ready | +| Inactive | Devices with this status haven't communicated with Microsoft Endpoint Manager-Intune in the last 28 days. | Not ready | +| Pre-requisites failed | Devices with this status haven't passed one or more pre-requisite checks and haven't successfully registered with Windows Autopatch | Not registered | ## Built-in roles required for device registration @@ -119,16 +137,16 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Devices** from the left navigation menu. 3. Under the **Windows Autopatch** section, select **Devices**. -4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +4. Select either the **Ready** or the **Not registered** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not registered** tabs. Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. > [!TIP] -> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. +> You can also use the **Discover Devices** button in either one of the **Ready**, **Not ready**, or **Not registered** device blade tabs to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. On demand means you don't have to wait for Windows Autopatch to discover devices from the Azure AD group on your behalf. ### Windows Autopatch on Windows 365 Enterprise Workloads diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png index 3abdb9288e..f5a8284a8c 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png new file mode 100644 index 0000000000..c6abcd6790 Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-autopatch-post-device-registration-readiness-checks.png differ diff --git a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png index 043e275574..4e347dc3cf 100644 Binary files a/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png and b/windows/deployment/windows-autopatch/media/windows-quality-update-grace-period.png differ diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md index 15a138fcdf..50e4fd586e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md @@ -37,7 +37,7 @@ In this example, we'll be discussing a device in the First ring. The Autopatch s In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. -:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience"::: +:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png"::: ### Feature update deadline forces an update @@ -45,7 +45,7 @@ The following example builds on the scenario outlined in the typical user experi The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. -:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update"::: +:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png"::: ### Feature update grace period @@ -53,7 +53,7 @@ In the following example, the user is on holiday and the device is offline beyon Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. -:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period"::: +:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png"::: ## Servicing window diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md index 8e6075fd7e..1f19a0fd64 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md @@ -46,7 +46,7 @@ The final release schedule is communicated prior to release and may vary a littl | Fast | Release start + 60 days | | Broad | Release start + 90 days | -:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline"::: +:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png"::: ## New devices to Windows Autopatch @@ -64,7 +64,7 @@ When releasing a feature update, there are two policies that are configured by t | Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period | | ----- | ----- | ----- | ----- | ----- | | Test | 21H2 | 0 | 5 | 0 | -| First | 21H2 | 0 | 5 | 0 | +| First | 21H2 | 0 | 5 | 2 | | Fast | 21H2 | 0 | 5 | 2 | | Broad | 21H2 | 0 | 5 | 2 | diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md index 2515a08a9a..9fa7e60794 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md @@ -27,3 +27,7 @@ After you've completed enrollment in Windows Autopatch, some management settings | Setting | Description | | ----- | ----- | | Update rings for Windows 10 or later | For any update rings for Windows 10 or later policies you've created, exclude the **Modern Workplace Devices - All** Azure AD group from each policy. For more information, see [Create and assign update rings](/mem/intune/protect/windows-10-update-rings#create-and-assign-update-rings).Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example:
- Modern Workplace Update Policy [Broad]-[Windows Autopatch]
- Modern Workplace Update Policy [Fast]-[Windows Autopatch]
- Modern Workplace Update Policy [First]-[Windows Autopatch]
- Modern Workplace Update Policy [Test]-[Windows Autopatch]
When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created.
**To resolve the Not ready result:**
After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
**To resolve the Advisory result:**
- Make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.
- If you have assigned Azure AD user groups to these policies, make sure that any update ring policies you have also **exclude** the **Modern Workplace - All** Azure AD group that you add your Windows Autopatch users to (or an equivalent group).
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).
| + +## Windows Autopatch configurations + +Windows Autopatch deploys, manages and maintains all configurations related to the operation of the service, as described in [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). Don't make any changes to any of the Windows Autopatch configurations. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index ddefb5977c..d3ef9e518e 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -33,7 +33,7 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates, as a All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and are pulled directly from the Office Content Delivery Network (CDN). -Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a three-day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update. +Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update has been downloaded, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update. ## Update rings diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 982440f7ea..3169d13cff 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -40,6 +40,9 @@ During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenan Each deployment ring has a different set of update deployment policies to control the updates rollout. +> [!WARNING] +> Adding or importing devices into any of these groups directly is not supported and doing so might cause an unexpected impact on the Windows Autopatch service. To move devices between these groups, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + > [!IMPORTANT] > Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. @@ -58,7 +61,7 @@ The Windows Autopatch deployment ring calculation happens during the [device reg | Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:- **0–500** devices: minimum **one** device.
- **500–5000** devices: minimum **five** devices.
- **5000+** devices: minimum **50** devices.
- **0–500** devices: minimum **one** device.
- **500–5000** devices: minimum **five** devices.
- **5000+** devices: minimum **50** devices.
This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.
Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.
The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.
| | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| @@ -80,7 +83,10 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad > [!NOTE] > You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). - + +> [!WARNING] +> Moving devices between deployment rings through directly changing Azure AD group membership isn't supported and may cause unintended configuration conflicts within the Windows Autopatch service. To avoid service interruption to devices, use the **Assign device to ring** action described previously to move devices between deployment rings. + ## Automated deployment ring remediation functions Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md index 555d20ee68..b83dc059df 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md @@ -36,7 +36,7 @@ Once the deferral period has passed, the device will download the update and not In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline. -:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience"::: +:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png"::: ### Quality update deadline forces an update @@ -48,7 +48,7 @@ In the following example, the user: The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart. -:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update"::: +:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png"::: ### Quality update grace period @@ -56,7 +56,7 @@ In the following example, the user is on holiday and the device is offline beyon Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification. -:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period"::: +:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png"::: ## Servicing window diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index c7c96c2575..a8da5aeb86 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -50,7 +50,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings). -:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: +:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png"::: ## Expedited releases @@ -74,10 +74,6 @@ If we pause the release, a policy will be deployed which prevents devices from u You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager. -## Rollback - -Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md). - ## Incidents and outages If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md index cf052fbba4..d8b16b880a 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md @@ -40,9 +40,9 @@ The update is released to the Test ring on the second Tuesday of the month. Thos ## Device reliability signals -Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. +Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service. -The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version. +The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version. As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update. @@ -51,8 +51,8 @@ Autopatch monitors the following reliability signals: | Device reliability signal | Description | | ----- | ----- | | Blue screens | These events are highly disruptive to end users so are closely watched. | -| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known issue with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | -| Microsoft Office reliability | Tracks the number of Office crashes or freezes per application per device. | +| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. | +| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. | | Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. | | Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 8b42365ad6..df7c2b8966 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -51,7 +51,7 @@ sections: - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.) - question: What are the licensing requirements for Windows Autopatch? answer: | - - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). + - Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). - [Azure AD Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses) (for Co-management) - [Microsoft Intune](/mem/intune/fundamentals/licenses) (includes Configuration Manager 2010 or greater via co-management) - question: Are there hardware requirements for Windows Autopatch? @@ -71,17 +71,21 @@ sections: - question: Can I run Autopatch on my Windows 365 Business Workloads? answer: | No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). + - question: Can you change the policies and configurations created by Windows Autopatch? + answer: | + No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). - name: Update Management questions: - question: What systems does Windows Autopatch update? answer: | - Windows 10/11 quality updates: Windows Autopatch manages all aspects of update rings. + - Windows 10/11 feature updates: Windows Autopatch manages all aspects of update rings. - Microsoft 365 Apps for enterprise updates: All devices registered for Windows Autopatch will receive updates from the Monthly Enterprise Channel. - Microsoft Edge: Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel and will provide support for issues with Microsoft Edge updates. - Microsoft Teams: Windows Autopatch allows eligible devices to benefit from the standard automatic update channels and will provide support for issues with Teams updates. - question: What does Windows Autopatch do to ensure updates are done successfully? answer: | - For Windows quality updates, updates are applied to device in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. + For Windows quality updates, updates are applied to devices in the Test ring first. The devices are evaluated, and then rolled out to the First, Fast then Broad rings. There's an evaluation period at each progression. This process is dependent on customer testing and verification of all updates during these rollout stages. The outcome is to ensure that registered devices are always up to date and disruption to business operations is minimized to free up your IT department from that ongoing task. - question: What happens if there's an issue with an update? answer: | Autopatch relies on the following capabilities to help resolve update issues: @@ -98,7 +102,7 @@ sections: No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). + Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index abbe0e525e..0b64d2adfa 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 08/04/2022 +ms.date: 09/16/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -24,12 +24,12 @@ Getting started with Windows Autopatch has been designed to be easy. This articl | Licensing | Windows Autopatch requires Windows 10/11 Enterprise E3 (or higher) to be assigned to your users. Additionally, Azure Active Directory Premium and Microsoft Intune are required. For details about the specific service plans, see [more about licenses](#more-about-licenses).
For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans).
For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). | | Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network.
For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join.
- For more information, see [Azure Active Directory Connect](/azure/active-directory/hybrid/whatis-azure-ad-connect) and [Hybrid Azure Active Directory join](/azure/active-directory/devices/howto-hybrid-azure-ad-join)
- For more information on supported Azure Active Directory Connect versions, see [Azure AD Connect:Version release history](/azure/active-directory/hybrid/reference-connect-version-history).
At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below.
Other device management prerequisites include:
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices must be managed by either Intune or Configuration Manager Co-management. Devices only managed by Configuration Manager aren't supported.
- Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
- Devices must be connected to the internet.
- Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.
For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview).
| +| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see [co-management requirements for Windows Autopatch](#configuration-manager-co-management-requirements).
Other device management prerequisites include:
- Devices must be corporate-owned. Windows bring-your-own-devices (BYOD) are blocked during device registration prerequisite checks.
- Devices must be managed by either Intune or Configuration Manager co-management. Devices only managed by Configuration Manager aren't supported.
- Devices must be in communication with Microsoft Intune in the **last 28 days**. Otherwise, the devices won't be registered with Autopatch.
- Devices must be connected to the internet.
- Devices must have a **Serial number**, **Model** and **Manufacturer**. Device emulators that don't generate this information fail to meet **Intune or Cloud-attached** prerequisite check.
See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device prerequisites and on how the device registration process works.
For more information on co-management, see [co-management for Windows devices](/mem/configmgr/comanage/overview).
| | Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). | ## More about licenses -Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch: +Windows Autopatch is included with Window 10/11 Enterprise E3 or higher (user-based only). The following are the service plan SKUs that are eligible for Windows Autopatch: | License | ID | GUID number | | ----- | ----- | ------| @@ -45,13 +45,13 @@ The following Windows OS 10 editions, 1809 builds and architecture are supported - Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Pro for Workstations -## Configuration Manager Co-management requirements +## Configuration Manager co-management requirements Windows Autopatch fully supports co-management. The following co-management requirements apply: - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). -- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled: - - Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. +- ConfigMgr must be [cloud-attached with Intune (co-management)](/mem/configmgr/cloud-attach/overview) and must have the following co-management workloads enabled: + - Set the [Windows Update policies workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index ab4daa7fe2..698612aa82 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -14,6 +14,11 @@ msreviewer: hathind # Changes made at tenant enrollment +The following configuration details are provided as information to help you understand the changes made to your tenant when enrolling into the Windows Autopatch service. + +> [!IMPORTANT] +> The service manages and maintains the following configuration items. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. + ## Service principal Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: @@ -29,10 +34,10 @@ Windows Autopatch will create Azure Active Directory groups that are required to | Modern Workplace-All | All Modern Workplace users | | Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | | Modern Workplace Devices-All | All Modern Workplace devices | -| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | -| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | -| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | -| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices-Windows Autopatch-Test | Deployment ring for testing update deployments prior production rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production deployment ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast deployment ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final deployment ring for broad rollout into the organization | | Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10Group Rule:
- `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
- `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`
Exclusions:
- Modern Workplace - Telemetry Settings for Windows 11
Group Rule:
- `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
- `(device.deviceOSVersion -startsWith \"10.0.22000\")`
Exclusions:
- Modern Workplace - Telemetry Settings for Windows 10
-Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication - and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site! -
-The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later - and latest versions of other browsers. -
-Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users. - Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE - without having to deal with the interaction and management overhead. -This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging. - -#### Where can developers learn more? - -The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn) diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index ebbea60361..c2527f8e0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -15,6 +15,7 @@ manager: aaroncz appliesto: - ✅ Windows 10 - ✅ Windows 11 +- ✅ Windows Holographic for Business --- # Windows Hello biometrics in the enterprise @@ -27,61 +28,71 @@ Windows Hello is the biometric authentication feature that helps strengthen auth Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. ## How does Windows Hello work? -Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. + +Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. ## Why should I let my employees use Windows Hello? + Windows Hello provides many benefits, including: -- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. +- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. -- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! +- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! -- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. +- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. ## Where is Windows Hello data stored? + The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor. > [!NOTE] >Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file. ## Has Microsoft set any device requirements for Windows Hello? + We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: -- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. +- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. -- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. +- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. ### Fingerprint sensor requirements -To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). + +To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative logon option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). **Acceptable performance range for small to large size touch sensors** -- False Accept Rate (FAR): <0.001 – 0.002% +- False Accept Rate (FAR): <0.001 – 0.002% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% **Acceptable performance range for swipe sensors** -- False Accept Rate (FAR): <0.002% +- False Accept Rate (FAR): <0.002% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% ### Facial recognition sensors + To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). -- False Accept Rate (FAR): <0.001% +- False Accept Rate (FAR): <0.001% -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% > [!NOTE] ->Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock you device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. +>Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. +### Iris recognition sensor requirements + +To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K. ## Related topics + - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) @@ -90,12 +101,3 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) - - - - - - - - - diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 0f2c45e2f0..00e6171863 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -35,7 +35,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme - Multi-factor Authentication is required during Windows Hello for Business provisioning - Proper name resolution, both internal and external names - Active Directory and an adequate number of domain controllers per site to support authentication -- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud trust deployments) +- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud Kerberos trust deployments) - One or more workstation computers running Windows 10, version 1703 or later If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. @@ -44,23 +44,23 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key trust*, *certificate trust*, and *cloud trust*. On-premises deployment models only support *Key trust* and *certificate trust*. +Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key Trust*, *Certificate Trust*, and *cloud Kerberos trust*. On-premises deployment models only support *Key Trust* and *Certificate Trust*. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. The trust model determines how you want users to authenticate to the on-premises Active Directory: - The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates. -- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using cloud trust instead of key trust if the clients in your enterprise support it. +- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using **cloud Kerberos trust** instead of **Key Trust** if the clients in your enterprise support it. - The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today. - The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. > [!Note] -> RDP does not support authentication with Windows Hello for Business key trust or cloud trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust and cloud trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> RDP does not support authentication with Windows Hello for Business Key Trust or cloud Kerberos trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business Key Trust and cloud Kerberos trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). Following are the various deployment guides and models included in this topic: -- [Hybrid Azure AD Joined Cloud Trust Deployment](hello-hybrid-cloud-trust.md) +- [Hybrid Azure AD Joined cloud Kerberos trust Deployment](hello-hybrid-cloud-kerberos-trust.md) - [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) - [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) - [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index d995550c13..3a4f97b0d0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -69,9 +69,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| - - +| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation @@ -100,6 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance. | 0x801C03F1 | There is no UPN in the token. | | 0x801C044C | There is no core window for the current thread. | | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. | +| 0xCAA30193 | HTTP 403 Request Forbidden: it means request left the device, however either Server, proxy or firewall generated this response. | ## Related topics diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 5900a1444c..88115dc1cb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -29,9 +29,9 @@ sections: - name: Ignored questions: - - question: What is Windows Hello for Business cloud trust? + - question: What is Windows Hello for Business cloud Kerberos trust? answer: | - Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust). + Windows Hello for Business cloud Kerberos trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid cloud Kerberos trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust). - question: What about virtual smart cards? @@ -84,7 +84,7 @@ sections: - question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera? answer: | - Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). + Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors). - question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked? answer: | @@ -155,7 +155,7 @@ sections: - question: Where is Windows Hello biometrics data stored? answer: | - When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn’t roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). + When you enroll in Windows Hello, a representation of your face called an enrollment profile is created more information can be found on [Windows Hello face authentication](/windows-hardware/design/device-experiences/windows-hello-face-authentication). This enrollment profile biometrics data is device specific, is stored locally on the device, and does not leave the device or roam with the user. Some external fingerprint sensors store biometric data on the fingerprint module itself rather than on Windows device. Even in this case, the biometrics data is stored locally on those modules, is device specific, doesn't roam, never leaves the module, and is never sent to Microsoft cloud or external server. For more details see [Windows Hello biometrics in the enterprise](/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise#where-is-windows-hello-data-stored). - question: What is the format used to store Windows Hello biometrics data on the device? answer: | @@ -261,5 +261,4 @@ sections: - question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients? answer: | - No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD. - + No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 435fe6109b..9b9e87b305 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -96,8 +96,8 @@ Using Group Policy, Microsoft Intune or a compatible MDM solution, you can confi |--- |--- |--- | |**Functionality**|The user's existing PIN and underlying credentials, including any keys or certificates added to their Windows Hello container, will be deleted from the client and a new logon key and PIN are provisioned.|You must deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature. For more information on how to deploy the Microsoft PIN reset service and client policy, see [Connect Azure Active Directory with the PIN reset service](#connect-azure-active-directory-with-the-pin-reset-service). During a non-destructive PIN reset, the user's Windows Hello for Business container and keys are preserved, but the user's PIN that they use to authorize key usage is changed.| |**Windows editions and versions**|Reset from settings - Windows 10, version 1703 or later, Windows 11. Reset above Lock - Windows 10, version 1709 or later, Windows 11.|Windows 10, version 1709 to 1809, Enterprise Edition. There is no licensing requirement for this feature since version 1903. Enterprise Edition and Pro edition with Windows 10, version 1903 and newer Windows 11.| -|**Azure Active Directory Joined**|Cert Trust, Key Trust, and Cloud Trust|Cert Trust, Key Trust, and Cloud Trust| -|**Hybrid Azure Active Directory Joined**|Cert Trust and Cloud Trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and Cloud Trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| +|**Azure Active Directory Joined**|Cert Trust, Key Trust, and cloud Kerberos trust|Cert Trust, Key Trust, and cloud Kerberos trust| +|**Hybrid Azure Active Directory Joined**|Cert Trust and cloud Kerberos trust for both settings and above the lock support destructive PIN reset. Key Trust doesn't support this from above the lock screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. It does support from the settings page and the users must have a corporate network connectivity to the DC. |Cert Trust, Key Trust, and cloud Kerberos trust for both settings and above the lock support non-destructive PIN reset. No network connection is required for the DC.| |**On Premises**|If ADFS is being used for on premises deployments, users must have a corporate network connectivity to federation services. |The PIN reset service relies on Azure Active Directory identities, so it is only available for Hybrid Azure Active Directory Joined and Azure Active Directory Joined devices.| |**Additional Configuration required**|Supported by default and doesn't require configuration|Deploy the Microsoft PIN reset service and client policy to enable the PIN recovery feature On-board the Microsoft PIN reset service to respective Azure Active Directory tenant Configure Windows devices to use PIN reset using Group *Policy\MDM*.| |**MSA/Enterprise**|MSA and Enterprise|Enterprise only.| diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 909df0b77b..ffaec80712 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -21,10 +21,10 @@ Windows Hello for Business authentication is passwordless, two-factor authentica Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background. - [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory) -- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview) +- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-kerberos-trust) - [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key) - [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate) -- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview) +- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust) - [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key) - [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate) @@ -43,7 +43,7 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| -## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview) +## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud Kerberos trust)  @@ -78,13 +78,13 @@ Azure Active Directory-joined devices authenticate to Azure during sign-in and c > [!NOTE] > You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. -## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview) +## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust)  | Phase | Description | | :----: | :----------- | -|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud trust is enabled. If cloud trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce. +|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud Kerberos trust is enabled. If cloud Kerberos trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce. |B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD. |C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP. |D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT. diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 7d93ef16b8..6ebf241107 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -26,7 +26,7 @@ List of provisioning flows: - [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment) - [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment) -- [Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-trust-preview-deployment-in-a-managed-environment) +- [Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-kerberos-trust-deployment-in-a-managed-environment) - [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment) - [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment) - [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment) @@ -62,9 +62,9 @@ List of provisioning flows: [Return to top](#windows-hello-for-business-provisioning) -## Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment +## Hybrid Azure AD joined provisioning in a cloud Kerberos trust deployment in a managed environment - + [Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png) | Phase | Description | @@ -74,7 +74,7 @@ List of provisioning flows: | C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. | > [!NOTE] -> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential. +> Windows Hello for Business cloud Kerberos trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential. [Return to top](#windows-hello-for-business-provisioning) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md similarity index 54% rename from windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md rename to windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 8765cbc8c3..b953d1d21e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -1,6 +1,6 @@ --- -title: Hybrid Cloud Trust Deployment (Windows Hello for Business) -description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. +title: Hybrid cloud Kerberos trust Deployment (Windows Hello for Business) +description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. ms.prod: m365-security author: paolomatarazzo ms.author: paoloma @@ -11,61 +11,68 @@ ms.topic: article localizationpriority: medium ms.date: 2/15/2022 appliesto: -- ✅ Windows 10 21H2 and later +- ✅ Windows 10, version 21H2 and later - ✅ Windows 11 +- ✅ Hybrid deployment +- ✅ Cloud Kerberos trust --- -# Hybrid Cloud Trust Deployment (Preview) +# Hybrid Cloud Kerberos Trust Deployment (Preview) -Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. +Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud Kerberos trust scenario. -## Introduction to Cloud Trust +## Introduction to Cloud Kerberos Trust -The goal of the Windows Hello for Business cloud trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls. +The goal of the Windows Hello for Business cloud Kerberos trust is to bring the simplified deployment experience of [on-premises SSO with passwordless security keys](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises) to Windows Hello for Business. This deployment model can be used for new Windows Hello for Business deployments or existing deployments can move to this model using policy controls. -Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model: +Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model: -- Windows Hello for Business cloud trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI. -- Cloud trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate. -- Deploying Windows Hello for Business cloud trust enables you to also deploy passwordless security keys with minimal extra setup. +- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI +- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate +- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup > [!NOTE] -> Windows Hello for Business cloud trust is recommended instead of key trust if you meet the prerequisites to deploy cloud trust. Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. +> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios. -## Azure Active Directory Kerberos and Cloud Trust Authentication +## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication -Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. +Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. cloud Kerberos trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT. With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs. When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server object is created in your on-premises AD. This object will appear as a Read Only Domain Controller (RODC) object but isn't associated with any physical servers. This resource is only used by Azure Active Directory to generate TGTs for your Active Directory Domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object. -More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). +More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust). -If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. +If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. ## Prerequisites | Requirement | Notes | | --- | --- | | Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. | -| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | +| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. | | Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. | | Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).| -| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | +| Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. | ### Unsupported Scenarios -The following scenarios aren't supported using Windows Hello for Business cloud trust: +The following scenarios aren't supported using Windows Hello for Business cloud Kerberos trust: - On-premises only deployments - RDP/VDI scenarios using supplied credentials (RDP/VDI can be used with Remote Credential Guard or if a certificate is enrolled into the Windows Hello for Business container) - Scenarios that require a certificate for authentication -- Using cloud trust for "Run as" -- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity +- Using cloud Kerberos trust for "Run as" +- Signing in with cloud Kerberos trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity + +> [!NOTE] +> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys. +> +> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\
- Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name
- Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*
- OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\
*`/Policies/UseCloudTrustForOnPremAuth`** - Data type: **Boolean**
- Value: **True**
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate trust
Mixed managed | Certificate trust
Modern managed | +| Requirement | cloud Kerberos trust
Group Policy or Modern managed | Key trust
Group Policy or Modern managed | Certificate Trust
Mixed managed | Certificate Trust
Modern managed | | --- | --- | --- | --- | --- | | **Windows Version** | Windows 10, version 21H2 with KB5010415; Windows 11 with KB5010414; or later | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | | **Schema Version** | No specific Schema requirement | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | | **Domain and Forest Functional Level** | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | **Domain Controller Version** | Windows Server 2016 or later | Windows Server 2016 or later | Windows Server 2008 R2 or later | Windows Server 2008 R2 or later | | **Certificate Authority**| N/A | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
and
Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | Windows Server 2012 or later Network Device Enrollment Service | +| **AD FS Version** | N/A | N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients managed by Group Policy),
and
Windows Server 2012 or later Network Device Enrollment Service (hybrid Azure AD joined & Azure AD joined managed by MDM) | Windows Server 2012 or later Network Device Enrollment Service | | **MFA Requirement** | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | | **Azure AD Connect** | N/A | Required | Required | Required | | **Azure AD License** | Azure AD Premium, optional | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional. Intune license required | > [!Important] -> - Hybrid deployments support non-destructive PIN reset that works with certificate trust, key trust and cloud trust models. +> - Hybrid deployments support non-destructive PIN reset that works with Certificate Trust, Key Trust and cloud Kerberos trust models. > > **Requirements:** > - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 6a355853aa..6efd13da5a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -14,6 +14,7 @@ localizationpriority: medium appliesto: - ✅ Windows 10 - ✅ Windows 11 +- ✅ Windows Holographic for Business --- # Windows Hello for Business Overview @@ -46,6 +47,7 @@ As an administrator in an enterprise or educational organization, you can create - **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. - **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards. +- **Iris Recognition**. This type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner. These iris scanners are the same across all HoloLens 2 devices. Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). @@ -94,9 +96,9 @@ For details, see [How Windows Hello for Business works](hello-how-it-works.md). ## Comparing key-based and certificate-based authentication -Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud trust for hybrid deployments, which uses Azure AD as the root of trust. Cloud trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. +Windows Hello for Business can use either keys (hardware or software) or certificates in hardware or software. Enterprises that have a public key infrastructure (PKI) for issuing and managing end user certificates can continue to use PKI in combination with Windows Hello for Business. Enterprises that don't use PKI or want to reduce the effort associated with managing user certificates can rely on key-based credentials for Windows Hello. This functionality still uses certificates on the domain controllers as a root of trust. Starting with Windows 10 version 21H2, there's a feature called cloud Kerberos trust for hybrid deployments, which uses Azure AD as the root of trust. cloud Kerberos trust uses key-based credentials for Windows Hello but doesn't require certificates on the domain controller. -Windows Hello for Business with a key, including cloud trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +Windows Hello for Business with a key, including cloud Kerberos trust, doesn't support supplied credentials for RDP. RDP doesn't support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business with a key credential can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). ## Learn more diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index c1dc768999..32137c8e75 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -93,7 +93,7 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. > [!NOTE] -> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. +> Windows Hello for Business introduced a new trust model called cloud Kerberos trust, in early 2022. This model enables deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see ./hello-hybrid-cloud-kerberos-trust.md. The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. diff --git a/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png new file mode 100644 index 0000000000..49639cefcf Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png differ diff --git a/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png new file mode 100644 index 0000000000..97ca13f648 Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/webauthn-apis/webauthn-apis-fido2-overview.png differ diff --git a/windows/security/identity-protection/hello-for-business/index.yml b/windows/security/identity-protection/hello-for-business/index.yml index bdd841ab2c..3907b4b422 100644 --- a/windows/security/identity-protection/hello-for-business/index.yml +++ b/windows/security/identity-protection/hello-for-business/index.yml @@ -65,6 +65,8 @@ landingContent: url: hello-identity-verification.md - linkListType: how-to-guide links: + - text: Hybrid Cloud Kerberos Trust Deployment + url: hello-hybrid-cloud-kerberos-trust.md - text: Hybrid Azure AD Joined Key Trust Deployment url: hello-hybrid-key-trust.md - text: Hybrid Azure AD Joined Certificate Trust Deployment diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 1e3bd031b3..2c22050ab0 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -21,6 +21,8 @@ href: hello-how-it-works-provisioning.md - name: Authentication href: hello-how-it-works-authentication.md + - name: WebAuthn APIs + href: webauthn-apis.md - name: How-to Guides items: - name: Windows Hello for Business Deployment Overview @@ -33,8 +35,8 @@ href: hello-prepare-people-to-use.md - name: Deployment Guides items: - - name: Hybrid Cloud Trust Deployment - href: hello-hybrid-cloud-trust.md + - name: Hybrid Cloud Kerberos Trust Deployment + href: hello-hybrid-cloud-kerberos-trust.md - name: Hybrid Azure AD Joined Key Trust items: - name: Hybrid Azure AD Joined Key Trust Deployment diff --git a/windows/security/identity-protection/hello-for-business/webauthn-apis.md b/windows/security/identity-protection/hello-for-business/webauthn-apis.md new file mode 100644 index 0000000000..26654a00e4 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/webauthn-apis.md @@ -0,0 +1,124 @@ +--- +title: WebAuthn APIs +description: Learn how to use WebAuthn APIs to enable passwordless authentication for your sites and apps. +ms.prod: m365-security +author: paolomatarazzo +ms.author: paoloma +manager: aaroncz +ms.reviewer: prsriva +ms.collection: M365-identity-device-management +ms.topic: article +localizationpriority: medium +ms.date: 09/15/2022 +appliesto: +- ✅ Windows 10 +- ✅ Windows 11 +--- +# WebAuthn APIs for passwordless authentication on Windows + +Passwords can leave your customers vulnerable to data breaches and security attacks by malicious users. + +Microsoft has long been a proponent of passwordless authentication, and has introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903). + +Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms. + +## What does this mean? + +By using WebAuthn APIs, developer partners and the developer community can use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md) to implement passwordless multi-factor authentication for their applications on Windows devices. + +Users of these apps or sites can use any browser that supports WebAuthn APIs for passwordless authentication. Users will have a familiar and consistent experience on Windows, no matter which browser they use. + +Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead. + +> [!NOTE] +> When these APIs are in use, Windows 10 browsers or applications don't have direct access to the FIDO2 transports for FIDO-related messaging. + +## The big picture + +The Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators). + +The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally. + +After these client-specific keys are created, clients can request attestations for registration and authentication. The type of signature that the private key uses reflects the user gesture that was made. + +The following diagram shows how CTAP and WebAuthn interact. The light blue dotted arrows represent interactions that depend on the specific implementation of the platform APIs. + +:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview.png" alt-text="The diagram shows how the WebAuthn API interacts with the relying parties and the CTAPI2 API."::: + +*Relationships of the components that participate in passwordless authentication* + +A combined WebAuthn/CTAP2 dance includes the following cast of characters: + +- **Client device**. The *client device* is the hardware that hosts a given strong authentication. Laptops and phones are examples of client devices. + +- **Relying parties and clients**. *Relying parties* are web or native applications that consume strong credentials. The relying parties run on client devices. + + - As a relying party, a native application can also act as a WebAuthn client to make direct WebAuthn calls. + + - As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser. + + > [!NOTE] + > The preceding diagram doesn't depict Single Sign-On (SSO) authentication. Be careful not to confuse FIDO relying parties with federated relying parties. + +- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request the authenticator to create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on. + +- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions shown in the preceding diagram may differ. + +- **Platform authenticator**. A *platform authenticator* usually resides on a client device. Examples of platform authenticators include fingerprint recognition technology that uses a built-in laptop fingerprint reader and facial recognition technology that uses a built-in smartphone camera. Cross-platform transport protocols such as USB, NFC or BLE can't access platform authenticators. + +- **Roaming authenticator**. A *roaming authenticator* can connect to multiple client devices. Client devices must use a supported transport protocol to negotiate interactions. Examples of roaming authenticators include USB security keys, BLE-enabled smartphone applications, and NFC-enabled proximity cards. Roaming authenticators can support CTAP1, CTAP2, or both protocols. + +Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile application. + +## Interoperability + +Before WebAuthn and CTAP2, there were U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality. + +FIDO2 authenticators have already been implemented and WebAuthn relying parties might require the following optional features: + +- Keys for multiple accounts (keys can be stored per relying party) +- Client PIN +- Location (the authenticator returns a location) +- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios) + +The following options might be useful in the future, but haven't been observed in the wild yet: + +- Transactional approval +- User verification index (servers can determine whether biometric data that's stored locally has changed over time) +- User verification method (the authenticator returns the exact method) +- Biometric performance bounds (the relying party can specify acceptable false acceptance and false rejection rates) + +## Microsoft implementation + +The Microsoft FIDO2 implementation has been years in the making. Software and services are implemented independently as standards-compliant entities. As of the Windows 10, version 1809 (October 2018) release, all Microsoft components use the latest WebAuthn Candidate Release. It's a stable release that's not expected to normatively change before the specification is finally ratified. Because Microsoft is among the first in the world to deploy FIDO2, some combinations of popular non-Microsoft components won't be interoperable yet. + +Here's an approximate layout of where the Microsoft bits go: + +:::image type="content" source="images/webauthn-apis/webauthn-apis-fido2-overview-microsoft-version.png" alt-text="The diagram shows how the WebAuthn API interacts with the Microsoft relying parties and the CTAPI2 API."::: + +*Microsoft's implementation of WebAuthn and CATP2 APIs* + +- **WebAuthn relying party: Microsoft Account**. If you aren't familiar with Microsoft Account, it's the sign-in service for Xbox, Outlook, and many other sites. The sign-in experience uses client-side JavaScript to trigger Microsoft Edge to talk to the WebAuthn APIs. Microsoft Account requires that authenticators have the following characteristics: + + - Keys are stored locally on the authenticator and not on a remote server + - Offline scenarios work (enabled by using HMAC) + - Users can put keys for multiple user accounts on the same authenticator + - If it's necessary, authenticators can use a client PIN to unlock a TPM + > [!IMPORTANT] + > Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials. + +- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn. + + > [!NOTE] + > For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication). + +- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs. + +- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs. + +## Developer references + +The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications: + +- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec. +- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This document is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication. diff --git a/windows/security/images/icons/accessibility.svg b/windows/security/images/icons/accessibility.svg new file mode 100644 index 0000000000..21a6b4f235 --- /dev/null +++ b/windows/security/images/icons/accessibility.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/group-policy.svg b/windows/security/images/icons/group-policy.svg new file mode 100644 index 0000000000..ace95add6b --- /dev/null +++ b/windows/security/images/icons/group-policy.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/intune.svg b/windows/security/images/icons/intune.svg new file mode 100644 index 0000000000..6e0d938aed --- /dev/null +++ b/windows/security/images/icons/intune.svg @@ -0,0 +1,24 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/powershell.svg b/windows/security/images/icons/powershell.svg new file mode 100644 index 0000000000..ab2d5152ca --- /dev/null +++ b/windows/security/images/icons/powershell.svg @@ -0,0 +1,20 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/provisioning-package.svg b/windows/security/images/icons/provisioning-package.svg new file mode 100644 index 0000000000..dbbad7d780 --- /dev/null +++ b/windows/security/images/icons/provisioning-package.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/registry.svg b/windows/security/images/icons/registry.svg new file mode 100644 index 0000000000..06ab4c09d7 --- /dev/null +++ b/windows/security/images/icons/registry.svg @@ -0,0 +1,22 @@ + \ No newline at end of file diff --git a/windows/security/images/icons/windows-os.svg b/windows/security/images/icons/windows-os.svg new file mode 100644 index 0000000000..da64baf975 --- /dev/null +++ b/windows/security/images/icons/windows-os.svg @@ -0,0 +1,3 @@ + \ No newline at end of file diff --git a/windows/security/index.yml b/windows/security/index.yml index 2fedb0e205..c8868f61f1 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -133,13 +133,13 @@ landingContent: - linkListType: concept links: - text: Mobile device management - url: https://docs.microsoft.com/windows/client-management/mdm/ + url: /windows/client-management/mdm/ - text: Azure Active Directory url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory - text: Your Microsoft Account url: identity-protection/access-control/microsoft-accounts.md - text: OneDrive - url: https://docs.microsoft.com/onedrive/onedrive + url: /onedrive/onedrive - text: Family safety url: threat-protection/windows-defender-security-center/wdsc-family-options.md # Cards and links should be based on top customer tasks or top subjects @@ -170,4 +170,3 @@ landingContent: links: - text: Windows and Privacy Compliance url: /windows/privacy/windows-10-and-privacy-compliance - diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index 7c87a7eecd..50d55f1b6b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -1,12 +1,13 @@ --- -title: BitLocker recovery guide (Windows 10) -description: This article for IT professionals describes how to recover BitLocker keys from AD DS. -ms.reviewer: -ms.prod: m365-security +title: BitLocker recovery guide +description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). +ms.prod: windows-client +ms.technology: itpro-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: frankroj +ms.author: frankroj +ms.reviewer: rafals +manager: aaroncz ms.collection: - M365-security-compliance - highpri @@ -21,11 +22,11 @@ ms.custom: bitlocker - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later -This article for IT professionals describes how to recover BitLocker keys from AD DS. +This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). -Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. +Organizations can use BitLocker recovery information saved in AD DS to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended. This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS. @@ -45,7 +46,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive: -- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout. +- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout. - On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised. - Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD. - Failing to boot from a network drive before booting from the hard drive. @@ -280,8 +281,16 @@ This error might occur if you updated the firmware. As a best practice, you shou ## Windows RE and BitLocker Device Encryption -Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLocker–protected drives. +Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally. + +The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available. + +To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. +To activate the on-screen keyboard, tap on a text input control. + +:::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated."::: ## BitLocker recovery screen diff --git a/windows/security/information-protection/bitlocker/images/bl-narrator.png b/windows/security/information-protection/bitlocker/images/bl-narrator.png new file mode 100644 index 0000000000..223d0bc3b6 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/bl-narrator.png differ diff --git a/windows/security/information-protection/images/pluton/pluton-firmware-load.png b/windows/security/information-protection/images/pluton/pluton-firmware-load.png new file mode 100644 index 0000000000..28dee91260 Binary files /dev/null and b/windows/security/information-protection/images/pluton/pluton-firmware-load.png differ diff --git a/windows/security/information-protection/images/pluton/pluton-security-architecture.png b/windows/security/information-protection/images/pluton/pluton-security-architecture.png new file mode 100644 index 0000000000..adab20b080 Binary files /dev/null and b/windows/security/information-protection/images/pluton/pluton-security-architecture.png differ diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md new file mode 100644 index 0000000000..0151546bcc --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md @@ -0,0 +1,124 @@ +--- +title: Configure Personal Data Encryption (PDE) in Intune +description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune + +author: frankroj +ms.author: frankroj +ms.reviewer: rafals +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 09/22/2022 +--- + + + +# Configure Personal Data Encryption (PDE) policies in Intune + +## Required prerequisites + +### Enable Personal Data Encryption (PDE) + +1. Sign into the Intune +2. Navigate to **Devices** > **Configuration Profiles** +3. Select **Create profile** +4. Under **Platform**, select **Windows 10 and later** +5. Under **Profile type**, select **Templates** +6. Under **Template name**, select **Custom**, and then select **Create** +7. On the ****Basics** tab: + 1. Next to **Name**, enter **Personal Data Encryption** + 2. Next to **Description**, enter a description +8. Select **Next** +9. On the **Configuration settings** tab, select **Add** +10. In the **Add Row** window: + 1. Next to **Name**, enter **Personal Data Encryption** + 2. Next to **Description**, enter a description + 3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** + 4. Next to **Data type**, select **Integer** + 5. Next to **Value**, enter in **1** +11. Select **Save**, and then select **Next** +12. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the PDE policy should be deployed to + 3. Select **Select** + 4. Select **Next** +13. On the **Applicability Rules** tab, configure if necessary and then select **Next** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +#### Disable Winlogon automatic restart sign-on (ARSO) + +1. Sign into the Intune +2. Navigate to **Devices** > **Configuration Profiles** +3. Select **Create profile** +4. Under **Platform**, select **Windows 10 and later** +5. Under **Profile type**, select **Templates** +6. Under **Template name**, select **Administrative templates**, and then select **Create** +7. On the ****Basics** tab: + 1. Next to **Name**, enter **Disable ARSO** + 2. Next to **Description**, enter a description +8. Select **Next** +9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options** +10. Select **Sign-in and lock last interactive user automatically after a restart** +11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** +12. Select **Next** +13. On the **Scope tags** tab, configure if necessary and then select **Next** +12. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the ARSO policy should be deployed to + 3. Select **Select** + 4. Select **Next** +13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +## Recommended prerequisites + +#### Disable crash dumps + +1. Sign into the Intune +2. Navigate to **Devices** > **Configuration Profiles** +3. Select **Create profile** +4. Under **Platform**, select **Windows 10 and later** +5. Under **Profile type**, select **Settings catalog**, and then select **Create** +6. On the ****Basics** tab: + 1. Next to **Name**, enter **Disable Hibernation** + 2. Next to **Description**, enter a description +7. Select **Next** +8. On the **Configuration settings** tab, select **Add settings** +9. In the **Settings picker** windows, select **Memory Dump** +10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next** +12. On the **Scope tags** tab, configure if necessary and then select **Next** +13. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the crash dumps policy should be deployed to + 3. Select **Select** + 4. Select **Next** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +#### Disable hibernation + +1. Sign into the Intune +2. Navigate to **Devices** > **Configuration Profiles** +3. Select **Create profile** +4. Under **Platform**, select **Windows 10 and later** +5. Under **Profile type**, select **Settings catalog**, and then select **Create** +6. On the ****Basics** tab: + 1. Next to **Name**, enter **Disable Hibernation** + 2. Next to **Description**, enter a description +7. Select **Next** +8. On the **Configuration settings** tab, select **Add settings** +9. In the **Settings picker** windows, select **Power** +10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window +11. Change **Allow Hibernate** to **Block**, and then select **Next** +12. On the **Scope tags** tab, configure if necessary and then select **Next** +13. On the **Assignments** tab: + 1. Under **Included groups**, select **Add groups** + 2. Select the groups that the hibernation policy should be deployed to + 3. Select **Select** + 4. Select **Next** +14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create** + +## See also +- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) \ No newline at end of file diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/information-protection/personal-data-encryption/faq-pde.yml new file mode 100644 index 0000000000..744161659e --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/faq-pde.yml @@ -0,0 +1,74 @@ +### YamlMime:FAQ + +metadata: + title: Frequently asked questions for Personal Data Encryption (PDE) + description: Answers to common questions regarding Personal Data Encryption (PDE). + author: frankroj + ms.author: frankroj + ms.reviewer: rafals + manager: aaroncz + ms.topic: faq + ms.prod: windows-client + ms.technology: itpro-security + ms.localizationpriority: medium + ms.date: 09/22/2022 + +title: Frequently asked questions for Personal Data Encryption (PDE) +summary: | + Here are some answers to common questions regarding Personal Data Encryption (PDE) + +sections: + - name: Single section - ignored + questions: + - question: Can PDE encrypt entire volumes or drives? + answer: | + No. PDE only encrypts specified files. + + - question: Is PDE a replacement for BitLocker? + answer: | + No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security. + + - question: Can an IT admin specify which files should be encrypted? + answer: | + Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + + - question: Do I need to use OneDrive as my backup provider? + answer: | + No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider. + + - question: What is the relation between Windows Hello for Business and PDE? + answer: | + During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files. + + - question: Can a file be encrypted with both PDE and EFS at the same time? + answer: | + No. PDE and EFS are mutually exclusive. + + - question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)? + answer: | + No. Accessing PDE encrypted files over RDP isn't currently supported. + + - question: Can PDE encrypted files be access via a network share? + answer: | + No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials. + + - question: How can it be determined if a file is encrypted with PDE? + answer: | + Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file. + + - question: Can users manually encrypt and decrypt files with PDE? + answer: | + Currently users can decrypt files manually but they can't encrypt files manually. + + - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files? + answer: | + No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics. + + - question: What encryption method and strength does PDE use? + answer: | + PDE uses AES-CBC with a 256-bit key to encrypt files + +additionalContent: | + ## See also + - [Personal Data Encryption (PDE)](overview-pde.md) + - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) \ No newline at end of file diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md new file mode 100644 index 0000000000..7ca7334657 --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/includes/pde-description.md @@ -0,0 +1,27 @@ +--- +title: Personal Data Encryption (PDE) description +description: Personal Data Encryption (PDE) description include file + +author: frankroj +ms.author: frankroj +ms.reviewer: rafals +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 09/22/2022 +--- + + + +Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. + +PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. + +PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features. + +Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked. + +> [!NOTE] +> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE. diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/information-protection/personal-data-encryption/overview-pde.md new file mode 100644 index 0000000000..fb78dc475b --- /dev/null +++ b/windows/security/information-protection/personal-data-encryption/overview-pde.md @@ -0,0 +1,140 @@ +--- +title: Personal Data Encryption (PDE) +description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. + +author: frankroj +ms.author: frankroj +ms.reviewer: rafals +manager: aaroncz +ms.topic: how-to +ms.prod: windows-client +ms.technology: itpro-security +ms.localizationpriority: medium +ms.date: 09/22/2022 +--- + + + +# Personal Data Encryption (PDE) + +(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*) + +[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] + +## Prerequisites + +### **Required** + - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) + - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) + - Windows 11, version 22H2 and later Enterprise and Education editions + +### **Not supported with PDE** + - [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md) + - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)). + - [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) + - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) + - Remote Desktop connections + +### **Highly recommended** + - [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled + - Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it. + - Backup solution such as [OneDrive](/onedrive/onedrive) + - In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup. + - [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) + - Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. + - [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security) + - Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN + - [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump) + - Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps). + - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) + - Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation). + +## PDE protection levels + +PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). + +| Item | Level 1 | Level 2 | +|---|---|---| +| Data is accessible when user is signed in | Yes | Yes | +| Data is accessible when user has locked their device | Yes | No | +| Data is accessible after user signs out | No | No | +| Data is accessible when device is shut down | No | No | +| Decryption keys discarded | After user signs out | After user locks device or signs out | + +## PDE encrypted files accessibility + +When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file. + +Scenarios where a user will be denied access to a PDE encrypted file include: + +- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN. +- If specified via level 2 protection, when the device is locked. +- When trying to access files on the device remotely. For example, UNC network paths. +- Remote Desktop sessions. +- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files. + +## How to enable PDE + +To enable PDE on devices, push an MDM policy to the devices with the following parameters: + +- Name: **Personal Data Encryption** +- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption** +- Data type: **Integer** +- Value: **1** + +There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it. + +> [!NOTE] +> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled. + +For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde). + +## Differences between PDE and BitLocker + +| Item | PDE | BitLocker | +|--|--|--| +| Release of key | At user sign-in via Windows Hello for Business | At boot | +| Keys discarded | At user sign-out | At reboot | +| Files encrypted | Individual specified files | Entire volume/drive | +| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in | +| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features | + +## Differences between PDE and EFS + +The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files. + +To see if a file is encrypted with PDE or EFS: + +1. Open the properties of the file +2. Under the **General** tab, select **Advanced...** +3. In the **Advanced Attributes** windows, select **Details** + +For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**. + +For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**. + +Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command. + +## Disable PDE and decrypt files + +Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps: + +1. Open the properties of the file +2. Under the **General** tab, select **Advanced...** +3. Uncheck the option **Encrypt contents to secure data** +4. Select **OK**, and then **OK** again + +> [!Important] +> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again. + +## Windows out of box applications that support PDE + +Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE. + +- Mail + - Supports encrypting both email bodies and attachments + +## See also +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) +- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) diff --git a/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md new file mode 100644 index 0000000000..b96b652981 --- /dev/null +++ b/windows/security/information-protection/pluton/microsoft-pluton-security-processor.md @@ -0,0 +1,52 @@ +--- +title: Microsoft Pluton security processor +description: Learn more about Microsoft Pluton security processor +ms.reviewer: +ms.prod: m365-security +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz +ms.localizationpriority: medium +ms.collection: + - M365-security-compliance +ms.topic: conceptual +ms.date: 09/15/2022 +appliesto: +- ✅ Windows 11, version 22H2 +--- + +# Microsoft Pluton security processor + +Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. + +Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2. + +## What is Microsoft Pluton? + +Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker has installed malware or has complete physical possession of the PC. + +Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module as well as deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md). + +Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor – The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/). + +## Microsoft Pluton security architecture overview + + + +Pluton Security subsystem consists of the following layers: + +| | Description | +|--|--| +| **Hardware** | Pluton Security Processor is a secure element tightly integrated into the SoC subsystem. It provides a trusted execution environment while delivering cryptographic services required for protecting sensitive resources and critical items like keys, data, etc. | +| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For additional information, see [Firmware load flow](#firmware-load-flow) | +| **Software** | Operating system drivers and applications available to an end user to allow seamless usage of the hardware capabilities provided by the Pluton security subsystem. | + +## Firmware load flow + +When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware is not available, Windows uses the firmware that was loaded during the hardware initialization. The diagram below illustrates this process: + + + +## Related topics + +[Microsoft Pluton as TPM](pluton-as-tpm.md) diff --git a/windows/security/information-protection/pluton/pluton-as-tpm.md b/windows/security/information-protection/pluton/pluton-as-tpm.md new file mode 100644 index 0000000000..121337c071 --- /dev/null +++ b/windows/security/information-protection/pluton/pluton-as-tpm.md @@ -0,0 +1,50 @@ +--- +title: Microsoft Pluton as Trusted Platform Module (TPM 2.0) +description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0) +ms.reviewer: +ms.prod: m365-security +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz +ms.localizationpriority: medium +ms.collection: + - M365-security-compliance +ms.topic: conceptual +ms.date: 09/15/2022 +appliesto: +- ✅ Windows 11, version 22H2 +--- + +# Microsoft Pluton as Trusted Platform Module + +Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard. + +As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material. + +Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for them to apply these updates. + +To learn more about the TPM related scenarios that benefit from Pluton, see [TPM and Windows Features](/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features). + +## Microsoft Pluton as a security processor alongside discrete TPM + +Microsoft Pluton can be used as a TPM, or in conjunction with a TPM. Although Pluton builds security directly into the CPU, device manufacturers may choose to use discrete TPM as the default TPM, while having Pluton available to the system as a security processor for use cases beyond the TPM. + +Pluton is integrated within the SoC subsystem, and provides a flexible, updatable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. We encourage users owning devices that are Pluton capable, to enable Microsoft Pluton as the default TPM. + +## Enable Microsoft Pluton as TPM + +Devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device. + +UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM. + +> [!WARNING] +> If BitLocker is enabled, We recommend disabling BitLocker before changing the TPM configuration to prevent lockouts. After changing TPM configuration, re-enable BitLocker which will then bind the BitLocker keys with the Pluton TPM. Alternatively, save the BitLocker recovery key onto a USB drive. +> +> Windows Hello must be re-configured after switching the TPM. Setup alternate login methods before changing the TPM configuration to prevent any login issues. + +> [!TIP] +> On most Lenovo devices, entering the UEFI options requires pressing Enter key at startup followed by pressing F1. In the UEFI Setup menu, select Security option, then on the Security page, select Security Chip option, to see the TPM configuration options. Under the drop-down list for Security Chip selection, select **MSFT Pluton** and click F10 to Save and Exit. + +## Related topics + +[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 168c3d7608..382528bfa0 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -31,7 +31,7 @@ Application Guard uses both network isolation and application-specific settings. These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container. > [!NOTE] -> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge. +> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge in managed mode. > [!NOTE] > You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy. @@ -56,15 +56,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| -|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
-|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
-|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
-|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher
Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
-|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 10 Pro, 1803 or higher
Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
-|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
-|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
-|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 10 Pro, 1809 or higher
Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** event logs aren't collected from your Application Guard container.| +|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.
**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.
**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
+|Allow Persistence|Windows 10 Enterprise, 1709 or higher
Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
**Disabled or not configured.** All user data within Application Guard is reset between sessions.
**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
+|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office
**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.
**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
+|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher
Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.
**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher
Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
+|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.
**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher
Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.
**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| +|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher
Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.
**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 92960da468..e02cee6ffc 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,18 +1,15 @@
---
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
+ms.topic: overview
ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
+author: vinaypamnani-msft
+ms.author: vinpa
ms.date: 08/25/2022
-ms.reviewer:
-manager: dansimp
-ms.custom: asr
-ms.technology: windows-sec
+ms.reviewer: sazankha
+manager: aaroncz
---
# System requirements for Microsoft Defender Application Guard
@@ -48,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
Windows 11 Education, Enterprise, and Professional |
+| Operating system | Windows 10 Enterprise edition, version 1809 or later
Windows 10 Professional edition, version 1809 or later
Windows 10 Professional for Workstations edition, version 1809 or later
Windows 10 Professional Education edition, version 1809 or later
Windows 10 Education edition, version 1809 or later
Windows 11 Education, Enterprise, and Professional editions |
| Browser | Microsoft Edge |
| Management system
(only for managed devices)| [Microsoft Intune](/intune/)
**OR**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index d5400d4de7..d8461e69f2 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -1,18 +1,15 @@
---
-title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11)
+title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
+ms.technology: itpro-security
ms.localizationpriority: medium
-author: denisebmsft
-ms.author: deniseb
-ms.reviewer:
-manager: dansimp
-ms.date: 03/14/2022
+author: vinaypamnani-msft
+ms.author: vinpa
+ms.reviewer: sazankha
+manager: aaroncz
+ms.date: 09/23/2022
ms.custom: asr
-ms.technology: windows-sec
---
# Application Guard testing scenarios
@@ -59,7 +56,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
3. Set up the Network Isolation settings in Group Policy:
- a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**.
+ a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
@@ -75,7 +72,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
-5. Click **Enabled**, choose Option **1**, and click **OK**.
+5. Select **Enabled**, choose Option **1**, and select **OK**.
@@ -110,15 +107,14 @@ You have the option to change each of these settings to work with your enterpris
**Applies to:**
-- Windows 10 Enterprise edition, version 1709 or higher
-- Windows 10 Professional edition, version 1803
-- Windows 11
+- Windows 10 Enterprise or Pro editions, version 1803 or later
+- Windows 11 Enterprise or Pro editions
#### Copy and paste options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
@@ -138,25 +134,25 @@ You have the option to change each of these settings to work with your enterpris
- Both text and images can be copied between the host PC and the isolated container.
-5. Click **OK**.
+5. Select **OK**.
#### Print options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard print** settings.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
-4. Click **OK**.
+4. Select **OK**.
#### Data persistence options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
@@ -166,32 +162,33 @@ You have the option to change each of these settings to work with your enterpris
4. Add the site to your **Favorites** list and then close the isolated session.
-5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+5. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your **Favorites** list.
> [!NOTE]
- > If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
+ > Starting with Windows 11, version 22H2, data persistence is disabled by default. If you don't allow or turn off data persistence, restarting a device or signing in and out of the isolated container triggers a recycle event. This action discards all generated data, such as session cookies and Favorites, and removes the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
>
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
>
> **To reset the container, follow these steps:**
1. Open a command-line program and navigate to Windows/System32.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
+ >
+ > _Microsoft Edge version 90 or later no longer supports `RESET_PERSISTENCE_LAYER`._
**Applies to:**
-- Windows 10 Enterprise edition, version 1803
-- Windows 10 Professional edition, version 1803
-- Windows 11
+- Windows 10 Enterprise or Pro editions, version 1803
+- Windows 11 Enterprise or Pro editions, version 21H2. Data persistence is disabled by default in Windows 11, version 22H2 and later.
#### Download options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Microsoft Defender Application Guard.
@@ -201,7 +198,7 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow hardware-accelerated rendering for Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and Select **OK**.
@@ -209,21 +206,15 @@ You have the option to change each of these settings to work with your enterpris
4. Assess the visual experience and battery performance.
-**Applies to:**
-
-- Windows 10 Enterprise edition, version 1809
-- Windows 10 Professional edition, version 1809
-- Windows 11
-
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
-2. Click **Enabled** and click **OK**.
+2. Select **Enabled** and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
@@ -233,11 +224,11 @@ You have the option to change each of these settings to work with your enterpris
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
-2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
+2. Select **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and select **OK**.
-3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
+3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
## Application Guard Extension for third-party web browsers
@@ -245,9 +236,9 @@ The [Application Guard Extension](md-app-guard-browser-extension.md) available f
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
-1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
+1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
-2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
+2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 3f1a94a7ad..59695ee06d 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -2,8 +2,8 @@
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
ms.prod: m365-security
-author: mjcaparas
-ms.author: macapara
+author: dansimp
+ms.author: dansimp
ms.localizationpriority: high
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
new file mode 100644
index 0000000000..6fe565bf48
--- /dev/null
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md
@@ -0,0 +1,101 @@
+---
+title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
+description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
+ms.prod: windows-client
+ms.technology: itpro-security
+author: v-mathavale
+ms.author: v-mathavale
+ms.reviewer: paoloma
+manager: aaroncz
+ms.localizationpriority: medium
+ms.date: 06/21/2022
+adobe-target: true
+appliesto:
+- ✅ Windows 11, version 22H2
+---
+
+# Enhanced Phishing Protection in Microsoft Defender SmartScreen
+
+Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
+
+Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways:
+
+- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account.
+
+- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password.
+
+- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file.
+
+## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
+
+Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are:
+
+- **Anti-phishing support:** Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content.
+
+- **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them.
+
+- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment.
+
+- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, aren't enabled.
+
+## Configure Enhanced Phishing Protection for your organization
+
+Enhanced Phishing Protection can be configured via Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service like Microsoft Intune. Follow the instructions below to configure your devices using either GPO or CSP.
+
+#### [✅ **GPO**](#tab/gpo)
+
+Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings:
+
+|Setting|Description|
+|---------|---------|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+
+#### [✅ **CSP**](#tab/csp)
+
+Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](/windows/client-management/mdm/policy-csp-webthreatdefense).
+
+| Setting | OMA-URI | Data type |
+|-------------------------|---------------------------------------------------------------------------|-----------|
+| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
+| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
+| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
+| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
+
+---
+
+### Recommended settings for your organization
+
+By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
+
+To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
+
+#### [✅ **GPO**](#tab/gpo)
+
+|Group Policy setting|Recommendation|
+|---------|---------|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
+|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
+
+#### [✅ **CSP**](#tab/csp)
+
+|MDM setting|Recommendation|
+|---------|---------|
+|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
+|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
+|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
+|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+
+---
+
+## Related articles
+
+- [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md)
+- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
+- [Threat protection](../index.md)
+- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
+- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index f85611c594..fe15669214 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -49,7 +49,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
- Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true)
```powershell
- New-CIPolicy -MultiplePolicyFormat -ScanPath
- By far the most impactful security trade-off, this trade-off allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+- **Users with administrative access**
+
+ This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+
+ Possible mitigations:
- Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
-- **Unsigned policies**
- Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
- Possible mitigations:
+- **Unsigned policies**
+
+ Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
+
+ Possible mitigations:
+
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device.
-- **Managed installer**
- See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
- Possible mitigations:
+- **Managed installer**
+
+ See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
+
+ Possible mitigations:
+
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Limit who can elevate to administrator on the device.
-- **Intelligent Security Graph (ISG)**
- See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
- Possible mitigations:
- - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
+- **Intelligent Security Graph (ISG)**
+
+ See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-isg-option)
+
+ Possible mitigations:
+
+ - Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **Supplemental policies**
- Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
- Possible mitigations:
+- **Supplemental policies**
+
+ Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
+
+ Possible mitigations:
+
- Use signed WDAC policies that allow authorized signed supplemental policies only.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
-- **FilePath rules**
- See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
- Possible mitigations:
+- **FilePath rules**
+
+ See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
+
+ Possible mitigations:
+
- Limit who can elevate to administrator on the device.
- Migrate from filepath rules to managed installer or signature-based rules.
+- **Signed files**
+
+ Although files that are code-signed verify the author's identity and ensures that the code has not been altered by anyone other than the author, it does not guarantee that the signed code is safe.
+
+ Possible mitigations:
+
+ - Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats.
+
## Up next
- [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 65565ec200..cfea5dc30f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jgeurten
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
@@ -49,7 +49,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
- `PackageInspector.exe Start C:`
+ ```powershell
+ PackageInspector.exe Start C:
+ ```
> [!NOTE]
> Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
@@ -77,13 +79,12 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:.
- `$ExamplePath=$env:userprofile+"\Desktop"`
-
- `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
-
- `$CatDefName=$ExamplePath+"\LOBApp.cdf"`
-
- `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
+ ```powershell
+ $ExamplePath=$env:userprofile+"\Desktop"
+ $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ $CatDefName=$ExamplePath+"\LOBApp.cdf"
+ PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName
+ ```
>[!NOTE]
>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
@@ -125,15 +126,18 @@ To sign the existing catalog file, copy each of the following commands into an e
1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed:
- `$ExamplePath=$env:userprofile+"\Desktop"`
-
- `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
+ ```powershell
+ $ExamplePath=$env:userprofile+"\Desktop"
+ $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ ```
2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
3. Sign the catalog file with Signtool.exe:
- `
-
-> [!Note]
-> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
+> [!NOTE]
+> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that application’s previous, less secure versions.
-Microsoft recommends that you install the latest security updates. The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
+Microsoft recommends that you install the latest security updates. For example, updates help resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. These modules can't be blocked by name or version, and therefore must be blocked by their corresponding hashes.
-For October 2017, we're announcing an update to system.management.automation.dll in which we're revoking older versions by hash values, instead of version rules.
+As of October 2017, system.management.automation.dll is updated to revoke earlier versions by hash values, instead of version rules.
-Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. Beginning with the March 2019 quality update, each version of Windows requires blocking a specific version of the following files:
+Microsoft recommends that you block the following Microsoft-signed applications and PowerShell files by merging the following policy into your existing policy to add these deny rules using the Merge-CIPolicy cmdlet. As of March 2019, each version of Windows requires blocking a specific version of the following files:
- msxml3.dll
- msxml6.dll
@@ -119,10 +113,14 @@ Microsoft recommends that you block the following Microsoft-signed applications
Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
+
+
+
+
+> [!NOTE]
> To create a policy that works on both Windows 10, version 1803 and version 1809, you can create two different policies, or merge them into one broader policy.
## More information
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index 7c16581109..6382926723 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -1,6 +1,6 @@
---
title: Microsoft recommended driver block rules (Windows)
-description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
+description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
keywords: security, malware, kernel mode, driver
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
@@ -20,44 +20,64 @@ manager: dansimp
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
-
-- Hypervisor-protected code integrity (HVCI) enabled devices
-- Windows 10 in S mode (S mode) devices
-
-The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
+Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
- Malicious behaviors (malware) or certificates used to sign malware
- Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
-Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
+Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
+](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
+
+## Microsoft vulnerable driver blocklist
+
+
+
+Microsoft adds the vulnerable versions of the drivers to our vulnerable driver blocklist, which is automatically enabled on devices when any of the listed conditions are met:
+
+| Condition | Windows 10 or 11 | Windows 11 22H2 or later |
+|--|:--:|:--:|
+| Device has [Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) enabled | :heavy_check_mark: | :heavy_check_mark: |
+| Device is in [S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85#WindowsVersion=Windows_11) | :heavy_check_mark: | :heavy_check_mark: |
+| Device has [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) enabled | :x: | :heavy_check_mark: |
+| Clean install of Windows | :x: | :heavy_check_mark: |
+
+> [!NOTE]
+> Microsoft vulnerable driver blocklist can also be enabled using [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2), but the option to disable it is grayed out when HVCI or Smart App Control is enabled, or when the device is in S mode. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can disable Microsoft vulnerable driver blocklist.
+
+## Blocking vulnerable drivers using WDAC
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
+> [!IMPORTANT]
+> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from being loaded, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy prevents the existing driver from being loaded.
+
+Expand this section to see the WDAC policy XML
+
```xml
-> [!Note]
+
+
+
+
+> [!NOTE]
+> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
## More information
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index e1f7559c0d..45ffe31061 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -10,11 +10,11 @@ ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
-author: dansimp
-ms.reviewer: isbrahm
+author: jgeurten
+ms.reviewer: jsuther1974
ms.author: dansimp
manager: dansimp
-ms.date: 06/28/2022
+ms.date: 08/29/2022
ms.technology: windows-sec
---
@@ -22,9 +22,9 @@ ms.technology: windows-sec
**Applies to:**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@@ -70,7 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).Expand this section to see the blocklist WDAC policy XML
+
```xml
+
NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
-| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
+| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| No |
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.
NOTE: This option is only supported on Windows 10, version 1709 and above.| No |
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.
NOTE: This option is only supported on Windows 10, version 1903 and above. | No |
@@ -88,12 +88,12 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions' hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
-| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
+| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
| **RootCertificate** | Currently unsupported. |
@@ -105,9 +105,17 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
> When you create Windows Defender Application Control policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
+>
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
+> [!NOTE]
+> When applicable, minimum and maximum version numbers in a file rule are referenced as MinimumFileVersion and MaximumFileVersion respectively in the policy XML.
+>
+> - Both MinimumFileVersion and MaximumFileVersion specified: For Allow rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are allowed. For Deny rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are denied.
+> - MinimumFileVersion specified without MaximumFileVersion: For Allow rules, file with version **greater than or equal** to the specified version are allowed to run. For Deny rules, file with version **less than or equal** to the specified version are blocked.
+> - MaximumFileVersion specified without MinimumFileVersion: For Allow rules, file with version **less than or equal** to the specified version are allowed to run. For Deny rules, file with version **greater than or equal** to the specified version are blocked.
+
## Example of file rule levels in use
For example, consider an IT professional in a department that runs many servers. They only want to run software signed by the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
@@ -120,6 +128,9 @@ As part of normal operations, they'll eventually install software updates, or pe
Windows Defender Application Control has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these sets exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md).
+> [!NOTE]
+> For others to better understand the WDAC policies that have been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
+
## More information about filepath rules
Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
@@ -139,27 +150,27 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
You can also use the following macros when the exact volume may vary: `%OSDRIVE%`, `%WINDIR%`, `%SYSTEM32%`.
> [!NOTE]
-> For others to better understand the WDAC policies that has been deployed, we recommend maintaining separate ALLOW and DENY policies on Windows 10, version 1903 and later.
+> When authoring WDAC policies with Microsoft Endpoint Configuration Manager (MEMCM), you can instruct MEMCM to create rules for specified files and folders. These rules **aren't** WDAC filepath rules. Rather, MEMCM performs a one-time scan of the specified files and folders and builds rules for any binaries found in those locations at the time of that scan. File changes to those specified files and folders after that scan won't be allowed unless the MEMCM policy is reapplied.
> [!NOTE]
> There is currently a bug where MSIs cannot be allow listed in file path rules. MSIs must be allow listed using other rule types, for example, publisher rules or file attribute rules.
## More information about hashes
-WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
-The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
+The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
During validation, CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
-In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn’t result in a different hash than what was in the policy being used by CI.
+In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn't result in a different hash than what was in the policy being used by CI.
### Why does scan create eight hash rules for certain XML files?
-Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can’t always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
+Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can't always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
## Windows Defender Application Control filename rules
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
index c731e404ee..2f9f3c81b4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
@@ -1,21 +1,15 @@
---
title: Understanding Windows Defender Application Control (WDAC) secure settings
description: Learn about secure settings in Windows Defender Application Control.
-keywords: security, malware
-ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
+ms.prod: windows-client
ms.localizationpriority: medium
-audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
-ms.reviewer: jgeurten
-ms.author: dansimp
-manager: dansimp
+ms.reviewer: vinpa
+ms.author: jogeurte
+manager: aaroncz
ms.date: 10/11/2021
-ms.technology: mde
+ms.technology: itpro-security
---
# Understanding WDAC Policy Settings
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
index 0adc4cb74e..e430a2a554 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md
@@ -30,31 +30,33 @@ ms.technology: windows-sec
Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy.
-Beginning with Windows 10, version 1709, you can set an option to automatically allow applications that the Microsoft Intelligent Security Graph recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the Microsoft Intelligent Security Graph, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services).
+To reduce end-user friction and helpdesk calls, you can set Windows Defender Application Control (WDAC) to automatically allow applications that Microsoft's Intelligent Security Graph (ISG) recognizes as having known good reputation. The ISG option helps organizations begin to implement application control even when the organization has limited control over their app ecosystem. To learn more about the ISG, see the Security section in [Major services and features in Microsoft Graph](/graph/overview-major-services).
-## How does the integration between WDAC and the Intelligent Security Graph work?
+> [!WARNING]
+> Binaries that are critical to boot the system must be allowed using explicit rules in your WDAC policy. Do not rely on the ISG to authorize these files.
+>
+> The ISG option is not the recommended way to allow apps that are business critical. You should always authorize business critical apps using explicit allow rules or by installing them with a [managed installer](/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer).
-The ISG uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good," "known bad," or "unknown" reputation. When a binary runs on a system, with Windows Defender Application Control (WDAC) enabled with the ISG option, WDAC checks the file's reputation, by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) is written to the file.
+## How does WDAC work with the ISG?
-If your WDAC policy doesn't have an explicit rule to allow or deny a binary to run, then WDAC will make a call to the cloud to determine whether the binary is familiar and safe. However, if your policy already authorizes or denies the binary, then WDAC won't make a call to the cloud.
+The ISG isn't a "list" of apps. Rather, it uses the same vast security intelligence and machine learning analytics that power Microsoft Defender SmartScreen and Microsoft Defender Antivirus to help classify applications as having "known good", "known bad", or "unknown" reputation. This cloud-based AI is based on trillions of signals collected from Windows endpoints and other data sources, and processed every 24 hours. As a result, the decision from the cloud can change.
-If the file with good reputation is an application installer, its reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer.
+WDAC only checks the ISG for binaries that aren't explicitly allowed or denied by your policy, and that weren't installed by a managed installer. When such a binary runs on a system with WDAC enabled with the ISG option, WDAC will check the file's reputation by sending its hash and signing information to the cloud. If the ISG reports that the file has a "known good" reputation, then the file will be allowed to run. Otherwise, it will be blocked by WDAC.
-WDAC periodically re-queries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
+If the file with good reputation is an application installer, the installer's reputation will pass along to any files that it writes to disk. This way, all the files needed to install and run an app inherit the positive reputation data from the installer. Files authorized based on the installer's reputation will have the $KERNEL.SMARTLOCKER.ORIGINCLAIM kernel Extended Attribute (EA) written to the file.
->[!NOTE]
->Admins should make sure there is a Windows Defender Application Control policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, such as custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both Microsoft Endpoint Configuration Manager and Microsoft Endpoint Manager Intune can be used to create and push a WDAC policy to your client machines.
+WDAC periodically requeries the reputation data on a file. Additionally, enterprises can specify that any cached reputation results are flushed on reboot by using the **Enabled:Invalidate EAs on Reboot** option.
-## Configuring Intelligent Security Graph authorization for Windows Defender Application Control
+## Configuring ISG authorization for your WDAC policy
-Setting up the ISG is easy using any management solution you wish. Configuring the Microsoft Intelligent Security Graph option involves these basic steps:
+Setting up the ISG is easy using any management solution you wish. Configuring the ISG option involves these basic steps:
-- [Ensure that the Microsoft Intelligent Security Graph option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml)
-- [Enable the necessary services to allow WDAC to use the Microsoft Intelligent Security Graph correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
+- [Ensure that the **Enabled:Intelligent Security Graph authorization** option is set in the WDAC policy XML](#ensure-that-the-isg-option-is-set-in-the-wdac-policy-xml)
+- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client)
-### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML
+### Ensure that the ISG option is set in the WDAC policy XML
-To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the Windows Defender Application Control policy. This step can be done with the Set-RuleOption cmdlet. You should also enable the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options being set.
+To allow apps and binaries based on the Microsoft Intelligent Security Graph, the **Enabled:Intelligent Security Graph authorization** option must be specified in the WDAC policy. This step can be done with the Set-RuleOption cmdlet. You should also set the **Enabled:Invalidate EAs on Reboot** option so that ISG results are verified again after each reboot. The ISG option isn't recommended for devices that don't have regular access to the internet. The following example shows both options set.
```xml
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
Platforms must set up a PS (Platform Supplier) index with:
PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
+|AUX Policy|The required AUX policy must be as follows:
|
+|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
+|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+
+|For AMD® processors starting with Zen2 or later silicon|Description|
+|--------|-----------|
+|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.|
+|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
+|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
+|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
+|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
Platform must have AMD® Memory Guard enabled.|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+
+|For Qualcomm® processors with SD850 or later chipsets|Description|
+|--------|-----------|
+|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
+|Monitor Mode Page Tables|All Monitor Mode page tables must:
|
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|Platform firmware|Platform firmware must carry all code required to launch.|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 5c9e29a065..e3cc007d51 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -72,43 +72,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
> [!NOTE]
-> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
-
-## System requirements for System Guard
-
-|For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description|
-|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs aren't supported, except Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.|
-|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
-|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
-|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|TPM AUX Index|Platform must set up a AUX index with index, attributes, and policy that exactly corresponds to the AUX index specified in the TXT DG with a data size of exactly 104 bytes (for SHA256 AUX data). (NameAlg = SHA256)
Platforms must set up a PS (Platform Supplier) index with:
PS index data DataRevocationCounters, SINITMinVersion, and PolicyControl must all be 0x00 |
-|AUX Policy|The required AUX policy must be as follows:
|
-|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
-|Platform firmware|Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch:
|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-
-|For AMD® processors starting with Zen2 or later silicon|Description|
-|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.|
-|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
-|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
-|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
-|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
Platform must have AMD® Memory Guard enabled.|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
-
-|For Qualcomm® processors with SD850 or later chipsets|Description|
-|--------|-----------|
-|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
-|Monitor Mode Page Tables|All Monitor Mode page tables must:
|
-|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
-|Platform firmware|Platform firmware must carry all code required to launch.|
-|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [System Guard](../windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md), [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
> [!NOTE]
> For more information around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/).
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index e42fab8ddb..5325926107 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -28,13 +28,8 @@ Windows Sandbox has the following properties:
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
- > [!IMPORTANT]
- > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
-
-The following video provides an overview of Windows Sandbox.
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]
-
+> [!IMPORTANT]
+> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
## Prerequisites
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index 5e0c376121..8963229d82 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -54,7 +54,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
| ---- | ----- | --------------------- | -------------- |
-| Windows 11 | [Windows 11](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772)
| October 2021
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| December 2021
May 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 1a2434ffeb..92875c810d 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -25,14 +25,15 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 11 security baseline
-
+ - Windows 11, version 22H2
+ - Windows 11, version 21H2
- Windows 10 security baselines
- - Windows 10 Version 21H2
- - Windows 10 Version 21H1
- - Windows 10 Version 20H2
- - Windows 10 Version 1809
- - Windows 10 Version 1607
- - Windows 10 Version 1507
+ - Windows 10, version 21H2
+ - Windows 10, version 21H1
+ - Windows 10, version 20H2
+ - Windows 10, version 1809
+ - Windows 10, version 1607
+ - Windows 10, version 1507
- Windows Server security baselines
- Windows Server 2022
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
deleted file mode 100644
index 5f30884997..0000000000
--- a/windows/threat-protection/docfx.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg",
- "**/*.gif"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
- "ms.technology": "windows",
- "ms.topic": "article",
- "audience": "ITPro",
- "ms.date": "04/05/2017",
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.win-threat-protection",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "win-threat-protection",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
deleted file mode 100644
index d577905730..0000000000
--- a/windows/update/docfx.json
+++ /dev/null
@@ -1,56 +0,0 @@
-{
- "build": {
- "content": [
- {
- "files": [
- "**/*.md",
- "**/*.yml"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**",
- "README.md",
- "LICENSE",
- "LICENSE-CODE",
- "ThirdPartyNotices"
- ]
- }
- ],
- "resource": [
- {
- "files": [
- "**/*.png",
- "**/*.jpg"
- ],
- "exclude": [
- "**/obj/**",
- "**/includes/**"
- ]
- }
- ],
- "overwrite": [],
- "externalReference": [],
- "globalMetadata": {
- "recommendations": true,
- "_op_documentIdPathDepotMapping": {
- "./": {
- "depot_name": "MSDN.windows-update",
- "folder_relative_path_in_docset": "./"
- }
- },
- "contributors_to_exclude": [
- "rjagiewich",
- "traya1",
- "rmca14",
- "claydetels19",
- "jborsecnik",
- "tiburd",
- "garycentric"
- ]
- },
- "fileMetadata": {},
- "template": [],
- "dest": "windows-update",
- "markdownEngineName": "markdig"
- }
-}
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index dc42004f13..6a59ce9b38 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -11,6 +11,8 @@
href: windows-11-plan.md
- name: Prepare for Windows 11
href: windows-11-prepare.md
+ - name: What's new in Windows 11, version 22H2
+ href: whats-new-windows-11-version-22h2.md
- name: Windows 10
expanded: true
items:
diff --git a/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png b/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png
new file mode 100644
index 0000000000..a68a8d0888
Binary files /dev/null and b/windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png differ
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index d71d316113..f915846669 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -362,7 +362,7 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
### Privacy
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 159845ee44..1067c47c88 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -155,7 +155,7 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
### Accessibility
-"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
+"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
### Privacy
diff --git a/windows/whats-new/whats-new-windows-11-version-22H2.md b/windows/whats-new/whats-new-windows-11-version-22H2.md
new file mode 100644
index 0000000000..0af8ec6113
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-11-version-22H2.md
@@ -0,0 +1,120 @@
+---
+title: What's new in Windows 11, version 22H2 for IT pros
+description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
+manager: dougeby
+ms.prod: w10
+ms.author: mstewart
+author: mestew
+ms.localizationpriority: medium
+ms.topic: article
+ms.collection: highpri
+ms.custom: intro-overview
+---
+
+# What's new in Windows 11, version 22H2
+
+**Applies to**: Windows 11, version 22H2
+
+Windows 11, version 22H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 21H2, the original Windows 11 release version. This article lists the new and updated features IT Pros should know.
+
+Windows 11, version 22H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
+
+- **Windows 11 Pro**: Serviced for 24 months from the release date.
+- **Windows 11 Enterprise**: Serviced for 36 months from the release date.
+
+Windows 11, version 22H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 22H2 update](https://aka.ms/W11/how-to-get-22H2). Review the [Windows 11, version 22H2 Windows IT Pro blog post](https://aka.ms/new-in-22H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
+
+
+To learn more about the status of the update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
+
+## Microsoft Pluton
+
+Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
+
+For more information, see [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor).
+
+## Enhanced Phishing Protection
+
+**Enhanced Phishing Protection** in **Microsoft Defender SmartScreen** helps protect Microsoft school or work passwords against phishing and unsafe usage on websites and in applications. Enhanced Phishing Protection works alongside Windows security protections to help protect Windows 11 work or school sign-in passwords.
+
+For more information, see [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) and [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog.
+
+## Smart App Control
+
+**Smart App Control** adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. **Smart App Control** also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
+
+For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control).
+
+## Credential Guard
+
+Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
+
+For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
+
+## Malicious and vulnerable driver blocking
+
+The vulnerable driver blocklist is automatically enabled on devices for the following two new conditions:
+- When Smart App Control is enabled
+- For clean installs of Windows
+
+For more information, see [recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules#microsoft-vulnerable-driver-blocklist).
+
+## Security hardening and threat protection
+
+Windows 11, version 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
+
+For more information, see [Configuring Additional LSA Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json).
+
+## Personal Data Encryption
+
+Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
+
+PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
+
+For more information, see [Personal Data Encryption](/windows/security/information-protection/personal-data-encryption/overview-pde).
+
+## WebAuthn APIs support ECC
+
+Elliptic-curve cryptography (ECC) is now supported by WebAuthn APIs for Windows 11, version 22H2 clients.
+
+For more information, see [WebAuthn APIs for passwordless authentication on Windows](/windows/security/identity-protection/hello-for-business/webauthn-apis).
+
+## Stickers for Windows 11 SE, version 22H2
+
+Starting in Windows 11 SE, version 22H2, **Stickers** is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
+
+For more information, see [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers).
+
+## Education themes
+
+Starting in Windows 11, version 22H2, you can deploy education themes to your devices. The education themes are designed for students using devices in a school. Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings. Students can choose their own themes, making it feel the device is their own.
+
+For more information, see [Configure education themes for Windows 11](/education/windows/edu-themes).
+
+## Windows Update notifications
+
+
+The following items were added for Windows Update notifications:
+
+- You can now block user notifications for Windows Updates during active hours. This setting is especially useful for educational organizations that want to prevent Windows Update notifications from occurring during class time. For more information, see [Control restart notifications](/windows/deployment/update/waas-restart#control-restart-notifications).
+
+- The organization name now appears in the Windows Update notifications when Windows clients are associated with an Azure Active Directory tenant. For more information, see [Display organization name in Windows Update notifications](/windows/deployment/update/waas-wu-settings#bkmk_display-name).
+
+## Start menu layout
+
+Windows 11, version 22H2 now supports additional CSPs for customizing the start menu layout. These CSPs allow you to hide the app list and disable context menus.
+
+For more information, see [Supported configuration service provider (CSP) policies for Windows 11 Start menu](/windows/configuration/supported-csp-start-menu-layout-windows#existing-windows-csp-policies-that-windows-11-supports).
+
+## Improvements to task manager
+
+- A new command bar was added to each page to give access to common actions
+- Task Manager will automatically match the system wide theme configured in **Windows Settings**
+- Added an efficiency mode that allows you to limit the resource usage of a process
+- Updated the user experience for Task Manager
+
+## Windows accessibility
+
+Windows 11, version 22H2, includes additional improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
+
+For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros).
diff --git a/windows/whats-new/windows-11-overview.md b/windows/whats-new/windows-11-overview.md
index ec5cd6f23f..19c319c011 100644
--- a/windows/whats-new/windows-11-overview.md
+++ b/windows/whats-new/windows-11-overview.md
@@ -2,12 +2,14 @@
title: Windows 11 overview for administrators
description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
-manager: dougeby
-author: aczechowski
-ms.author: aaroncz
-ms.prod: w10
+manager: aaroncz
+author: mestew
+ms.author: mstewart
+ms.prod: windows-client
+ms.date: 09/20/2022
+ms.technology: itpro-fundamentals
ms.localizationpriority: medium
-ms.topic: article
+ms.topic: overview
ms.collection: highpri
ms.custom: intro-overview
---
@@ -100,6 +102,12 @@ For more information on the security features you can configure, manage, and enf
You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu).
+ Starting in Windows 11, version 22H2, you can also activate snap layouts by dragging a window to the top of the screen. The feature is available for both mouse and touch.
+
+ :::image type="content" source="images/windows-11-whats-new/windows-11-22h2-snap-layouts.png" alt-text="In Windows 11, version 22H2, activate snap layouts by dragging a window to the top of the screen.":::
+
+ For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241).
+
- **Start menu**: The Start menu includes some apps that are pinned by default. You can customize the Start menu layout by pinning (and unpinning) the apps you want. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more.
Using policy, you can deploy your customized Start menu layout to devices in your organization. For more information, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11).
diff --git a/windows/whats-new/windows-11-plan.md b/windows/whats-new/windows-11-plan.md
index 6b9654ecf4..2c6b25ecff 100644
--- a/windows/whats-new/windows-11-plan.md
+++ b/windows/whats-new/windows-11-plan.md
@@ -114,4 +114,4 @@ You might already be using App Assure and Test Base in your Windows 10 environme
## Also see
-[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/learn/modules/windows-plan/)
+[Plan to deploy updates for Windows 10 and Microsoft 365 Apps](/training/modules/windows-plan/)
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 84525fe130..7967b76c83 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -103,29 +103,31 @@ If you use Microsoft Endpoint Manager and have onboarded devices to Endpoint ana
## Prepare a pilot deployment
-A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization.
+A pilot deployment is a proof of concept that rolls out an upgrade to a select number of devices in production, before deploying it broadly across the organization.
-At a high level, the tasks involved are:
+At a high level, the tasks involved are:
-1. Assign a group of users or devices to receive the upgrade.
-2. Implement baseline updates.
-3. Implement operational updates.
-4. Validate the deployment process.
-5. Deploy the upgrade to devices.
-6. Test and support the pilot devices.
-7. Determine broad deployment readiness based on the results of the pilot.
+1. Assign a group of users or devices to receive the upgrade.
+2. Implement baseline updates.
+3. Implement operational updates.
+4. Validate the deployment process.
+5. Deploy the upgrade to devices.
+6. Test and support the pilot devices.
+7. Determine broad deployment readiness based on the results of the pilot.
## User readiness
-Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
-- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes.
-- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options.
-- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices.
+Don't overlook the importance of user readiness to deliver an effective, enterprise-wide deployment of Windows 11. Windows 11 has a familiar design, but your users will see several enhancements to the overall user interface. They'll also need to adapt to changes in menus and settings pages. Therefore, consider the following tasks to prepare users and your IT support staff Windows 11:
+
+- Create a communications schedule to ensure that you provide the right message at the right time to the right groups of users, based on when they'll see the changes.
+- Draft concise emails that inform users of what changes they can expect to see. Offer tips on how to use or customize their experience. Include information about support and help desk options.
+- Update help desk manuals with screenshots of the new user interface, the out-of-box experience for new devices, and the upgrade experience for existing devices.
## Learn more
-See the [Stay current with Windows 10 and Microsoft 365 Apps](/learn/paths/m365-stay-current/) learning path on Microsoft Learn.
-- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.
+See the [Stay current with Windows 10 and Microsoft 365 Apps](/training/paths/m365-stay-current/) learning path.
+
+- The learning path was created for Windows 10, but the basic principles and tasks outlined for the plan, prepare, and deploy phases also apply to your deployment of Windows 11.
## See also