From ee9af1d5d48cbf3c3841375295035c661a4d3a88 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 19 Oct 2022 11:53:08 -0700 Subject: [PATCH 01/29] Update to data center locations. --- .../windows-autopatch/references/windows-autopatch-privacy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index a1ada94b72..723aa9a96b 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 05/30/2022 +ms.date: 10/19/2022 ms.prod: w11 ms.technology: windows ms.topic: reference @@ -40,7 +40,7 @@ Processor duties of Windows Autopatch include ensuring appropriate confidentiali ## Windows Autopatch data storage and staff location -Windows Autopatch stores its data in the Azure data centers in the United States. +Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations). Personal data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep personal data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). From 7f1f710a7427f363999f4c61566d3f67643c4a98 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Mon, 31 Oct 2022 14:39:17 -0700 Subject: [PATCH 02/29] Update windows-autopatch-privacy.md Updated data center info as per Harman. --- .../references/windows-autopatch-privacy.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index f98208171e..020de9be1a 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -42,7 +42,10 @@ Processor duties of Windows Autopatch include ensuring appropriate confidentiali Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations). -Personal data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep personal data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). +> [!IMPORTANT] +> + +Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). Windows Autopatch Service Engineering Team is in the United States, India and Romania. @@ -54,9 +57,9 @@ The enhanced diagnostic data setting includes more detailed information about th The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection). -Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' personal data such as chat and browser history, voice, text, or speech data. +Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data. -For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. +For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement. ## Tenant access @@ -107,11 +110,11 @@ Changes to the types of data gathered and where it's stored are considered a mat ## Data subject requests -Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their personal data. +Windows Autopatch follows General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) privacy regulations, which give data subjects specific rights to their data. These rights include: -- Obtaining copies of personal data +- Obtaining copies of data - Requesting corrections to it - Restricting the processing of it - Deleting it @@ -123,7 +126,7 @@ To exercise data subject requests on data collected by the Windows Autopatch cas | Data subject requests | Description | | ------ | ------ | -| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of personal data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin).

Provide the following information: | +| Data from Windows Autopatch support requests | Your IT administrator can request deletion, or extraction of data related support requests by submitting a report request at the [admin center](https://aka.ms/memadmin).

Provide the following information: | For DSRs from other products related to the service, see the following articles: From 35bebf14f40312d3201f233f896d26ef7ad7132f Mon Sep 17 00:00:00 2001 From: Daniel Vazome Date: Mon, 7 Nov 2022 19:59:31 +0200 Subject: [PATCH 03/29] Added missing explanation of the "container" term to hello-faq.yml on the base of retired hello-how-it-works.md. --- .../hello-for-business/hello-faq.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 91cd2ed308..3a044684d8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -63,7 +63,17 @@ sections: answer: | When using Windows Hello for Business, the PIN isn't a symmetric key, whereas the password is a symmetric key. With passwords, there's a server that has some representation of the password. With Windows Hello for Business, the PIN is user-provided entropy used to load the private key in the Trusted Platform Module (TPM). The server doesn't have a copy of the PIN. For that matter, the Windows client doesn't have a copy of the current PIN either. The user must provide the entropy, the TPM-protected key, and the TPM that generated that key in order to successfully access the private key. The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It's about the difference between providing entropy versus continuing the use of a symmetric key (the password). The TPM has anti-hammering features that thwart brute-force PIN attacks (an attacker's continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increase the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature. - + + - question: What's a container? + answer: | + In the context of Windows Hello for Business it is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. + It's important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. + The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. [Each logical container holds one or more sets of keys.](./images/passport-fig3-logicalcontainer.png) + + - question: How to delete Windows Hello for Business container on a device? + answer: | + You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account. Reboot is required. + - question: How does Windows Hello for Business work with Azure AD registered devices? answer: | A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using their exiting gestures. From 4e5db7c46371774ddd85ee909e840f6391eeacab Mon Sep 17 00:00:00 2001 From: Daniel Vazome <46573198+vazome@users.noreply.github.com> Date: Tue, 8 Nov 2022 11:44:56 +0300 Subject: [PATCH 04/29] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 3a044684d8..7203802fbf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -72,7 +72,7 @@ sections: - question: How to delete Windows Hello for Business container on a device? answer: | - You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account. Reboot is required. + You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device. - question: How does Windows Hello for Business work with Azure AD registered devices? answer: | From 2f78d0113e7bba510fd4c1d0b87af39327261530 Mon Sep 17 00:00:00 2001 From: Daniel Vazome <46573198+vazome@users.noreply.github.com> Date: Tue, 8 Nov 2022 11:45:02 +0300 Subject: [PATCH 05/29] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 7203802fbf..4e3090ec6c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -66,7 +66,7 @@ sections: - question: What's a container? answer: | - In the context of Windows Hello for Business it is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. + In the context of Windows Hello for Business, it is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. It's important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. [Each logical container holds one or more sets of keys.](./images/passport-fig3-logicalcontainer.png) From 89a4d90325092f0def9b023569a6dc80daf80286 Mon Sep 17 00:00:00 2001 From: Daniel Vazome <46573198+vazome@users.noreply.github.com> Date: Tue, 8 Nov 2022 11:45:13 +0300 Subject: [PATCH 06/29] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 4e3090ec6c..01e86a2060 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -70,7 +70,7 @@ sections: It's important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. [Each logical container holds one or more sets of keys.](./images/passport-fig3-logicalcontainer.png) - - question: How to delete Windows Hello for Business container on a device? + - question: How do I delete a Windows Hello for Business container on a device? answer: | You can effectively disable Windows Hello for Business by launching `certutil.exe -deleteHelloContainer` on the end device under a user account, and then restarting the device. From 285909f0b4356568221741fc34324835e7c3e4da Mon Sep 17 00:00:00 2001 From: Daniel Vazome <46573198+vazome@users.noreply.github.com> Date: Tue, 8 Nov 2022 11:46:11 +0300 Subject: [PATCH 07/29] Update windows/security/identity-protection/hello-for-business/hello-faq.yml Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 01e86a2060..2838d6030d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -67,7 +67,7 @@ sections: - question: What's a container? answer: | In the context of Windows Hello for Business, it is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. - It's important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. + It's important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials of Windows Hello stores are protected without the creation of actual containers or folders. The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. [Each logical container holds one or more sets of keys.](./images/passport-fig3-logicalcontainer.png) - question: How do I delete a Windows Hello for Business container on a device? From 9dacda0af4aa1017b70097efb7aedc1f3ccf0b98 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Tue, 8 Nov 2022 20:06:42 -0800 Subject: [PATCH 08/29] Update windows-autopatch-privacy.md Updated as per Harman. --- .../windows-autopatch/references/windows-autopatch-privacy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index 7d0ed1720d..deb50e8a52 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -1,7 +1,7 @@ --- title: Privacy description: This article provides details about the data platform and privacy compliance for Autopatch -ms.date: 11/01/2022 +ms.date: 11/08/2022 ms.prod: w11 ms.technology: windows ms.topic: reference @@ -43,7 +43,7 @@ Processor duties of Windows Autopatch include ensuring appropriate confidentiali Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations). > [!IMPORTANT] -> +> Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). From ce71f576613c706ecacd95c78c8d530144d6394e Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Wed, 9 Nov 2022 10:48:47 -0800 Subject: [PATCH 09/29] Fixed bolding issue. --- .../windows-autopatch/references/windows-autopatch-privacy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md index deb50e8a52..4850fddac3 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md @@ -43,7 +43,7 @@ Processor duties of Windows Autopatch include ensuring appropriate confidentiali Windows Autopatch stores its data in the Azure data centers based on your data residency. For more information, see [Microsoft 365 data center locations](/microsoft-365/enterprise/o365-data-locations). > [!IMPORTANT] ->
  • As of November 8, 2022, only **new** Windows Autopatch customers (EU, UK, Africa, Middle East) will have their data live in the European data centers.
  • Existing European Union (EU) Windows Autopatch customers will move from the North American data centers to the European data centers by the end of 2022.
  • If you're an existing Windows Autopatch customer, but **not** part of the European Union, data migration from North America to your respective data residency will occur next year.
+>
  • As of November 8, 2022, only new Windows Autopatch customers (EU, UK, Africa, Middle East) will have their data live in the European data centers.
  • Existing European Union (EU) Windows Autopatch customers will move from the North American data centers to the European data centers by the end of 2022.
  • If you're an existing Windows Autopatch customer, but not part of the European Union, data migration from North America to your respective data residency will occur next year.
Data obtained by Windows Autopatch and other services are required to keep the service operational. If a device is removed from Windows Autopatch, we keep data for a maximum of 30 days. For more information on data retention, see [Data retention, deletion, and destruction in Microsoft 365](/compliance/assurance/assurance-data-retention-deletion-and-destruction-overview). From 09021084a099c991c7197b821b84143fdf3f73db Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 9 Nov 2022 14:57:04 -0500 Subject: [PATCH 10/29] Updates to Windows firewall docs --- windows/client-management/mdm/firewall-csp.md | 2 - .../best-practices-configuring.md | 88 ++++++------------- 2 files changed, 29 insertions(+), 61 deletions(-) diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index f048be039c..ae2d0aca3b 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -25,8 +25,6 @@ The table below shows the applicability of Windows: The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. -The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709. - Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively. For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac). diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md index 7ed3e77df2..eeb43f2414 100644 --- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -3,6 +3,7 @@ title: Best practices for configuring Windows Defender Firewall description: Learn about best practices for configuring Windows Defender Firewall keywords: firewall, best practices, security, network security, network, rules, filters, ms.prod: windows-client +ms.date: 11/09/2022 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -17,22 +18,12 @@ ms.collection: ms.topic: article ms.technology: itpro-security appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows Server 2016 - - ✅ Windows Server 2019 - - ✅ Windows Server 2022 + - ✅ Windows 10 and later + - ✅ Windows Server 2016 and later --- # Best practices for configuring Windows Defender Firewall -**Applies to** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - - Windows Defender Firewall with Advanced Security provides host-based, two-way network traffic filtering and blocks unauthorized network traffic flowing into or out of the local device. Configuring your Windows Firewall based on the @@ -40,8 +31,8 @@ following best practices can help you optimize protection for devices in your network. These recommendations cover a wide range of deployments including home networks and enterprise desktop/server systems. -To open Windows Firewall, go to the **Start** menu, select **Run**, -type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md). +To open Windows Firewall, go to the **Start** menu, select **Run**, +type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./open-windows-firewall-with-advanced-security.md). ## Keep default settings @@ -51,18 +42,14 @@ When you open the Windows Defender Firewall for the first time, you can see the *Figure 1: Windows Defender Firewall* -1. **Domain profile**: Used for networks where there's a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC - -2. **Private profile**: Designed for and best used - in private networks such as a home network - -3. **Public profile**: Designed with higher security in mind - for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, or stores +1. **Domain profile**: Used for networks where there's a system of account authentication against an Active Directory domain controller +1. **Private profile**: Designed for and best used in private networks such as a home network +1. **Public profile**: Designed with higher security in mind for public networks, like Wi-Fi hotspots, coffee shops, airports, hotels, or stores View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**. Maintain the default settings in Windows Defender -Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. +Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. ![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png) @@ -84,27 +71,20 @@ This rule-adding task can be accomplished by right-clicking either **Inbound Rul *Figure 3: Rule Creation Wizard* > [!NOTE] ->This article does not cover step-by-step rule -configuration. See the [Windows Firewall with Advanced Security Deployment -Guide](./windows-firewall-with-advanced-security-deployment-guide.md) -for general guidance on policy creation. +>This article does not cover step-by-step rule configuration. See the [Windows Firewall with Advanced Security Deployment Guide](./windows-firewall-with-advanced-security-deployment-guide.md) for general guidance on policy creation. -In many cases, allowing specific types of inbound traffic will be required for -applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when -allowing these inbound exceptions. +In many cases, allowing specific types of inbound traffic will be required for applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when allowing these inbound exceptions. -1. Explicitly defined allow rules will take precedence over the default block setting. - -2. Explicit block rules will take precedence over any conflicting allow rules. - -3. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) +1. Explicitly defined allow rules will take precedence over the default block setting. +1. Explicit block rules will take precedence over any conflicting allow rules. +1. More specific rules will take precedence over less specific rules, except if there are explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 include an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) Because of 1 and 2, it's important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow. A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This approach avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. -> [!NOTE] -> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. +> [!NOTE] +> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. ## Create rules for new applications before first launch @@ -123,7 +103,6 @@ In either of the scenarios above, once these rules are added they must be delete > [!NOTE] > The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. - ### Known issues with automatic rule creation When designing a set of firewall policies for your network, it's a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. @@ -132,11 +111,9 @@ The absence of these staged rules doesn't necessarily mean that in the end an ap To determine why some applications are blocked from communicating in the network, check for the following instances: -1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. - -2. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes. - -3. Local Policy Merge is disabled, preventing the application or network service from creating local rules. +1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. +1. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes. +1. Local Policy Merge is disabled, preventing the application or network service from creating local rules. Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy. @@ -150,9 +127,9 @@ See also [Checklist: Creating Inbound Firewall Rules](./checklist-creating-inbou Firewall rules can be deployed: -1. Locally using the Firewall snap-in (**WF.msc**) -2. Locally using PowerShell -3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join) +1. Locally using the Firewall snap-in (**WF.msc**) +1. Locally using PowerShell +1. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join) Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles. @@ -163,8 +140,7 @@ The rule-merging settings either allow or prevent local administrators from crea *Figure 5: Rule merging setting* > [!TIP] -> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the -equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. +> In the firewall [configuration service provider](/windows/client-management/mdm/firewall-csp), the equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity. @@ -173,15 +149,12 @@ Management (MDM), or both (for hybrid or co-management environments). [Firewall CSP](/windows/client-management/mdm/firewall-csp) and [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging. -As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. +As a best practice, it's important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes. - - > [!NOTE] -> The use of wildcard patterns, such as *C:\*\\teams.exe* is not -supported in application rules. We currently only support rules created using the full path to the application(s). +> The use of wildcard patterns, such as *C:\*\\teams.exe* is not supported in application rules. We currently only support rules created using the full path to the application(s). ## Know how to use "shields up" mode for active attacks @@ -208,15 +181,12 @@ Once the emergency is over, uncheck the setting to restore regular network traff What follows are a few general guidelines for configuring outbound rules. -- The default configuration of Blocked for Outbound rules can be - considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default. - -- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use. - -- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments). +- The default configuration of Blocked for Outbound rules can be considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default +- It's recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use +- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments) For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](./checklist-creating-outbound-firewall-rules.md). ## Document your changes -When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. +When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. From dcab3d676de6b995ef3c5b90954982aa17178c32 Mon Sep 17 00:00:00 2001 From: vazome Date: Wed, 9 Nov 2022 22:58:53 +0200 Subject: [PATCH 11/29] Changes suggested by @paolomatarazzo --- .../identity-protection/hello-for-business/hello-faq.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 3a044684d8..34cf6b5d48 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -66,9 +66,10 @@ sections: - question: What's a container? answer: | - In the context of Windows Hello for Business it is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. - It's important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. - The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. [Each logical container holds one or more sets of keys.](./images/passport-fig3-logicalcontainer.png) + In the context of Windows Hello for Business, it's shorthand for a logical grouping of key material or data. Windows Hello uses a single container that holds user key material for personal accounts, including key material associated with the user's Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. + The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. + Note that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials of Windows Hello stores, are protected without the creation of actual containers or folders. + The container contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. [Each logical container holds one or more sets of keys.](./images/passport-fig3-logicalcontainer.png) - question: How to delete Windows Hello for Business container on a device? answer: | From d7788cc6e5996d91f88063c8f3a09d7cefb89eda Mon Sep 17 00:00:00 2001 From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com> Date: Wed, 9 Nov 2022 14:06:52 -0800 Subject: [PATCH 12/29] Update windows-11-se-overview.md --- education/windows/windows-11-se-overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 1dcaf9dc8b..532654b733 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -130,6 +130,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Safe Exam Browser | 3.3.2.413 | Win32 | Safe Exam Browser | | Senso.Cloud | 2021.11.15.0 | Win32 | Senso.Cloud | | SuperNova Magnifier & Screen Reader | 21.02 | Win32 | Dolphin Computer Access | +| SuperNova Magnifier & Speech | 21.02 | Win32 | Dolphin Computer Access | | Zoom | 5.9.1 (2581) | Win32 | Zoom | | ZoomText Fusion | 2022.2109.10 | Win32 | Freedom Scientific | | ZoomText Magnifier/Reader | 2022.2109.25 | Win32 | Freedom Scientific | From fa8162338e372f88cf287dd459419a0bf0b2a48a Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Wed, 9 Nov 2022 15:32:18 -0700 Subject: [PATCH 13/29] Update hello-faq.yml Check lines 261-266 for oddities in table formatting. Change small thing to see if issue cited in Acrolinx goes away. https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/738aad2e-d402-42b2-bef4-4fa67b102cc4#CORRECTNESS --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index f223c32852..751ec8d3bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -259,7 +259,7 @@ sections: Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.

| Protocol | Description | - | :---: | :--- | + | :--- | :--- | | [[MS-KPP]: Key Provisioning Protocol](/openspecs/windows_protocols/ms-kpp/25ff7bd8-50e3-4769-af23-bcfd0b4d4567) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | | [[MS-OAPX]: OAuth 2.0 Protocol Extensions](/openspecs/windows_protocols/ms-oapx/7612efd4-f4c8-43c3-aed6-f5c5ce359da2)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and log in hints. | | [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](/openspecs/windows_protocols/ms-oapxbc/2f7d8875-0383-4058-956d-2fb216b44706) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (the OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | From dc7af19c15f782263497997982f3b4079780a57b Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Nov 2022 08:35:39 -0500 Subject: [PATCH 14/29] redirect troubleshoot --- windows/configuration/TOC.yml | 4 +- .../kiosk-additional-reference.md | 2 +- windows/configuration/kiosk-troubleshoot.md | 74 ---- .../start-layout-troubleshoot.md | 329 ------------------ 4 files changed, 3 insertions(+), 406 deletions(-) delete mode 100644 windows/configuration/kiosk-troubleshoot.md delete mode 100644 windows/configuration/start-layout-troubleshoot.md diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index ff2dba8be7..a8f693f75a 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -37,7 +37,7 @@ - name: Use mobile device management (MDM) href: customize-windows-10-start-screens-by-using-mobile-device-management.md - name: Troubleshoot Start menu errors - href: start-layout-troubleshoot.md + href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors.md - name: Changes to Start policies in Windows 10 href: changes-to-start-policies-in-windows-10.md - name: Accessibility settings @@ -89,7 +89,7 @@ - name: Use MDM Bridge WMI Provider to create a Windows client kiosk href: kiosk-mdm-bridge.md - name: Troubleshoot kiosk mode issues - href: kiosk-troubleshoot.md + href: /troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting - name: Configure multi-user and guest devices items: diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 456b4c7a45..64e71445c8 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -32,5 +32,5 @@ Topic | Description [Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. [Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. [Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -[Troubleshoot kiosk mode issues](kiosk-troubleshoot.md) | Tips for troubleshooting multi-app kiosk configuration. +[Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting.md) | Tips for troubleshooting multi-app kiosk configuration. diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md deleted file mode 100644 index 3f7f0c8659..0000000000 --- a/windows/configuration/kiosk-troubleshoot.md +++ /dev/null @@ -1,74 +0,0 @@ ---- -title: Troubleshoot kiosk mode issues (Windows 10/11) -description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues. -ms.reviewer: sybruckm -manager: aaroncz -ms.prod: windows-client -author: lizgt2000 -ms.localizationpriority: medium -ms.author: lizlong -ms.topic: article -ms.technology: itpro-configure ---- - -# Troubleshoot kiosk mode issues - - -**Applies to** - -- Windows 10 -- Windows 11 - -## Single-app kiosk issues - ->[!TIP] ->We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#testing-your-kiosk-in-a-virtual-machine-vm)), set up your kiosk account and configuration, and try to reproduce the problem. - -### Sign-in issues - -1. Verify that User Account Control (UAC) is turned on. -2. Check the Event Viewer logs for sign-in issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. - -### Automatic logon issues - -Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. - -## Multi-app kiosk issues - -> [!NOTE] -> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)] - -### Unexpected results - -For example: -- Start is not launched in full-screen -- Blocked hotkeys are allowed -- Task Manager, Cortana, or Settings can be launched -- Start layout has more apps than expected - -**Troubleshooting steps** - -1. [Verify that the provisioning package is applied successfully](kiosk-validate.md). -2. Verify that the account (config) is mapped to a profile in the configuration XML file. -3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration. -4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. - -![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png) - - -### Automatic logon issues - -Check the Event Viewer logs for auto logon issues under **Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational**. - -### Apps configured in AllowedList are blocked - -1. Ensure the account is mapped to the correct profile and that the apps are specific for that profile. -2. Check the EventViewer logs for Applocker and AppxDeployment (under **Application and Services Logs\Microsoft\Windows**). - - -### Start layout not as expected - -- Make sure the Start layout is authored correctly. Ensure that the attributes **Size**, **Row**, and **Column** are specified for each application and are valid. -- Check if the apps included in the Start layout are installed for the assigned access user. -- Check if the shortcut exists on the target device, if a desktop app is missing on Start. - diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md deleted file mode 100644 index 37416c41fa..0000000000 --- a/windows/configuration/start-layout-troubleshoot.md +++ /dev/null @@ -1,329 +0,0 @@ ---- -title: Troubleshoot Start menu errors -description: Learn how to troubleshoot common Start menu errors in Windows 10. For example, learn to troubleshoot errors related to deployment, crashes, and performance. -ms.prod: windows-client -ms.author: lizlong -author: lizgt2000 -ms.localizationpriority: medium -ms.reviewer: -manager: aaroncz -ms.topic: troubleshooting -ms.technology: itpro-configure ---- - -# Troubleshoot Start menu errors - -> [!div class="nextstepaction"] -> Try our Virtual Agent - It can help you quickly identify and fix common Start menu issues. - -Start failures can be organized into these categories: - -- **Deployment/Install issues** - Easiest to identify but difficult to recover. This failure is consistent and usually permanent. Reset, restore from backup, or rollback to recover. -- **Performance issues** - More common with older hardware, low-powered machines. Symptoms include: High CPU utilization, disk contention, memory resources. This makes Start very slow to respond. Behavior is intermittent depending on available resources. -- **Crashes** - Also easy to identify. Crashes in Shell Experience Host or related can be found in System or Application event logs. This can be a code defect or related to missing or altered permissions to files or registry keys by a program or incorrect security tightening configurations. Determining permissions issues can be time consuming but a [SysInternals tool called Procmon](/sysinternals/downloads/procmon) will show **Access Denied**. The other option is to get a dump of the process when it crashes and depending on comfort level, review the dump in the debugger, or have support review the data. -- **Hangs** - in Shell Experience host or related. These are the hardest issues to identify as there are few events logged, but behavior is typically intermittent or recovers with a reboot. If a background application or service hangs, Start won't have resources to respond in time. Clean boot may help identify if the issue is related to additional software. Procmon is also useful in this scenario. -- **Other issues** - Customization, domain policies, deployment issues. - -## Basic troubleshooting - -When troubleshooting basic Start issues (and for the most part, all other Windows apps), there are a few things to check if they aren't working as expected. For issues where the Start menu or subcomponent isn't working, you can do some quick tests to narrow down where the issue may reside. - -### Check the OS and update version - -- Is the system running the latest Feature and Cumulative Monthly update? -- Did the issue start immediately after an update? Ways to check: - - PowerShell:[System.Environment]::OSVersion.Version - - WinVer from CMD.exe - -### Check if Start is installed - -- If Start fails immediately after a feature update, on thing to check is if the App package failed to install successfully. - -- If Start was working and just fails intermittently, it's likely that Start is installed correctly, but the issue occurs downstream. The way to check for this problem is to look for output from these two PowerShell commands: - - - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost` - - `get-AppXPackage -Name Microsoft.Windows.Cortana` - - :::image type="content" alt-text="Example of output from cmdlets." source="images/start-ts-1.png" lightbox="images/start-ts-1.png"::: - - Failure messages will appear if they aren't installed - -- If Start isn't installed, then the fastest resolution is to revert to a known good configuration. This can be rolling back the update, resetting the PC to defaults (where there's a choice to save to delete user data), or restoring from backup. No method is supported to install Start Appx files. The results are often problematic and unreliable. - -### Check if Start is running - -If either component is failing to start on boot, reviewing the event logs for errors or crashes during boot may pin point the problem. Booting with MSCONFIG and using a selective or diagnostic startup option will eliminate and/or identify possible interference from additional applications. -- `get-process -name shellexperiencehost` -- `get-process -name searchui` - -If it's installed but not running, test booting into safe mode or use MSCONFIG to eliminate third-party or additional drivers and applications. - -### Check whether the system a clean install or upgrade - -- Is this system an upgrade or clean install? - - Run `test-path "$env:windir\panther\miglog.xml"` - - If that file doesn't exist, the system is a clean install. -- Upgrade issues can be found by running `test-path "$env:windir\panther\miglog.xml"` - -### Check if Start is registered or activated - -- Export the following Event log to CSV and do a keyword search in a text editor or spreadsheet: - - Microsoft-Windows-TWinUI/Operational for Microsoft.Windows.ShellExperienceHost or Microsoft.Windows.Cortana - - "Package wasn't found" - - "Invalid value for registry" - - "Element not found" - - "Package couldn't be registered" - -If these events are found, Start isn't activated correctly. Each event will have more detail in the description and should be investigated further. Event messages can vary. - -### Other things to consider - -When did the problem start? - -- Top issues for Start menu failure are triggered - - After an update - - After installation of an application - - After joining a domain or applying a domain policy -- Many of those issues are found to be - - Permission changes on Registry keys or folders - - Start or related component crashes or hangs - - Customization failure - -To narrow down the problem further, it's good to note: - -- What is the install background? - - Was this a deployment, install from media, other - - Using customizations? - - DISM - - Group Policy or MDM - - copyprofile - - Sysprep - - Other - -- Domain-joined - - Group policy settings that restrict access or permissions to folders or registry keys can cause issues with Start performance. - - Some Group Policies intended for Windows 7 or older have been known to cause issues with Start - - Untested Start Menu customizations can cause unexpected behavior by typically not complete Start failures. - -- Is the environment virtualized? - - VMware - - Citrix - - Other - -## Check Event logs that record Start Issues: - -- System Event log -- Application Event log -- Microsoft/Windows/Shell-Core* -- Microsoft/Windows/Apps/ -- Microsoft-Windows-TWinUI* -- Microsoft/Windows/AppReadiness* -- Microsoft/Windows/AppXDeployment* -- Microsoft-Windows-PushNotification-Platform/Operational -- Microsoft-Windows-CoreApplication/Operational -- Microsoft-Windows-ShellCommon-StartLayoutPopulation* -- Microsoft-Windows-CloudStore* - - -- Check for crashes that may be related to Start (explorer.exe, taskbar, and so on) - - Application log event 1000, 1001 - - Check WER reports - - C:\ProgramData\Microsoft\Windows\WER\ReportArchive\ - - C:\ProgramData\Micrt\Windowsosof\WER\ReportQueue\ - -If there is a component of Start that is consistently crashing, capture a dump that can be reviewed by Microsoft Support. - -## Common errors and mitigation - -The following list provides information about common errors you might run into with Start Menu, as well as steps to help you mitigate them. - -### Symptom: Start Menu doesn't respond on Windows 2012 R2, Windows 10, or Windows 2016 - -**Cause**: Background Tasks Infrastructure Service (BrokerInfrastructure) service isn't started. - -**Resolution**: Ensure that Background Tasks Infrastructure Service is set to automatic startup in Services MMC. - -If Background Tasks Infrastructure Service fails to start, verify that the Power Dependency Coordinator Driver (PDC) driver and registry key aren't disabled or deleted. If either are missing, restore from backup or the installation media. - -To verify the PDC Service, run `C:\>sc query pdc` in a command prompt. The results will be similar to the following: - ->SERVICE_NAME: pdc ->TYPE : 1 KERNEL_DRIVER ->STATE : 4 RUNNING -> (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) ->WIN32_EXIT_CODE : 0 (0x0) ->SERVICE_EXIT_CODE : 0 (0x0) ->CHECKPOINT : 0x0 ->WAIT_HINT : 0x0 - -The PDC service uses pdc.sys located in the %WinDir%\system32\drivers. - -The PDC registry key is: -`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdc` -**Description**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-101" -**DisplayName**="@%SystemRoot%\\system32\\drivers\\pdc.sys,-100" -**ErrorControl**=dword:00000003 -**Group**="Boot Bus Extender" -**ImagePath**=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\ - 72,00,69,00,76,00,65,00,72,00,73,00,5c,00,70,00,64,00,63,00,2e,00,73,00,79,\ - 00,73,00,00,00 -**Start**=dword:00000000 -**Type**=dword:00000001 - -In addition to the listed dependencies for the service, Background Tasks Infrastructure Service requires the Power Dependency Coordinator Driver to be loaded. If the PDC doesn't load at boot, Background Tasks Infrastructure Service will fail and affect Start Menu. - -Events for both PDC and Background Tasks Infrastructure Service will be recorded in the event logs. PDC shouldn't be disabled or deleted. BrokerInfrastructure is an automatic service. This Service is required for all these operating Systems as running to have a stable Start Menu. - ->[!NOTE] ->You cannot stop this automatic service when machine is running (C:\windows\system32\svchost.exe -k DcomLaunch -p). - - -### Symptom: After upgrading from 1511 to 1607 versions of Windows, the Group Policy "Remove All Programs list from the Start Menu" may not work - -**Cause**: There was a change in the All Apps list between Windows 10, versions 1511 and 1607. These changes mean the original Group Policy and corresponding registry key no longer apply. - -**Resolution**: This issue was resolved in the June 2017 updates. Update Windows 10, version 1607, to the latest cumulative or feature updates. - ->[!NOTE] ->When the Group Policy is enabled, the desired behavior also needs to be selected. By default, it is set to **None**. - - -### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted - -:::image type="content" alt-text="Screenshots that show download icons on app tiles and missing app tiles." source="images/start-ts-2.png" lightbox="images/start-ts-2.png"::: - -**Cause**: This issue is known. The first-time sign-in experience isn't detected and doesn't trigger the install of some apps. - -**Resolution**: This issue has been fixed for Windows 10, version 1709 in [KB 4089848](https://support.microsoft.com/help/4089848) March 22, 2018—KB4089848 (OS Build 16299.334) - -### Symptom: When attempting to customize Start Menu layout, the customizations don't apply or results aren't expected - -**Cause**: There are two main reasons for this issue: - -- Incorrect format: Editing the xml file incorrectly by adding an extra space or spaces, entering a bad character, or saving in the wrong format. - - To tell if the format is incorrect, check for **Event ID: 22** in the "Applications and Services\Microsoft\Windows\ShellCommon-StartLayoutPopulation\Operational" log. - - Event ID 22 is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. - - When editing the xml file, it should be saved in UTF-8 format. - -- Unexpected information: This occurs when possibly trying to add a tile via an unexpected or undocumented method. - - **Event ID: 64** is logged when the xml is valid but has unexpected values. - - For example: The following error occurred while parsing a layout xml file: The attribute 'LayoutCustomizationRestrictiontype' on the element '{http://schemas.microsoft.com/Start/2014/LayoutModification}DefaultLayoutOverride' is not defined in the DTD/Schema. - -XML files can and should be tested locally on a Hyper-V or other virtual machine before deployment or application by Group Policy - -### Symptom: Start menu no longer works after a PC is refreshed using F12 during startup - -**Description**: If a user is having problems with a PC, it can be refreshed, reset, or restored. Refreshing the PC is a beneficial option because it maintains personal files and settings. When users have trouble starting the PC, "Change PC settings" in Settings is not accessible. So, to access the System Refresh, users may use the F12 key at startup. Refreshing the PC finishes, but Start Menu is not accessible. - -**Cause**: This issue is known and was resolved in a cumulative update released August 30, 2018. - -**Resolution**: Install corrective updates; a fix is included in the [September 11, 2018-KB4457142 release](https://support.microsoft.com/help/4457142). - -### Symptom: The All Apps list is missing from Start menu - -**Cause**: “Remove All Programs list from the Start menu" Group Policy is enabled. - -**Resolution**: Disable the “Remove All Programs list from the Start menu" Group Policy. - -### Symptom: Tiles are missing from the Start Menu when using Windows 10, version 1703 or older, Windows Server 2016, and Roaming User Profiles with a Start layout - -**Description**: There are two different Start Menu issues in Windows 10: -- Administrator configured tiles in the start layout fail to roam. -- User-initiated changes to the start layout are not roamed. - -Specifically, behaviors include -- Applications (apps or icons) pinned to the start menu are missing. -- Entire tile window disappears. -- The start button fails to respond. -- If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing. - - -![Example of a working layout.](images/start-ts-3.png) - -*Working layout on first sign-in of a new roaming user profile* - -![Example of a failing layout.](images/start-ts-4.png) - -*Failing layout on subsequent sign-ins* - - -**Cause**: A timing issue exists where the Start Menu is ready before the data is pulled locally from the Roaming User Profile. The issue does not occur on first logons of a new roaming user, as the code path is different and slower. - -**Resolution**: This issue has been resolved in Windows 10, versions 1703 and 1607, cumulative updates [as of March 2017](https://support.microsoft.com/help/4013429). - - -### Symptom: Start Menu layout customizations are lost after upgrading to Windows 10, version 1703 - -**Description**: - -Before the upgrade: - - ![Example of Start screen with customizations applied.](images/start-ts-5.jpg) - -After the upgrade the user pinned tiles are missing: - - ![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png) - -Additionally, users may see blank tiles if sign-in was attempted without network connectivity. - - ![Example of blank tiles.](images/start-ts-7.png) - - -**Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676). - -### Symptom: Tiles are missing after upgrade from Windows 10, version 1607 to version 1709 for users with Roaming User Profiles (RUP) enabled and managed Start Menu layout with partial lockdown - -**Resolution** The April 2018 LCU must be applied to Windows 10, version 1709 before a user logs on. - -### Symptom: Start Menu and/or Taskbar layout customizations are not applied if CopyProfile option is used in an answer file during Sysprep - -**Resolution**: CopyProfile is no longer supported when attempting to customize Start Menu or taskbar with a layoutmodification.xml. - -### Symptom: Start Menu issues with Tile Data Layer corruption - -**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database. (The feature was deprecated in [Windows 10 1703](/windows/deployment/planning/windows-10-removed-features).) - -**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed. - -1. The App or Apps work fine when you select the tiles. -2. The tiles are blank, have a generic placeholder icon, have the wrong or strange title information. -3. The app is missing, but listed as installed via PowerShell and works if you launch via URI. - - Example: `windows-feedback://` -4. In some cases, Start can be blank, and Action Center and Cortana do not launch. - ->[!Note] ->Corruption recovery removes any manual pins from Start. Apps should still be visible, but you’ll need to re-pin any secondary tiles and/or pin app tiles to the main Start view. Aps that you have installed that are completely missing from “all apps” is unexpected, however. That implies the re-registration didn’t work. - -Open a command prompt, and run the following command: - -```console -C:\Windows\System32\tdlrecover.exe -reregister -resetlayout -resetcache -``` - -Although a reboot is not required, it may help clear up any residual issues after the command is run. - -### Symptoms: Start Menu and Apps cannot start after upgrade to Windows 10 version 1809 when Symantec Endpoint Protection is installed - -**Description**: Start menu, Search, and Apps do not start after you upgrade a computer running Windows 7 that has Symantec Endpoint Protection installed to Windows 10 version 1809. - -**Cause**: This problem occurs because of a failure to load sysfer.dll. During upgrade, the setup process does not set the privilege group "All Application Packages" on sysfer.dll and other Symantec modules. - -**Resolution** This issue was fixed by the Windows Cumulative Update that were released on December 5, 2018—KB4469342 (OS Build 17763.168). - -If you have already encountered this issue, use one of the following two options to fix the issue: - -**Option 1** Remove sysfer.dll from system32 folder and copy it back. Windows will set privilege automatically. - -**Option 2** - -1. Locate the directory C:\Windows\system32. - -2. Right-click on sysfer.dll and choose **Properties**. - -3. Switch to the **Security** tab. - -4. Confirm that **All Application Packages** group is missing. - -5. Select **Edit**, and then select **Add** to add the group. - -6. Test Start and other Apps. From b4adb02061141145bd50edecc541096c83a44b60 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Nov 2022 08:43:39 -0500 Subject: [PATCH 15/29] fix reference --- windows/configuration/kiosk-prepare.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 8213f557da..350d88e8a6 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -206,7 +206,7 @@ For a more secure kiosk experience, we recommend that you make the following con ## Enable logging -Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. +Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. :::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: From f05acc8d16f3fea39ff3a1f3edba7ffb7c699dd9 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 10 Nov 2022 10:28:10 -0500 Subject: [PATCH 16/29] Metadata updates --- education/windows/autopilot-reset.md | 7 ++++--- education/windows/change-home-to-edu.md | 3 +-- education/windows/change-to-pro-education.md | 7 ++++--- education/windows/chromebook-migration-guide.md | 2 +- education/windows/configure-windows-for-education.md | 2 +- .../windows/deploy-windows-10-in-a-school-district.md | 2 +- education/windows/deploy-windows-10-in-a-school.md | 2 +- education/windows/deploy-windows-10-overview.md | 2 +- education/windows/edu-deployment-recommendations.md | 2 +- education/windows/edu-stickers.md | 7 ++++--- education/windows/edu-take-a-test-kiosk-mode.md | 4 +--- education/windows/edu-themes.md | 3 +-- .../windows/education-scenarios-store-for-business.md | 4 +--- education/windows/enable-s-mode-on-surface-go-devices.md | 2 +- education/windows/federated-sign-in.md | 4 ++-- education/windows/get-minecraft-for-education.md | 9 ++++----- education/windows/s-mode-switch-to-edu.md | 2 +- education/windows/school-get-minecraft.md | 7 ++++--- education/windows/set-up-school-pcs-azure-ad-join.md | 2 +- .../windows/set-up-school-pcs-provisioning-package.md | 2 +- education/windows/set-up-school-pcs-technical.md | 2 +- education/windows/set-up-school-pcs-whats-new.md | 3 +-- education/windows/set-up-students-pcs-to-join-domain.md | 2 +- education/windows/set-up-students-pcs-with-apps.md | 2 +- education/windows/set-up-windows-10.md | 2 +- education/windows/take-a-test-app-technical.md | 4 +--- education/windows/take-tests-in-windows.md | 4 +--- education/windows/teacher-get-minecraft.md | 9 ++++----- education/windows/test-windows10s-for-edu.md | 7 ++++--- .../tutorial-school-deployment/configure-device-apps.md | 4 +--- .../configure-device-settings.md | 4 +--- .../configure-devices-overview.md | 4 +--- .../windows/tutorial-school-deployment/enroll-aadj.md | 4 +--- .../tutorial-school-deployment/enroll-autopilot.md | 4 +--- .../tutorial-school-deployment/enroll-overview.md | 4 +--- .../windows/tutorial-school-deployment/enroll-package.md | 4 +--- .../tutorial-school-deployment/manage-overview.md | 6 ++---- .../tutorial-school-deployment/manage-surface-devices.md | 4 ++-- .../windows/tutorial-school-deployment/reset-wipe.md | 4 +--- .../tutorial-school-deployment/troubleshoot-overview.md | 4 +--- education/windows/use-set-up-school-pcs-app.md | 2 +- education/windows/windows-11-se-overview.md | 7 ++++--- education/windows/windows-11-se-settings-list.md | 2 +- .../windows/windows-editions-for-education-customers.md | 2 +- 44 files changed, 71 insertions(+), 98 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index b261f4a4e9..ef0d5e186c 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -3,10 +3,11 @@ title: Reset devices with Autopilot Reset description: Learn about Autopilot Reset and how to enable and use it. ms.date: 08/10/2022 ms.topic: how-to -appliesto: - - ✅ Windows 10 -ms.collection: +appliesto: + - ✅ Windows 10" +ms.collection: - highpri + - education --- # Reset devices with Autopilot Reset diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index d6aa215ab3..1826ecd768 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -8,8 +8,7 @@ ms.author: scbree ms.reviewer: paoloma manager: jeffbu appliesto: -- ✅ Windows 10 -- ✅ Windows 11 + - ✅ Windows 10 and later --- # Upgrade Windows Home to Windows Education on student-owned devices diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index 5deee8e80f..76f00168ee 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -3,10 +3,11 @@ title: Change to Windows 10 Education from Windows 10 Pro description: Learn how IT Pros can opt into changing to Windows 10 Pro Education from Windows 10 Pro. ms.topic: how-to ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 -ms.collection: +appliesto: + - ✅ Windows 10" +ms.collection: - highpri + - education --- # Change to Windows 10 Pro Education from Windows 10 Pro diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md index 0c08e17617..05c7db8963 100644 --- a/education/windows/chromebook-migration-guide.md +++ b/education/windows/chromebook-migration-guide.md @@ -4,7 +4,7 @@ description: Learn how to migrate a Google Chromebook-based learning environment ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Chromebook migration guide diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md index 6ef47f7153..587d279c84 100644 --- a/education/windows/configure-windows-for-education.md +++ b/education/windows/configure-windows-for-education.md @@ -4,7 +4,7 @@ description: Learn how to configure the OS diagnostic data, consumer experiences ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Windows 10 configuration recommendations for education customers diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md index 6d13cc8c9d..4935d37ed7 100644 --- a/education/windows/deploy-windows-10-in-a-school-district.md +++ b/education/windows/deploy-windows-10-in-a-school-district.md @@ -4,7 +4,7 @@ description: Learn how to deploy Windows 10 in a school district. Integrate the ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Deploy Windows 10 in a school district diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index cb598bc6fd..1655458c44 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -4,7 +4,7 @@ description: Learn how to integrate your school environment with Microsoft Offic ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Deploy Windows 10 in a school diff --git a/education/windows/deploy-windows-10-overview.md b/education/windows/deploy-windows-10-overview.md index 8b772d160c..96d9d002e0 100644 --- a/education/windows/deploy-windows-10-overview.md +++ b/education/windows/deploy-windows-10-overview.md @@ -4,7 +4,7 @@ description: Learn how to use Windows 10 in schools. ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Windows 10 for Education diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md index 983f31ed85..17302ec0a3 100644 --- a/education/windows/edu-deployment-recommendations.md +++ b/education/windows/edu-deployment-recommendations.md @@ -4,7 +4,7 @@ description: Provides guidance on ways to customize the OS privacy settings, and ms.topic: guide ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Deployment recommendations for school IT administrators diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 0c40174ed0..2595b618f0 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -3,10 +3,11 @@ title: Configure Stickers for Windows 11 SE description: Learn about the Stickers feature and how to configure it via Intune and provisioning package. ms.date: 09/15/2022 ms.topic: how-to -appliesto: - - ✅ Windows 11 SE, version 22H2 -ms.collection: +appliesto: + - ✅ Windows 11 SE" +ms.collection: - highpri + - education --- # Configure Stickers for Windows 11 SE diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md index a3d8944c42..85ce5efe26 100644 --- a/education/windows/edu-take-a-test-kiosk-mode.md +++ b/education/windows/edu-take-a-test-kiosk-mode.md @@ -4,9 +4,7 @@ description: Learn how to configure Windows to execute the Take a Test app in ki ms.date: 09/30/2022 ms.topic: how-to appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Configure Take a Test in kiosk mode diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md index a477121ca5..1d00d1e8a9 100644 --- a/education/windows/edu-themes.md +++ b/education/windows/edu-themes.md @@ -4,8 +4,7 @@ description: Learn about education themes for Windows 11 and how to configure th ms.date: 09/15/2022 ms.topic: how-to appliesto: -- ✅ Windows 11, version 22H2 -- ✅ Windows 11 SE, version 22H2 + - ✅ Windows 11 --- # Configure education themes for Windows 11 diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md index cf50d7cf3e..1a86e4e1c4 100644 --- a/education/windows/education-scenarios-store-for-business.md +++ b/education/windows/education-scenarios-store-for-business.md @@ -4,9 +4,7 @@ description: Learn how IT admins and teachers can use Microsoft Store for Educat ms.topic: article ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Working with Microsoft Store for Education diff --git a/education/windows/enable-s-mode-on-surface-go-devices.md b/education/windows/enable-s-mode-on-surface-go-devices.md index 39f39952b6..6fa45fd3e7 100644 --- a/education/windows/enable-s-mode-on-surface-go-devices.md +++ b/education/windows/enable-s-mode-on-surface-go-devices.md @@ -4,7 +4,7 @@ description: Learn how to enable S mode on Surface Go devices. ms.date: 08/10/2022 ms.topic: how-to appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Surface Go for Education - Enabling S mode diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 0f769a31e1..8159e325ab 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -8,11 +8,11 @@ ms.topic: how-to ms.localizationpriority: medium author: paolomatarazzo ms.author: paoloma -ms.reviewer: +ms.reviewer: manager: aaroncz ms.collection: education appliesto: -- ✅ Windows 11 SE, version 22H2 + - ✅ Windows 11 SE --- diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 3bd2273634..7130259b1a 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -3,12 +3,11 @@ title: Get Minecraft Education Edition description: Learn how to get and distribute Minecraft Education Edition. ms.topic: how-to ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows 11 SE -ms.collection: +appliesto: + - ✅ Windows 10 and later" +ms.collection: - highpri + - education --- # Get Minecraft: Education Edition diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index 612de4cf4c..fafc2716c8 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -4,7 +4,7 @@ description: Learn how to switch out of Windows 10 Pro in S mode to Windows 10 P ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 9ff9ce8dcd..8e26d1acea 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -3,10 +3,11 @@ title: For IT administrators get Minecraft Education Edition description: Learn how IT admins can get and distribute Minecraft in their schools. ms.topic: how-to ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 -ms.collection: +appliesto: + - ✅ Windows 10" +ms.collection: - highpri + - education --- # For IT administrators - get Minecraft: Education Edition diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md index 6eba776f7d..8ba0185e3d 100644 --- a/education/windows/set-up-school-pcs-azure-ad-join.md +++ b/education/windows/set-up-school-pcs-azure-ad-join.md @@ -4,7 +4,7 @@ description: Learn how Azure AD Join is configured in the Set up School PCs app. ms.topic: article ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Azure AD Join for school PCs diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index ffee7c5880..58b9ae8063 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -4,7 +4,7 @@ description: List of the provisioning package settings that are configured in th ms.date: 08/10/2022 ms.topic: reference appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # What's in my provisioning package? diff --git a/education/windows/set-up-school-pcs-technical.md b/education/windows/set-up-school-pcs-technical.md index 9f2ecc9d8e..28907160cb 100644 --- a/education/windows/set-up-school-pcs-technical.md +++ b/education/windows/set-up-school-pcs-technical.md @@ -4,7 +4,7 @@ description: Describes the purpose of the Set up School PCs app for Windows 10 d ms.topic: conceptual ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # What is Set up School PCs? diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index c36b901f8f..2b46d073f5 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -4,8 +4,7 @@ description: Find out about app updates and new features in Set up School PCs. ms.topic: whats-new ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 -- ✅ Windows 11 + - ✅ Windows 10 and later --- # What's new in Set up School PCs diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md index 16f670b6fa..91f2ad28d1 100644 --- a/education/windows/set-up-students-pcs-to-join-domain.md +++ b/education/windows/set-up-students-pcs-to-join-domain.md @@ -4,7 +4,7 @@ description: Learn how to use Windows Configuration Designer to provision studen ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Set up student PCs to join domain diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md index 679bb7206f..cf16da56b2 100644 --- a/education/windows/set-up-students-pcs-with-apps.md +++ b/education/windows/set-up-students-pcs-with-apps.md @@ -4,7 +4,7 @@ description: Learn how to use Windows Configuration Designer to easily provision ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Provision student PCs with apps diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index c137703898..61f6b28d77 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -4,7 +4,7 @@ description: Decide which option for setting up Windows 10 is right for you. ms.topic: article ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Set up Windows devices for education diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md index 9b5498d558..daab02821c 100644 --- a/education/windows/take-a-test-app-technical.md +++ b/education/windows/take-a-test-app-technical.md @@ -4,9 +4,7 @@ description: List of policies and settings applied by the Take a Test app. ms.date: 09/30/2022 ms.topic: reference appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Take a Test app technical reference diff --git a/education/windows/take-tests-in-windows.md b/education/windows/take-tests-in-windows.md index 68472404be..1eea480188 100644 --- a/education/windows/take-tests-in-windows.md +++ b/education/windows/take-tests-in-windows.md @@ -4,9 +4,7 @@ description: Learn about the built-in Take a Test app for Windows and how to use ms.date: 09/30/2022 ms.topic: conceptual appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Take tests and assessments in Windows diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index ee529257c0..685a738970 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -3,12 +3,11 @@ title: For teachers get Minecraft Education Edition description: Learn how teachers can obtain and distribute Minecraft. ms.topic: how-to ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 - - ✅ Windows 11 - - ✅ Windows 11 SE -ms.collection: +appliesto: + - ✅ Windows 10 and later" +ms.collection: - highpri + - education --- # For teachers - get Minecraft: Education Edition diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index acc6aeb868..a1a41bcf5e 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -3,10 +3,11 @@ title: Test Windows 10 in S mode on existing Windows 10 education devices description: Provides guidance on downloading and testing Windows 10 in S mode for existing Windows 10 education devices. ms.topic: guide ms.date: 08/10/2022 -appliesto: - - ✅ Windows 10 -ms.collection: +appliesto: + - ✅ Windows 10" +ms.collection: - highpri + - education --- # Test Windows 10 in S mode on existing Windows 10 education devices diff --git a/education/windows/tutorial-school-deployment/configure-device-apps.md b/education/windows/tutorial-school-deployment/configure-device-apps.md index 694a87c643..89eb913446 100644 --- a/education/windows/tutorial-school-deployment/configure-device-apps.md +++ b/education/windows/tutorial-school-deployment/configure-device-apps.md @@ -4,9 +4,7 @@ description: Learn how to configure applications with Microsoft Intune in prepar ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Configure applications with Microsoft Intune diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md index d2f56961ab..f70081a995 100644 --- a/education/windows/tutorial-school-deployment/configure-device-settings.md +++ b/education/windows/tutorial-school-deployment/configure-device-settings.md @@ -4,9 +4,7 @@ description: Learn how to configure policies with Microsoft Intune in preparatio ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Configure and secure devices with Microsoft Intune diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md index 32b237ce5a..60bc205647 100644 --- a/education/windows/tutorial-school-deployment/configure-devices-overview.md +++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md @@ -4,9 +4,7 @@ description: Learn how to configure policies and applications in preparation for ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Configure settings and applications with Microsoft Intune diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-aadj.md index 829124e264..ddcb5d2bb8 100644 --- a/education/windows/tutorial-school-deployment/enroll-aadj.md +++ b/education/windows/tutorial-school-deployment/enroll-aadj.md @@ -4,9 +4,7 @@ description: Learn how to join devices to Azure AD from OOBE and automatically g ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Automatic Intune enrollment via Azure AD join diff --git a/education/windows/tutorial-school-deployment/enroll-autopilot.md b/education/windows/tutorial-school-deployment/enroll-autopilot.md index 85c838b402..01394b420a 100644 --- a/education/windows/tutorial-school-deployment/enroll-autopilot.md +++ b/education/windows/tutorial-school-deployment/enroll-autopilot.md @@ -4,9 +4,7 @@ description: Learn how to join Azure AD and enroll in Intune using Windows Autop ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Windows Autopilot diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md index 52fb94bc7a..d816ed1b94 100644 --- a/education/windows/tutorial-school-deployment/enroll-overview.md +++ b/education/windows/tutorial-school-deployment/enroll-overview.md @@ -4,9 +4,7 @@ description: Learn about the different options to enroll Windows devices in Micr ms.date: 08/31/2022 ms.topic: overview appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Device enrollment overview diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md index 2021ec3ff0..9f96234636 100644 --- a/education/windows/tutorial-school-deployment/enroll-package.md +++ b/education/windows/tutorial-school-deployment/enroll-package.md @@ -4,9 +4,7 @@ description: Learn about how to enroll Windows devices with provisioning package ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Enrollment with provisioning packages diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md index db77a8606f..00559d4384 100644 --- a/education/windows/tutorial-school-deployment/manage-overview.md +++ b/education/windows/tutorial-school-deployment/manage-overview.md @@ -1,12 +1,10 @@ --- title: Manage devices with Microsoft Intune -description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. +description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting. ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Manage devices with Microsoft Intune diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md index 7b888d8adb..42dfe281d0 100644 --- a/education/windows/tutorial-school-deployment/manage-surface-devices.md +++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md @@ -3,8 +3,8 @@ title: Management functionalities for Surface devices description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal. ms.date: 08/31/2022 ms.topic: tutorial -appliesto: -- ✅ Surface devices +appliesto: + - [✅ Surface devices] --- # Management functionalities for Surface devices diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md index 7a404f7ecf..b9a1f80094 100644 --- a/education/windows/tutorial-school-deployment/reset-wipe.md +++ b/education/windows/tutorial-school-deployment/reset-wipe.md @@ -4,9 +4,7 @@ description: Learn about the reset and wipe options for Windows devices using In ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Device reset options diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md index 1bf462b5f7..dd9817a5b9 100644 --- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md +++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md @@ -4,9 +4,7 @@ description: Learn how to troubleshoot Windows devices from Intune and contact M ms.date: 08/31/2022 ms.topic: tutorial appliesto: -- ✅ Windows 10 -- ✅ Windows 11 -- ✅ Windows 11 SE + - ✅ Windows 10 and later --- # Troubleshoot Windows devices diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index c54a5ce446..05dbf61f4b 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -4,7 +4,7 @@ description: Learn how to use the Set up School PCs app and apply the provisioni ms.topic: how-to ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Use the Set up School PCs app diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 532654b733..2795af6de3 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -3,10 +3,11 @@ title: Windows 11 SE Overview description: Learn about Windows 11 SE, and the apps that are included with the operating system. ms.topic: article ms.date: 09/12/2022 -appliesto: - - ✅ Windows 11 SE -ms.collection: +appliesto: + - ✅ Windows 11 SE" +ms.collection: - highpri + - education --- # Windows 11 SE Overview diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index 7cd1a683ce..774fca45dd 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -4,7 +4,7 @@ description: Windows 11 SE automatically configures settings in the operating sy ms.topic: article ms.date: 09/12/2022 appliesto: -- ✅ Windows 11 SE + - ✅ Windows 11 SE --- # Windows 11 SE for Education settings list diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index 90b399237d..f933dc3465 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md @@ -4,7 +4,7 @@ description: Learn about the two Windows 10 editions that are designed for the n ms.topic: article ms.date: 08/10/2022 appliesto: -- ✅ Windows 10 + - ✅ Windows 10 --- # Windows 10 editions for education customers From ad3dd22648591dd60d75abbf47ea59169ebbfc7c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 10 Nov 2022 10:44:05 -0500 Subject: [PATCH 17/29] updates --- education/windows/autopilot-reset.md | 2 +- education/windows/change-to-pro-education.md | 2 +- education/windows/edu-stickers.md | 2 +- education/windows/get-minecraft-for-education.md | 2 +- education/windows/school-get-minecraft.md | 2 +- education/windows/teacher-get-minecraft.md | 2 +- education/windows/test-windows10s-for-edu.md | 2 +- education/windows/tutorial-school-deployment/index.md | 2 ++ .../tutorial-school-deployment/manage-surface-devices.md | 2 +- education/windows/windows-11-se-overview.md | 2 +- 10 files changed, 11 insertions(+), 9 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index ef0d5e186c..0901d32b40 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -4,7 +4,7 @@ description: Learn about Autopilot Reset and how to enable and use it. ms.date: 08/10/2022 ms.topic: how-to appliesto: - - ✅ Windows 10" + - ✅ Windows 10 ms.collection: - highpri - education diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index 76f00168ee..f377a4582c 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -4,7 +4,7 @@ description: Learn how IT Pros can opt into changing to Windows 10 Pro Education ms.topic: how-to ms.date: 08/10/2022 appliesto: - - ✅ Windows 10" + - ✅ Windows 10 ms.collection: - highpri - education diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 2595b618f0..e7bf34ce22 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -4,7 +4,7 @@ description: Learn about the Stickers feature and how to configure it via Intune ms.date: 09/15/2022 ms.topic: how-to appliesto: - - ✅ Windows 11 SE" + - ✅ Windows 11 SE ms.collection: - highpri - education diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 7130259b1a..903d8182e3 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -4,7 +4,7 @@ description: Learn how to get and distribute Minecraft Education Edition. ms.topic: how-to ms.date: 08/10/2022 appliesto: - - ✅ Windows 10 and later" + - ✅ Windows 10 and later ms.collection: - highpri - education diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index 8e26d1acea..fca31b0f6b 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -4,7 +4,7 @@ description: Learn how IT admins can get and distribute Minecraft in their schoo ms.topic: how-to ms.date: 08/10/2022 appliesto: - - ✅ Windows 10" + - ✅ Windows 10 ms.collection: - highpri - education diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index 685a738970..df19ac8729 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -4,7 +4,7 @@ description: Learn how teachers can obtain and distribute Minecraft. ms.topic: how-to ms.date: 08/10/2022 appliesto: - - ✅ Windows 10 and later" + - ✅ Windows 10 and later ms.collection: - highpri - education diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index a1a41bcf5e..09f9301130 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -4,7 +4,7 @@ description: Provides guidance on downloading and testing Windows 10 in S mode f ms.topic: guide ms.date: 08/10/2022 appliesto: - - ✅ Windows 10" + - ✅ Windows 10 ms.collection: - highpri - education diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md index 14f76929f4..98574366e1 100644 --- a/education/windows/tutorial-school-deployment/index.md +++ b/education/windows/tutorial-school-deployment/index.md @@ -3,6 +3,8 @@ title: Introduction to the tutorial deploy and manage Windows devices in a schoo description: Introduction to deployment and management of Windows devices in education environments. ms.date: 08/31/2022 ms.topic: conceptual +appliesto: + - ✅ Windows 10 and later --- # Tutorial: deploy and manage Windows devices in a school diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md index 42dfe281d0..e374fd8f7d 100644 --- a/education/windows/tutorial-school-deployment/manage-surface-devices.md +++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md @@ -4,7 +4,7 @@ description: Learn about the management capabilities offered to Surface devices, ms.date: 08/31/2022 ms.topic: tutorial appliesto: - - [✅ Surface devices] + - ✅ Surface devices --- # Management functionalities for Surface devices diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 2795af6de3..4a7f0897d8 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -4,7 +4,7 @@ description: Learn about Windows 11 SE, and the apps that are included with the ms.topic: article ms.date: 09/12/2022 appliesto: - - ✅ Windows 11 SE" + - ✅ Windows 11 SE ms.collection: - highpri - education From 8eb589f2afb580e9ebffd4e8ea9ca7497a16c654 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Nov 2022 11:53:07 -0500 Subject: [PATCH 18/29] fix link --- .openpublishing.redirection.json | 12 +++++++++++- windows/configuration/kiosk-additional-reference.md | 3 +-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index ad456cabb0..c1588e64bc 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -20154,6 +20154,16 @@ "source_path": "windows/deployment/update/update-compliance-v2-workbook.md", "redirect_url": "/windows/deployment/update/wufb-reports-workbook", "redirect_document_id": false - } + }, + { + "source_path": "windows/configuration/kiosk-troubleshoot.md", + "redirect_url": "/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting", + "redirect_document_id": false + }, + { + "source_path": "windows/configuration/start-layout-troubleshoot.md", + "redirect_url": "/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors", + "redirect_document_id": false + } ] } \ No newline at end of file diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 64e71445c8..fd0756d5ca 100644 --- a/windows/configuration/kiosk-additional-reference.md +++ b/windows/configuration/kiosk-additional-reference.md @@ -32,5 +32,4 @@ Topic | Description [Use AppLocker to create a Windows client kiosk](lock-down-windows-10-applocker.md) | Learn how to use AppLocker to configure a Windows client kiosk device running Enterprise or Education so that users can only run a few specific apps. [Use Shell Launcher to create a Windows client kiosk](kiosk-shelllauncher.md) | Using Shell Launcher, you can configure a kiosk device that runs a Windows application as the user interface. [Use MDM Bridge WMI Provider to create a Windows client kiosk](kiosk-mdm-bridge.md) | Environments that use Windows Management Instrumentation (WMI) can use the MDM Bridge WMI Provider to configure the MDM_AssignedAccess class. -[Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting.md) | Tips for troubleshooting multi-app kiosk configuration. - +[Troubleshoot kiosk mode issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) | Tips for troubleshooting multi-app kiosk configuration. \ No newline at end of file From 2a1bc7b64313506e72f41d247bc75aed7a17b16a Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 10 Nov 2022 12:38:53 -0500 Subject: [PATCH 19/29] fix md and deprecation page --- windows/configuration/TOC.yml | 2 +- windows/configuration/kiosk-prepare.md | 2 +- windows/deployment/planning/windows-10-deprecated-features.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index a8f693f75a..979f7648a6 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml @@ -37,7 +37,7 @@ - name: Use mobile device management (MDM) href: customize-windows-10-start-screens-by-using-mobile-device-management.md - name: Troubleshoot Start menu errors - href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors.md + href: /troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors - name: Changes to Start policies in Windows 10 href: changes-to-start-policies-in-windows-10.md - name: Accessibility settings diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 350d88e8a6..5ac71f90ec 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -206,7 +206,7 @@ For a more secure kiosk experience, we recommend that you make the following con ## Enable logging -Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. +Logs can help you [troubleshoot issues](/troubleshoot/windows-client/shell-experience/kiosk-mode-issues-troubleshooting) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default. :::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot."::: diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index e2d52b176a..c57fba110d 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -75,7 +75,7 @@ The features in this article are no longer being actively developed, and might b |Windows Hello for Business deployment that uses Microsoft Configuration Manager |Windows Server 2016 Active Directory Federation Services - Registration Authority (ADFS RA) deployment is simpler and provides a better user experience and a more deterministic certificate enrollment experience. | 1709 | |Windows PowerShell 2.0 | Applications and components should be migrated to PowerShell 5.0+. | 1709 | |Apndatabase.xml | Apndatabase.xml is being replaced by the COSA database. Therefore, some constructs will no longer function. This replacement includes Hardware ID, incoming SMS messaging rules in mobile apps, a list of privileged apps in mobile apps, autoconnect order, APN parser, and CDMAProvider ID. | 1703 | -|Tile Data Layer | The [Tile Data Layer](/windows/configuration/start-layout-troubleshoot#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | +|Tile Data Layer | The [Tile Data Layer](/troubleshoot/windows-client/shell-experience/troubleshoot-start-menu-errors#symptom-start-menu-issues-with-tile-data-layer-corruption) database stopped development in Windows 10, version 1703. | 1703 | |TLS DHE_DSS ciphers DisabledByDefault| [TLS RC4 Ciphers](/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) will be disabled by default in this release. | 1703 | |TCPChimney | TCP Chimney Offload is no longer being developed. See [Performance Tuning Network Adapters](/windows-server/networking/technologies/network-subsystem/net-sub-performance-tuning-nics). | 1703 | |IPsec Task Offload| [IPsec Task Offload](/windows-hardware/drivers/network/task-offload) versions 1 and 2 are no longer being developed and shouldn't be used. | 1703 | From f4948d3be74f582c1868453c8bffe9f60d68077b Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 10 Nov 2022 15:38:47 -0500 Subject: [PATCH 20/29] updates --- education/windows/federated-sign-in.md | 5 +++-- .../includes/intune-custom-settings-1.md | 18 ++++++++++++++++++ .../includes/intune-custom-settings-2.md | 11 +++++++++++ .../intune-custom-settings-alternative.md | 8 ++++++++ .../includes/intune-custom-settings-info.md | 8 ++++++++ .../includes/intune-settings-catalog-1.md | 18 ++++++++++++++++++ .../includes/intune-settings-catalog-2.md | 11 +++++++++++ .../includes/intune-settings-catalog-info.md | 8 ++++++++ .../hello-for-business/hello-how-it-works.md | 7 +++---- .../hello-hybrid-cloud-kerberos-trust.md | 11 ++++++++--- 10 files changed, 96 insertions(+), 9 deletions(-) create mode 100644 education/windows/includes/intune-custom-settings-1.md create mode 100644 education/windows/includes/intune-custom-settings-2.md create mode 100644 education/windows/includes/intune-custom-settings-alternative.md create mode 100644 education/windows/includes/intune-custom-settings-info.md create mode 100644 education/windows/includes/intune-settings-catalog-1.md create mode 100644 education/windows/includes/intune-settings-catalog-2.md create mode 100644 education/windows/includes/intune-settings-catalog-info.md diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 8159e325ab..94f34b5942 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -57,7 +57,7 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] To sign-in with a SAML 2.0 identity provider, your devices must be configured with different policies, which can be configured using Microsoft Intune. -To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings: +[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)] | Setting | |--------| @@ -68,7 +68,8 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile] :::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true"::: -Assign the policy to a security group that contains as members the devices that require federated sign-in. +[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)] +[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]