From d07b0d86f6869b9e1b4e902f7601b8bc4682eecb Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 22 Sep 2021 14:39:09 +0300 Subject: [PATCH 01/62] Update token elevation type values https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9920 --- .../threat-protection/auditing/event-4688.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index fbb93d7b9b..22f0be469e 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -154,11 +154,11 @@ This event generates every time a new process starts. - **Token Elevation Type** \[Type = UnicodeString\]**:** - - **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. + - **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. - - **TokenElevationTypeFull (2):** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. + - **%%1937:** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. - - **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. + - **%%1938:** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. - **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](/windows/win32/secauthz/mandatory-integrity-control) which was assigned to the new process. Can have one of the following values: @@ -207,10 +207,10 @@ For 4688(S): A new process has been created. - It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. +- Monitor for **Token Elevation Type** with value **%%1936** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. -- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges. +- Monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges. -- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. +- You can also monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. -- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event. \ No newline at end of file +- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event. From 356e56d25d3fce5fc4db68c9b5c94fff29f77a20 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 23 Sep 2021 09:21:09 +0300 Subject: [PATCH 02/62] Update windows/security/threat-protection/auditing/event-4688.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/threat-protection/auditing/event-4688.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 22f0be469e..1aae0dcddb 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -154,7 +154,7 @@ This event generates every time a new process starts. - **Token Elevation Type** \[Type = UnicodeString\]**:** - - **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. + - **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC is disabled by default), service account, or local system account. - **%%1937:** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. From ea2b7b49f1ade6c716337155869509e06ab01010 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 31 Oct 2021 14:09:51 +0500 Subject: [PATCH 03/62] Update update-compliance-using.md --- windows/deployment/update/update-compliance-using.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index d27fd0af96..8fb4f00faf 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -56,7 +56,6 @@ When you select this tile, you will be redirected to the Update Compliance works Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. -* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Microsoft Defender Antivirus. The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). @@ -66,7 +65,6 @@ The following is a breakdown of the different sections available in Update Compl * [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment. * [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. - ## Update Compliance data latency Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. @@ -93,4 +91,4 @@ See below for a few topics related to Log Analytics: ## Related topics -[Get started with Update Compliance](update-compliance-get-started.md) \ No newline at end of file +[Get started with Update Compliance](update-compliance-get-started.md) From a4d8ac7e34690842c5bd41ffed6ad41f22aff6e2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 31 Oct 2021 14:11:24 +0500 Subject: [PATCH 04/62] Delete UC_workspace_overview_blade.PNG --- .../images/UC_workspace_overview_blade.PNG | Bin 25858 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/deployment/update/images/UC_workspace_overview_blade.PNG diff --git a/windows/deployment/update/images/UC_workspace_overview_blade.PNG b/windows/deployment/update/images/UC_workspace_overview_blade.PNG deleted file mode 100644 index beb04cdc18268b912194ad492c6a28329bd4aaac..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 25858 zcmdqJcT`hhvo{JVU;|VXkgB2}(z_rK5v3-CBE3qGYCy!$NfZ@Dng~b-5eS4(M0yu# z(pvx_6eSc1280kG34t%5?|a_!o^#i|>)dtM{qFt4y~!@~%ri63JoB5GZMdO$UUuhi^bS)rd8eT=nlF%b+ZuQM?FbFDGX9Z()lP&ov3o}a@r9;glAt1b z`4q(a@ee)5A7>a(2!(#Ucl*KzqFNAne}B z(67<=!_6TdKQ6a&-qtdKF}wE$jxLv(0j7co4b-#-@ak$F-dbg%1lb08c;@>#nPaVgotT zLV~aEE_7VUg5Ryt22s=qdx>661($wu$B%D8Q#YmjQ0AIemSFhsSo7V~5*}-;XWp1E zN=mrHW8&Nfl#~N_hmveeP)(3cZzS`NnPo)}7^t-Ovw%fngobDI0O_|TbLvSU^NUl_ z!}#m3a8+84e4o@yeHZ6n_>17gx?(sorJ_^o?TuA=XJgY&G}@ZVj=J~7NNMwpWr1Y8 ztc2wSdHOJI8r{OLQXf|wzAn>}1Xfu~ko}VL>9EU36(0OX2rkT8PB#cNkiVdgeC-CZ z&00wbKQkK(9u-%w2LO!)zo-`tOkd8B0f;JHDk*=^{QMR+z{Wf#LN!DZ&jm9fr{Dr zjqcj5eYnF45OrAQ=>%e`|RP?(9S;X68Pfcwa7NF1wyamw3tA^3=buxGArPhS%;ZI$Y4!a z*ywlUw8xz{{QY3pZ){}TbDg_sO-(Al=G=?rHk#uXnNjMSIih2%qlKC9huw$A*dI$a z=a;WHa+lU}_F>AB$cj$uq&e7KT&%$+Qjv)Xr+aSwx8e&Q3G`6^ubt$OHmyVfG~d>| z;kacoX^pe%9`@|wMv_A%XzeR?bYQGJYUmrO1CLGJ0KZni)N=M~ucix$PW**V)Up60n*6l`RbuBy=SrPEiB z`LRjBNaxu~V)&Rje=qFqEj2B;bbIj9E_}ZGwD4;O#o*byy;lhOp2r)6?^o2P(B2+% z)`PTTZ+1->$qrKGpSjOuU!$GwDvr2gOPPScQ#%U0gSF;Eeq+7U79bz#O8kVMNZQK# z)WmM$g4Ny2@xNK*anxk&xJaY(M^okpHVQcbIw;Xxa!xqsa5vJ(n6446!kA!b;r2F) zD4VmC`MVOa_#a&$5v|dt0X6{25daEk7GLjlA6|sbL*pXFH(r3Z51D`+&19YyD7Oas zTO~$MaCCJ?zMPxj=(p!gOxdWXEh#U@+KXibjS7q|zUg1>c05N#Uy0&)C#=+&12Rqv zqRT1wELQqm&ZBjrTSArj>umY<_nQi7DBiZXjsza)UA_VGktpGJ5zH^HU&sm1F*SY( znz702<)9{Rpv|KPh zgs?f*NJgDi5}KMxf$XH^yv3J9KcnmzfCwbFV5~djy+S0)qm4Mqhkhf)=LgA^tOP*~ zoR)jB9%minkxS>TU9VO+;0?vr<4&NH0=Uc~g$&^`PZvPaFxNxp%okvpSF;q)nUgJY z`PW9BcvzSkDn-qyN5o5%4ZJ1)Yc5Tk&i1X=7wy;Jz}~ z@fPeuk|%M97*x;Fcgx5#>yXa88V5WB!$+MbsKX35U($~QpU<lS^384rP%6mCKb#{Nh~-}-Un?ELyi0AhREfDgG3qY9WK&kJx}s%0(wu?IJ(;A! zz^W5wpyw(J^E??&mOdkd=CN(tR<%@@y)qsBEVaaVd315%eXon0T-v~B0G;(SxNiow zO`a~Unm^+dI=?C2OWhJ0aKbyK9Z8tq>+9@N2u3xgK$h1jrCn zv&R@W=1_%wLs(b>^ssD|b7$v5LN# z6S9~dKu+p>T8Gs>Jn^1MQ}@lu^wy)u1?)2Q?hSPm0OZ>wXS z7KC{2>eCr;ylvt`bKZXJ;nOXb@fu@Rq3sD=8ZR83?&JpF^qK%$W$KPhl} zk#XNh=;n}fMD{|ZN+i1Ui*8DC*<-L;!;9IkAjwIeQPTQIfjtwiEb%0IC;Y*>6!omg*g*t&^mUrGI*$M8mor83y@?(p!5~O}Z7ktWP$x`s)WEG>c zLg_I8+Lw--zNfzn+slv)!P7I3=teGo;k?SRv-^i0vA-fZa-1%wBMayLn$aO9I@v?S zJFtamo zLxg)UxZ^g8uv!VtD*MT6=|{Pq%AMWeV~}0}#-oPSe7t(p%<;P!H`6k(P^86fsHI?lG&7&yf^DvTFf69R1#QiB%ye&^=d_jn^p z_#@TcS|%QU($>|QqViMy&);;FJm%~y)Mxta$b@85iEtXtrIS8n!jgVRcG;Nmqs3Fy zv%X8oFcgDD;b)A7OKeZ=T?TP82mJf8zhgXj2)?jeFuTg^TZ;cmZxo(x7tAFxe?%o2W)B3f}O#V(s;Q*Z$!TXB(qvUyD1}b%I_4w8> zf5OQ1WEI3Yum2)rIu9g)t&X<6$cg!8#M{#CH~%5l-~BPrzgO9S4R>;yE&l50j}<9PlQ?6UA%D&3 zFPEP&*0*^g|6223D?DuCb^3oFfG%PpS=1P0X$C*40cO& z#jhyTxg>D~mxf4_?u7rxeKs@vA($8`fJR?}^aXzEpQd{ynraNqV<)%pgU8Ldk#e2X|E8Vl~Q%>Ms+@J5iz351Ha<}QuM=#Rn zzZp@6KHE!lKX|3R<}L^GU!(d5tNR2G1abyvQ*i9?pEaLwo$j{&LGVDH;og$_f;zA% zJwCdv{e$2?xZ9WWfe-nogy{tTOpDIlz8HgUm7M;#>fjZ4hv6dK|NI|LO<*9Ren-qN zr~z(HH|jGie>FfyUXVy~+b|jn=Ity~ zst%Wb_wyLw_go)beDqLUh-6Au<;+dTscxzetrD_J6}Pbwe$}Z6OL;idnP;kbKliH{ zSG-7aVGr@l`Gn(zQu#gPLEPO^?QQ3kYx%*~%1bwG2|3MR! zss-I}n^0(Negm|17n*Uwz1d7i=g{MK)LU!R(9e^*@rkIX%e_DRL)<$`7w(<7-POtw zxM7pn2|iBqYc1`c+m+fEm>UR=3(HQWmDF|b9}~K63O_;}@x!>Ad2;i_M{hYAx04>2 zi0pKp6p-x{vbbnT?o)KpqNyM~tyl(X0J{fT;saBi)rX0DaGa7lxmcaVJ zQTW-V^Isb_^PY7MKe!xxh`eJ-wFm?RMB4D!G25&0TsaqWXezOg6$S-vriQ3yxIKUX z0}8LQifM`|Wp%1^!Q?x7JH(@6fYL64BAim1kJj>)GYk3e*WQ^k4nUM{q;()Xh^PN{W&}?@O;@u_84|rrY}p#g z!g)ZcVudM*VK#A!|@tq8)Zpons{Tqw?)=ZMRT5u z2b@F9;B3k}Z zEPItBzKJ@uis_bWdT{*tg`=TbLhJVqQUZY~l+HL2kjCQ|PyX{|de-_>x&Pm^^=lvv z5j2N*y8noHXQt0VmYOsCGNO-ZKd)_d`R$G}*M3slHCAVR(MBSbvN%G_L!dJd1}cgM zDT}_l*#3A5&33(1abwcNeU$bEm=4#QIvZ`&Gzsr5ML+`TZ(&!AJ8V=g<>cbd6_f^U zZ%KmR?z-Uby%Sb83x5e+{uPu7-kjN(_OcDbm-;$U)7!&3ir_YenQFSb6GWr9ulg<|)$J#~tc&(iDN(oN#jZy87gB#jU%Eryp zcB}F%_J(CSbVIT}rHiWV*f|?a7rvzwxdjT9x6`a)zqTxc<5XFp1sooUk0(>s`yV%; zM2XzOAr7)oPKY%^{mgx+e%COp4^O-_AC%-Mze;4Z5r5!s}! z*TxUbZB^%JXA>XiF1JRa&)m2u+%R-^Vn#pNdsI{+5twYhlcTQGTDckAT0RSJgmw*Z zrRMNoo>EL-2!Q??@i`3oKo@z1G}7R35~ptT<68k&1?T-zZ?`>JKlZh1YDQjz?_A68 z9Xs&ZQG=BCj7oz&de^=$>tMO4&0EWlX1aw{%pu}Kn;j6NkrPodjI`AD3`*PZXo~k4 zZDDthTtSTaMTzk9Hf?WwOoj_K+FIKaZHI-=01_MfE4+)Yxup&i7u++)&SLEl>W)^~ z^#Y9qd?&=YyHV^sdcaAauJ{v8#xBolR4(d(?$2?Ac@58`INU1l6;Tx%P71YQ$+U2z zuKTvtih>Kr&If;U?!q=>ld3W&l9E|bowxJ(*ODZprZ{`F#Cj7~N|GSbwGR+OTo=7O z-K}QHN{eA{`oVYV)o$^>eOq}f;LDn!uYzwQ0kkNzGTepNbzE829omj?X-*3j)}kxl zO4=k(gU|cfH0V3#dJ40*`n_#mT5ERTP+CR+<6T#Omh8?P@xF(5cIRdu z;X6#81k#hr#X)zHcUwQ3E!>(?58*-h0;P3oJFJzJ7F3Z?{#K0JjrOQnt1-nO@$cQ| z@Ne!uz~8ec*=$!TWwIk5L|(xOMRF-h=7!X(x?Z|M_9d9zK1}dg-QC2y;~i! zL$%rYge=y(UZVmk0uWPE_h7RTRg5_*%1XDVjJOcrJ~rBk6W)>_G%YO}A~Qx>Iu6qa z6DHv&{e2JNd|ON5 zegH>K$B1h1tT60~ef+wj$M9^-cyg!yZx!yW-ry$5s-+0yX*lRXHngcod%{`I@zk;| zHEE@vb%fhhOJ1l`$JKs1LtG#%DW*zWRz)RarN12vIvMwf#Qn85{Y8iZNytzCJkQjgpIl=R|4CIv)+?G@zT$L1|9n zjP7pQiT%10Ml2phb0mxF?%yXd*(7~`_!%HI)r3M zRqSxN6!NN_2|n8|p3=AXpwfPCZRT|VWl*gut>_&v))}MLSt>H3Rko)`nt}IhRpkz? z+nekWe2Sy0R7Lp&qXe3$dRSz?+Is=6X!c78Nkw%@!Iu~E)nWyus!_vSAAJ0F!6+1m zXKFMnHP=m^R5rro*VG;z6^;U^b4-{w{Jz~1qji_;hMyd6SK9N z)Sb-n4+L{#*WbNP4Rp7{-NRRg$hl{GxCH)qN-v|zC($3pV3r~bJ*TxoQE_(E@x3eW zj6OJAuBtxgU7dd6eDVxe8%S~T?a^5=4`1FF8#Q7hObe^R*^fzsP_8D&lJXdj?An}9 z{S`kt*sCcY>H|`^gAMGj`%`zkFJ`)F=BkmIhOTj!i;1+3>wjf8dHJ5qMP3V~@1C~Z z*A|L)3HO3d2xGx+xw3k#QLTH>C>14=>xa?DLpZY9!bj-JGi}W+uBWa~SdlA{CI$US zQ5zHs#5bU&QemfFVr_O#O7GTGGU}ylz3$j3>b~O{Tyn?dO{UQIJOkNhUU@D6A}$A;(bjdU)=aJSAM671(hU}JWgSQN za`pg{{heV&6-s`>V_?L(-hD-s`{lv2MQO1C91!%>)y%v^4Y}bH)H&6fAC~iBw$Av* zLe~jYm?A0V#9d>reLa>xyacd2Ws)a&PB+Z+#2^jPOT<2gXM>6KtB1lv01#AnoCZg)V*9a%%l?g3v%@>Q&RmNM$+UlQt+k;+BomC6IzET6lkQ1;hPFSViBKaWz%;vM*ttKC2BHgWbjCO zs-#?%=k6SlJ-^9Ir!MJ^mO+?$40){ni4=~>tCh&>@T|_vw>5^) z;9sDvD@%fy=?-TbiYXq6aK7KLC512PZJTwh2(Ia`GcMZcV&^d@*$zmz8^BM}!{7Wn zG>s{rh=z(Yf+kK#yP7VGyhPuRmh6GNlw8o!DZ5 zZ6&6oMEbL>P3_$-E|WVNJ-aQ|Bw$Ss>pgf{|G{Pc*2v7{_r@br8+X4oEqW zt)3&1098nMTk+QTZh>$wMwiBONi z=#`@!93Wqc`>>dl#6ZT1clOgd-&c6=C3@}XZ^}m)AZGSr>sROHR!X&q^Gmp<0#T(9 zy#=rt-PnNxRD0L^eVO(m&k~0MVg>z1F>Ve?;aoipDM%w4_xEopSJXJ$;oP!@H_Bu= z4QZ(==Oy=GkVdtnpBYlX`U2Wsa3*CkvrPN^(ptNir^#MO38MDO7+tFkb>F({%?jpk zQE2_Nn<3l?aIN%0k3%)8BPCD{< z!43ogJxOH-eg8-}DUFPgzU!u3KkF zq-*H%C48qEf?N?60U?2=J_B)*nNGn&F37WYU{1n`shVb0GS3Si z%w)LYd&Jj2m95Xd9^6ZxKXwVy2~6J-9q*eE=<4m#i5HB(E*xsZ0zcHcQ%%$acR~}p zZ7ej;H?jttEF-jAj4q-TV77MCjo%h1-+phLno}suiu)RKqsBNdd_L+iBuX?%_Z_ce zEb2s@TuyKA({4fiVNB{16X=b!9(SWu6J2ZKr?LW_;3w<>r5{G&QX@H@MQAt17&pyess4B z@H?lmYG0Ioj|VW7H#$e94E)rauW=FeBhSW8E%JYO=ef+&J zF{sk0ZDz?RMr?lVx?(GH=#fDxX3Rc>@Hx!j5@6-08p+racT}+LP77|S!Czf1JWfi_ zZKzCEj3brzb|VjnD9n{)m@$)C*|0KuU-GOvcv_?q8abJ8UsCnKNLu_4BG0^5f+tZ{ z7j?RWmSqEZ3rDnY<*GJ$qAgserDnWJSDa1Q1AsvHXyrEI03Yws6!us_aP>han)ZJa zhVJiEp(>ZwAqQ=2+P4op-ckIkuLmwvga7n_)47l@bO{i4K;-XE@%~?9+5d-$Sj&;j z?E>zo?d=c`g7ez~K=|ZqR1;~`8vm^ng0C2}d$ymsxUl}69*|e_n;`aRTO)#d+uATZ zM)W8>YjNZf`|idt7%Kz2c4WWB!mSN66SS&k&d0#;#AvNkB(vNPyx)7_>PE;=QKKDV zU~njZL*LgJ8Qu&1&(D4sObnWTx!+75SzT;=Bf75T#Mjbv^Kr`9s&U6;V{SJ}#iJoNy3&{#u3PBxTS|Fx+jEYAplIq@nv$5dkz()dM}yR3&Vx&-Nmx8A>B8 za8hPw#o_fWz8;x-dvAODlf>PUb9jam&F}(0cD`BYRE^{Zy8#lg)HGA-rE-=hcMg%g zl~z$A$T!J)p2GLAxhLW#p>?=<*Qr3Mj`Va!JG3zj-tZIN(K@pArN*`X4Y&$HQp`9}rFudyfJREFHhl?@R&I`-)SmM(Ho|K51hidsl&`PW6Tf*JW96m z264L5>s;`C4`y2n<;2E=Lyi2)9xc_Jp7_*o&y^L5ub&o2MECbk2(E|8T4HT119-fi zB>1`|?~YVp$E;;wD1O%J_1QaDDlHqO+qSVd@49JBP+Hl8!n?%7AFD3_R=(?{gKUsa zA7l?loaqt0sw9g}?nSM=2nHehdUeFgBNF(dikVTg@YpVy?;)2%OY0zV;iz0fV9xg7Ak<~J zDP}n3L6@}xA%q^#53q?8w} zV2kWHH4YS81 zaYhpunM0tZ<$kvEO-(>hACVhGvHqq^}nJ<(_ z+RbK1!%PyF&QZBlY9SU7kps1bEwqH#m$l!ZK}olwTz0n&0@vFBrH-rtOA`|ACBLih z9SRz9c5i8Ef6p2cGVY%F+R|tB9=#3RRBCndtU!cKV58j#z|Zl4XU9p%A4z3P|kNNk)=sTnxbT>cfqDuy9=wZm&+M(wPy0^+M)L zgb_3kds~Snt$xR6jA>WncG2~PVSH?e zHje%ItKpIktW;;nHV(g9VuyMsZjG+w+wfRYhHcwX(Siv}Uc8%mhnkK%q}q*TNl&<+RxSiTmX0eH%DOfdNOQuT#vAw8|nCf4vnnN*l>M zf;2~$XlajqvyU5!lOIE@X3naSWI|X@7WI&c%TB*RZv_4NFrEH8N4_HjCsnt(F4B_5 z{lTAqTz%bQ$ko3VHFH(U^^Q!I6o>ZO#CL};tXsoi0n?z>S|i&p8G*?uc4)<(U&j6Q zeTY@Cju`Bv-P9^XikOnpXalWZ7A0xfJ^zuTQVxqs84_E6ZQkFIy*UFfQW>k)c79<6 z&)xY_Vl-Tm#X;Y}@8JVKv&&t)hv!UE0rHEVe8#P!0iSHfO6{73zmwr=uyv9Z&wQ8p zSw5MjzLxlC2lqj}Q7HMz5<>oml(d`j-4fb@dU}1m+M0>hP=<8)i@<9+Zq3bs+Gkx z#KXtdQifSs9WLq?$Z73v(&kE(-L6ziECnqE=uM=Oj68i(0Q7LB%|{EnRBC7^i!^>4 z7$@^)te1MMJ^9|rbo!Q8i5h+`eRv9V$@u;Uk6S9tsh2C9h36tTqDIa;iSS6p%q+79 z$PNDM9_JxZpw7bvL9Mca=URX^KiJ!TSlwYx-Hiju)K^n~G$%J!3rHfB`{5(ST z&I3*H3WK--qT4f!_b#1F4wQ`*_dYZV@{LkbZ)O15W!Zd~{wUrR66xLZsG z?BOZATh?-{q~CB13B|0^$C_szXri7R9}f0R%c!N1m49H#rR9-&zztRIV91G+_zVaA=Zn^&Vk_xQ7PKleTtc9<*%{$!Yk zaEzUg?se&YLma$4Lby;`d0Vp^3(4|*l_`HcR8$9=RqG$TU0O>|CAc-k`QAs`4LRG{ zgH4of4}aJgVlpgNQY#TQYu<58=JfpH#w(%HAc@d!F)>wb_kHltWRW(vHiz)oPWrGJ zrhb1>UU{__!X7EIp-x&ZX@WawiqNB7cRcw>McmimlSOjeN&!0^rs@|9I8yFKUVN7h zH|oN}Iy9%kvnQ8Wp)X0Daovat&rG> z9-=w!EkQ1a5F-;!vTWNGAyIbMEtY&cyx+zoV=y@K*Dfx}tBi2AvE|xN36zr__P=6~ zzQDD{i8~sqV0HC+woEhh8SuazI&XV-L>Y*89-Ur^*g16Q=8XebzDGbvacclUUbKvlQ7kK=iywFR5RD9k@$g+)sF(ex;hUQ+>_^v0PMz zDTQ=kJW3jv=>>(Tn{&;Ah#l`6$lYD)DjKl67K6v2{uD@V3+ycAWmZD)caPFB)Zj23 zj%`f`6o3)L^PZ^k=eP?$qK0M(Or_l~Eay>UZ~wo-XgCW_kzh zw;P{4OkTU4QVS4h1r|K&IS-V+jD+1_zsssLY4;HgPF=lL(U*H7?3`KA`0nvsq$jI4 z9Xs`L&p#T5xB8MTbZI$(^Sfj7;bLn??&S*PH%M?$1@Dk^X|*LRL)#o#AuEo?lXeW8 z=jS>&T=321Q%4dbWdNLJ?-CLU9I8K{h85+;CMS8!Khu(HEj*_=?ZMYqx*x)7a1~3I zH;D50>YNn>a2In=o8cuhbg5r_1rCEa5trOd;FBAoNG1mvO}MItef&^skrJ!t-KUeS z*N~$xQF4dT+(uVLY)!2x3NSn7ez8Oo=m|~vn+;Q#y@6=w?77AK6!X{5uEeM3tdM|s`ZQu=MRR&fHREt{;03#Qy?!PJdVIguI%BdpN4_;-WzydrAw1%Q&q_;) z(0}npJ;nB_Qu!60_!2R&306=7?=wC6(bfZRd;?$VHqLZ``{PVvYM>`YysPX zuum`%7<*Z-nxyjc(1F~;Wu%kKCmE_k@8t$S$vr@~nT4WGJsBlEusjec3~^!>&jVvm zC)iy-Kt#HQfe9B$0I6Zo?(y6Dv=?T`q0RE8 z27ht$Vl!g8XgQ_~&GGE{{Pit=cFV&M?(<7`41{`+W!dsn21 z#{yc)3jI!M7&}BziI#CN-^A#_R+!KbWnN#Dy>y5A=2r#Ex8oJQ%Q!qLPte?2GFP$K z2x~uA2{-1SsMP}5ZaohiBP`M7Nbkk}eDnD#0NIqa8FbiXp>82ad(t36!8+u@$QULg zTd*{No}T`hJ(1hsY|!w#Xr%A+s)eay=QR7AIDnZHY~iKDXPjt?CXZ% z$t5@3V^U5tBp+nZ#>IxQ|_kK)U7Y)wr2$8a|=D_(ubFJ&X=!u}WzOF49qgW-H z;fp$eXKo{9x+M@|P(_suIqiSF=Dr-;o2*ROs3pEjtc35|LB^lqNplh{mU5=(eWGn~ zC4lGwv*KM~k($aYmZlC_^S-Q{2wGkC-IXVw8HSGs+-w+j`X~ZZYp+I&!ASTJ_X_0& z)|upe6^%^oon1vq)ft8C*@kTVY@u9|{+joK{4z4_WC-`)@SWLtg&>I9<7xc-m@-ph zw700gV?CraBErGcC{wYF~{D~d;EPM7^N+J;5$! zU0`hKT}=m1?+j(Qd9e!JkpZ_-t0X;wtl&1fXEmb!kpG$aFq0~Ud8R$34!+L0>a*I^ z%Tu+X8c6g|OG&;_JyKk$q*^fjm|9SeZbVESS7;!;sd@iR>QPhS=5wl=HpWkC#kBp4 z+^d6v79#_Vh_t_$n53fij%S*~FB@C%wO-W0Z~u`~UP+XaJUc6$2%ktp1u2$iyV?exReZ)Bi+k z6DPyY??}T=07J4YRFP~8FEtLJ$aex40)4w1=+Iy*A8V;D0kCwP-42=M5_LNJYdg9% z{#(%n3B*&~?yNvUq9Q75ZL{@QM!5)gnj!dwJgbtn2U}p=Z(%@~T{&^%NJPqcq@uJvo)xrul7H@7RvL3zD6Y7bT<#SK3A9lNsntPt86FiXQ0 zb{I*+$o1hNh2bm~HYeTpk;!7y)!gPxpup)H=N(mU#P0YyIv=xCcj5C*?fT9UF*G#S zy;(NmBA-wW2Tw=8$w;^e>Fy>{pdP1C;d3yK3h(bEmv*zUh1yS!Cy%^^Q~XsPX~Hg( zoZQxHw-srzJq(4A^5z4Z;7 z^hCkFEHsumP^ZIz+1SJRR^xTDWx9s%t@ZWohTS(+&bN57JGtM1a)&u(>QcS`0l0tvv&TMRgScyf2e?}p+Ua~P=pqqlf>*itx|CBB` z{9NU6(~!Rl7b_RKetIrgzWuN`bC|+DAH&EM);MNB=FwRvzE(_4=k*Wgoy0_btPN$wnt ztwLRtd|r~x<7FmT(S+>PZJh9b(soF#_jsh!_>lGofXax1M+pzf2th$`t76iEBiG&s!N?0djxUx`e$XEY5>+BScxxp zOT`6TcBKFJ3a@>jHu*)%F#fEQ&c9PG3v_bjlAw_^KPW1kC5i7Z{DM4{f&I9}bTi@r zT3H;Wr;`~EaM#CEpE1pcZqkca^p@Y~|NYLBDX6CPE-^fLF_Yd-yI-ktSjU+GX+>4j z#vRf8CM6AMSDAU8^6-4Y+bh3B%HSa8)7rPJ?ZTEr|3g8^tgoYCjz zB5?#ymD%-1{i4*ZPh~zosF%|q>YN3wKD@Ami9r_~#w0I#t)t2~QCL#$s(R=AiO=sN z<4`^=_q6suHeT3N6iOJDCA#8&90KV9Ym4nci<0e9d_K@EY)Fg{Kp>)@h2cIunbD77 zD*GO%YEWMpAvF4X#POW-fdWy9gCBZ~^j(X<(bf@~+7N+4Txs#7o zB3Wm=RSy8KQ*Gw1cY5}_W7ITKu6X@Jq4GB6*2E5nmZPwxpnvUi$_Z1_=B)~7d;GV& zlnVlJU2qjAtV%X6fe#E6LwhwuCz5ZZ+;@e%0W9Fz0)DRYXg((7Rljx?<8~(&C4O7M zGa0=Kj|i!dQfw+mO!XbkN;A}+cQp2CWN@JKz8+x=@a}oP6{iWdxY221LgG-KT8JA# zvNNyrTzIfZuK3j&88-lKd=u8?K)5u^^abSTydGc;vfA={T~g+bMxO*ZjNTjWpfG%-b2Nl$c|H)g@IKX0o^fX`McE?#Hca>u_|qi!D{(Mb(|f6R zEom%qNkk^WROW?Mj<2$R(DO>NN~DofnDMx9@cFY+Km5;tMLBf^E>34j!8(|NlNb2T zJW@UL>}$t-VjGjcj&O49ax>Cl7NzD(5U)t;;Xm&{Sj$xz!+S zsjkcFmQk(>PH8u|J5~9tvOYO|a|TA4nb^EfHNk_@t3)K|pPg3qJ--|)b8PL@GOko- zecM<6Lt}h$U_U${c&e6gBk=sA7vDHDwdG+l&X%fFY1k$1ptoF4j?#NPKn+X6I z({sfuYfjLQByW?7fP&H=M;C?i6eSZ_Aza2t@UDUcNs&UnAW z_&Fu=QTFi1?b|hv?mUa{RwQr^Ew;ZKtMVj{>IuM`Sqp9mo=1rypI83=R<`+ytKiAx z>Sged((8LA#5d9W)@CUpF<=G7ok<1%;qN&mizsxH9MhQO|4$$V!z4#nQV{_DQ{w|u()R&JS0K3;aCh~(kAm2J$Uq`$m3gbA zIY~O#HmkULi;1*6>&NnJBXNkIY`gc38S3W3J5k=oGYSd_&2huM;Y@LfBiu|&B*<|W77=r(Z zoev3>h1V{cR-xIT-@0J|hzb#_CR*-%)25t#$_P;P*06j{O)h!6}YlHKv>ZqQE*RLK}+qYHe8E>YF|{2 zp;sGuYy($XeeeceJ1T^ExgbpJaNyqH%aK}C_r~jxll)UMg@3V_ChMTUEGs6`qcbiPbw-CMG~|&Ag?$9p z0Q%G6^JK}==1MX6m*p{-;urT0m@ZeaNKd|bz&Kei{5J-iC}(~6_bGFUuVOtXgqM~{ zw;QORq1w{ECT=hXedEtBE2S$I8NaRItw#j5a2W~39r>?2t)b#IF;OyTa{NfAs#om8 zWA#JFi)wYkSm~8hP{kym)<73k7@#lQT1t5IhM8G!Os7nS+X`d6*^%-rBxAe~F9_~tuXhZAm5}D)HyzLTWW#&-kmYky|qD1yb}?xeZd zUz{_v3z5g~vCxqp+`wA5M`sHK&)|Ey6MPOd?M62vGAGYyFiVpc;9NLHVk%~`h|+zaOZ zwUg%V?)okSQS23GPCP!63~sh1DMsK#-^kR0WMXrsyQYMgY=P4S#=kRhuF28PSd`P<$Kg3i_ci8Py?QGMfrLSXq`JCA|I*hPtb05MjH7@8_ zaPOunU#QkLmGq>kUUjp8N;s?*OH)m6n9nkMcJ$BAp%43h5%VEm3wjY{s zTDEeoW2)L~Yv&1Ez4Fk~FRlUNv`}uUk$iz4b|OdB-}bVD`p-AMW!Vgw znph*J%2>{QkjcsIvnxWp*3FCm#a(ky?N~NWzEc16i$3zMBV{5<10U1?)!?ss|9ria z4U65$QT6>W{ozfNXA342{bP-gL-DbfrLeT8cJ8gD>-xB*i z4^IXVmde5YB?g!LzC_2|ohY#?jR6t7qR!@0jk?mN?PG6vFryYHj$lG0fWeGgWpgB+ zQs|JYVFw6Hca8(wz?oTGsV@QU{jyAX(yj4)Z-4`H$y#k{H~wLH2@IfWk2bbGWQ=@P z$x>Gb93%LgO?@HB&6b_Rv3MhaV1r#qtu09&(_z4Nk}q^U@Pro)Ff>p8&+FTNVJr1F zKK+keu~Z$32Am~2yG>8{Z>%|1pA)}k>s^_ST5X19);t#mCN*wn?0RW*e>917P$R|Br-!>QsF4_-MlkF*X$TD(yK`EU8Nf>_(0Q9 zT*S@ct@yq~T#V3{JpN2RcjDqm3CFu*rS8as1FX?-W&ii&J&;_2f;h(Y5u}DLzJWbI z3(}0&6ax}GsEK~6BLW-<(tB4>7~l&rUKti)Y(d ze!gs92E^{dIseI%pXC%~ycn8}_REa1fKPddsma3WZ^kukPv35BMw=MP-0Pz{R1 z78>LlYMU4F-7-II2(F{#dPiojyN3i9$#q?S7`-C{SnR&uw5POF^P?YEd*KQ3sDl(E zCMe@%LZK+Oum`el-1&y-6D&UZ-krf4W2l==8HFW%)Ioy6tjq{1R|QHgyK)jK)lWa8 zOY;ux$L!ZvutKR*Pr;i;PNaD7WCE6IEQ!d0`el8sp>yZ&)4I&Bq>@|J{*s-#FH&w{ zZ)S%&p(iVD9p`e~r1BR3b<=M4$g4twvt}#0iIivRi#yih-sr`X3`4kXGd!=3>!s|6 zVz4phNp*WVp09RxiY_Yy-(=K$HS#Z+!Z6%{CTB#Y%~ND&vHD{3n0OamUxKwUF)>l% z(R7^IYIIsF?k;=5jX7tXLAJ0jGF`Ra=a|_=cNB-1XV*;lFcgsLdOV9jhVG;L)dGc8 zk;rC~;uL}c{^fJi8?sPz4oTw;s7gTVCH}~9!Z%}q6L3HVRLnQs2n;7R`zW=;UvN#w z1y$g*T-b}`8<(})s2dld!sA5aI#YO}N*Ig1!nCtV`Q;STC=+Q!%Hi3)T?07+ZVz)j zU9sct8~&px| zIk%|Uo{@10Ye2&I=AV7dqeM41C1}m3Xxu_&S>2rz(cfjBsc+kz0r-~Jeo}Po9{mPq z`#mC^GNBT4P{sANLWX&gr8F`&H!7#sUBrG-y=d}>q35_Zv4d4{kam5Dmg_!zQz$D~ zp?xa1cRR>3_h}BXwCo>fJ%~~qBoT0SAEex-q4V*-pUwhxTTw)1YRWr!_ z2xgJ80FVaOxVX20T1Bo!DkuN{qgW@aq2Qib(qv6#NkZXOuZ@_sud~y_B|CqvCSxHp zZpm{5>CF4dK45=F>$!osX8N{ID&Pyp8~#sawTh>LB-MLfHp{A&GX(6cX_m>s(E|iU zSsIl?{B}bfAh3#Ox@XtjSf?iF3*+vicKmcL9YF|EjXq(wrSn-TCJ*D2-2i{nYJh7F zTx1gySlfPJ}k6(Z-C zg~~Y-^E>ly6Vo}&iG7{y-Xqy1b5|91-fW;-W%?<;S9BP_WhwmJQYtT`Am#vCfulA2 z2(T+N;Eu+0jQwC%FS=%_2i5AL;=IIvcfIjE+HnUw>D-;c->4=C;Lzv&N8Uq&{5@0L z$IJtBzJWO+tv4p={G5_Zw*qugpA@ZLezUeEMm7Go5X z3I6wVHI%Lg6ZqXH$5X{~?5422rEA?P_Afv8O?ZH9kdzMc%cWGc%BADKa@RKew-f2a z6V`}imVb(3md^LMF9#L}BK*ZAq;7gsbVjTGCAwB61%0=5igwMCgVP(6Bg%N0Sx$w} zEvLDtd~g717qwa!QG;7bdBABp$I@A|DC~XZx;&UkupG!0DjS(KI7!uep~R{CC8_my zqaBaZen0Y{YbtbdxpC4g14kY83ctPn$evfr1)WB9@@mZfjas#S5j!RHN^hPa7B*7} zDGvyo@9$=rAru|o#SioOHJg*tozX{7v#bM}KdFoXokdaiQ4w|8zU0m$@l&15teFcz z+EWN=?r$OR+|{77|!Uo7iWzMC1{qT>&X=hUT^xq%HwYH z$zahn`JoDaSv#X$32Wba>f_wp9X-Ax8K|~>TAOBH^ek;=u0>98wCO$;k`$ednbeef z^BDDZ98v3IJs(CV0M4S~R?;G=r}OHqMy7ds%9cxPTDOX4FFHS{BY|^lOKQvHmgHDA zduzSYwsAz6y0diNEtkb5g=F*_ z0}gg`_Y;Xno2B=be(t@jeO|z_g+JDu&yo$Q5Ljm<`Ns*)(tu;q9MPm5s^g;B$oQgEheU76IPyawR5J- z?G=Us(9od=L2@a+w!J;yjOz`MFgJl(?Q-kL^GC$~ab=sV<`zr$h{;k0;#f8^7__0P z10THQrT8O!l2_u!5`nO3PyAA4K5-4AYNGnskJq@bk?A8l)vSs@+8rC@J7B5cvF~_M zKFPjg@ER^cRjVt+%NOeEd|leQ{6wyhYmh^~I=ybpVf;#8>{z2ivL}(7Nf_s5e8?j& zXn>nPQ(SxRV+c1!bikZHk#8G!aIjxje5|SF^ z5QYq$lIpWegd6$eIFXrn8?rSDemxX~6K+Sk-%)Gp}Ev|w16tk<%pISH7u zc1qQXJ_anbT^x7_G+TV2NfZ7q-l9m$Ncpy0o%})u1#@1Wm5;zLa~j#~c_VK|TEk;8_B;_ujgFDqZ$q zYo00qZq)!p_9EB}Au7ltwv8g=t;TGncpk0(-hli&5wx^`kTTT#MjAiOzhsR^9D>K! zH?R!5UaT3;2gT^!>b3beS;ukxC8qI7+O&nX+f2&#kd()vm^yx*N+3(7k!X1KOi8Fc|XfVo>=(Hh?{;wnQUS zefwl1Y@9?ir+ngO)zYW&rRji~JA{E!j>zaY=4 zEQo%0c=cR6s`~yVzdS6&tpA88_ty$M_K`C4$JHOM z7Y`HDgcH&RvqN&+r9ZBH4Cq}@K-owKC!DH11rtw1=5t+ckLP!M-6+g)qj8R6a?Oh- zg&!ORs-6|ZR?v>>;*M|}K2|M!mm`b3p0kO*o`q;fe)93YQMFDMAO$>KKo3`dB?v{vkA_L zJgNWf*`2wFy&?mSeGLLHOR7sWjy@SU9K|U7CaH=x?6|^g5Ktz=p7h;NSIJCG-0v;% z4s(?}B`SFNh274Gb1{pLy>ScAyIn^l+b5B}d2IRmPZq)RkR#8sx$W@{ONqs0A&aBm z;E5WKK5B}Y!ubZCt^+!>Sx@*oP|!8a`4yj_5`>bQs?Y5dO82{ujb=|j2H`I~QP&@O zwjhoQ>Zs#kg;X#8&G+>9L@me%&YKdsx(m5_;fYS?cVS{Iy^g)FW2)_@_%zEcpg!Csy>(tAXMjTTg+( zzvg7PUqu87LJ4^#b_rgS|GA3u9k9*4>ghv4(`T$sZg=fsQ`awX=N{5TkXysiw<i(UZ7Dk2O~QrfO;kbE#;+P-gVYJ88}otl*^rgIpzmQv00Co5c`tQ(W43*KW!4*= zrMoiB`*)|Xf=xO$DB=H^kM Date: Sun, 31 Oct 2021 14:11:37 +0500 Subject: [PATCH 05/62] Add files via upload --- .../images/uc_workspace_overview_blade.png | Bin 0 -> 16055 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/deployment/update/images/uc_workspace_overview_blade.png diff --git a/windows/deployment/update/images/uc_workspace_overview_blade.png b/windows/deployment/update/images/uc_workspace_overview_blade.png new file mode 100644 index 0000000000000000000000000000000000000000..18dce5e83156b5e8904ff9e72a54f69b39f943f2 GIT binary patch literal 16055 zcmeIZXH-;Om+wnX1x3z+H?Qrf6X2HNJou~goy+T3yVxc zU0ELs3)>M33rCR%2l!@XpdJJK!uHZvdw^9j1o;Vkz#*vbNMfE&A(2tVxm(noT{_HBr6V@;?jxyz z$P(|*VzLYCr#a`peWvBszt!ZP?=>A98}#>lnzr!&9XM2Te4KOs%|FxaS%NT%3KT7j zV){=v8R8Mklc5RHlfo3}9-Y&?>T8_6RJ>IXxA$ z;R<9N^S$g|$1J`j?t3Z@6@Eu3P{8-bzQDQyRq1BkDHsRK76HR48QeLnJQ%}?hw}R| z3BSH_%f6kBoJO&1`;J?%bw`u(uWL*Fdd(JUe%ohPwJ1Y~YyZiHL&nz)8gR4M*OMrZ zf}Zbf#|6)N(%m_uk5hjw$llFFvv*W@Th*5c7;%zm-DS(@L-~CX8u8H!8FVbm3TsN> zA!45H-FZH~KJl@hcl6p9moDOGNk52_)(lavY2SVxGb{!?E3 zMP9Jh(3lc5UdqxXZezt=+IPbk1#w1=<_M|P zAl!hSqWcawbCF8!rU9ZfE17yN!ZC2_=^&2Nq4vHCqlco2HFNzUz10jV22B2#4~9$v z^@X7w*bJC8KL7UQ_+OTfXS=1VuC#S2SK6TBizQ<_Q}%a1_=9ra_Jd*z{jS?8_#Uck zaP)Fn*)3kGF?r2&FPXuSa9@miqxQ~rk7PJ^Ldy?-)Yp^5y#zQ~I`P08wUl~Tzb8B<8ljeRgh;!95$kLTz7V(jYsOl6aOBEgntq-?q z-|LT^YWgr`%J!-u1no&iiT=s0xA^)stX4p2)9%qUj-@zKNJl=J;G!AAE9^XnduS_4%7SWK2v;HoN293jyN*e;XY*pZfApjC&!0v;3zt{bcPs zBej_NdscId8xJYp>hI!3cQw;uX6#G?;#{ni1V~g;Icy_EW-`nyDBWY0cFQ_UDuo5a zO?dM)6Zx!_3qf0~Gd?QCF%9{}4srY2hg*^oDMC!HT=@o2^>1F~k{QIsno5qV%)}IS zf)2iwnjHu`jb5P}qwk3> zQc>1i9Uaw(op%MB*uMgzhVSnZ_iBYib}|?w{C_ut>QIYUKkrDug;9h~-4cH9b+TCl34Bd}YvK>3WWT z;y*gsVuaA7-5u7vGe_y}T2tQqoVl}UgJo72AzIGK5OEfehCUg>xE<)AUV`l+J(P2~ zU6AzM>rdbTChz6qv*D(#x0NVifeOE2|4E-sx6d3@Z-mpFa8jl$w7N9;j}+{g}IVdMaXgg>vO$YLbl(YH%UgnGsfydh1>PrJ_;+YFm2g;0oM`| zJ0B>z_;xWt*-wVtJI`NX5o+h$Q8gJ2TCILZzQ{2qhVJTY`@s+z&XwhJD@yCH^AGve zIeO@8u3|#E^e-mPmQ>=7FE4!F`@|YchP>9B3hU_AuWqBFcI#rJN2kHdN#N%Mym!F=@17W`zjkgLAfW>rDC(0LjaMfFR}4wZ4?!cG|Cejl z6rkW+GJfs&^kNCZ?*8-hb#C)%VQ9oXTX4j3IP1mj)O@EbS^w+HV-B448e0Z2wCkN3 z0f_(ccBHg2MuA!p>PPi1jKQ`JVN4Hxs7eEliHzVtCkUIOwLsCg1R5ebbs=c2NF-gN z8+ITKll*eXaGtOOAJPd!5wH}Zk0rr&=Sr>{;Uvu3VGT#}{O9M#!Q|!ydRt+d!D$_> zk9S+K90qC;N!;MO_{tG2*Z4xVsG$HNwSf8%qmzYYA%}*62G~v`mF)A76Y|p&!Oa9D ziPwIYVl|c?^rFjpzz{)>2~pT!J>R=AGy(V-A^;Em@KO6A_TtVteQ>VL-_~shw5)+! z-SFmq|Bp1Hn;jm&B&W8T4_Qhb%dgl1W}GlHjV}bR^DKfXK^Nqw45B^`m$BgrJO{d- z3j7z(4$)faQWW4`Wf~&cz!TOzVFwey_r+88VkH`|ya$6QEpYC)DOTSzTtx@Kkg{{Kdb)Dl=H>@&Pwgl7q_8AFdr%C4tPUm1lk+fNN|kwgbs+A6iJZC~&H zR?UtU=bn>^8g9%{5ok*g*?i_3iEBz`DU*q2*b)s=v8NuUbY-XBsK#-cNgZKX>(t|_ z2WGB*beHM6g>G<9MyOZ%p=v~t->u|ME(Q1Hgv;8+L4tAd9|)-bG`s&cGl!Nf4o23A zY5!%xz!}mUgZ0h%8%pLHR)znCvU(nE%+UbG%7DbEyLPnmU5thZe>>CW$Rgy&>ZY`o zdz8^YL@mUr-G!fIAdx=$m08rn;e5*}#pQ=2v>3A!BjQKaB=zvYqUc{HVR^zC!Sp$k8<=Vr1XM1)6>qc;*_)>Ter&uy-)4R~`C>v$C2 zRPjJ5z!sSCSn?lt@x336M85RleMHfmK@=p_jiPc_&uDhJ@zeLt+NCP;P_(fl^fE$Q zqh7muct)8%VP|lk_W9KnOFcp* z6U|_&MSOtGi(MXK1CPMH4kx5-rzUFg7e*tfHgFBYN=AvIh0%tiL_O|5&i}YcWR@@7 zrElx7u9=NuTE#Jfx=PGHDlo$WMGrbKJEww#457(hgG%=eVEwL24htVNPimT3V_(3v zVGFH6ii&8~^X|_WnVJh4YKqwAm=DFbqZi*Q8P;SK4d`WLP#cwuNQ27F^cgjxoSPIF zUmM^>VPbSWT4x(vFOCvtlrab^_4LD3Cb|BoGD6 z6Pnbjsa^Aa>n5HMm&RK=#BPw$(5Eh@{3v(&!)+0Ri1sOxx?<)9CMyi0>rotd=xvMD z(q>`Hm<@ZkJ=5fzD@%vcq&TQtCT`EaZ2fud6ZM)@&0m&-sl3hIi(GKyvhNsH)DjZ&O{qL?D3~YSm8TJEw!(s zBPxW%eHz?q_)gX7DE3-UBDj=!&4_;XM4>g&Qi$!(aKpGLzqmGrt}VZG%+08r@G)Fl ze5SrV^G6X*a6ZRO%Fgo#5{t3n=H<){5UTJ!3{3PLWB3PR!g=Au{BALyuRRLSm&D_% z=sgZQFp+s6Ing&fKYUD<6m-mQ6&f~Wfs~AzT<8#JJ9P9Ib; zyMkS8t+cqAd3=llNl=$V2i=t$soyiYH)H{B@1u3f#;5bLt1g4rP**7GIBmoYP8s*z zc}sa#I|EW{HY0%lp;=-mg?hQx*aE{vbYNQ+?4*@~{Bd@3j^%DfE3t-VeA5u)YFoT} zFCn2>Ou3KU8FevrFEgrFOelvUJHbyW--*N|OO{Myu*BHLm}!h=;zNaI_#wa66MF(IUh7aJU1#UzRmqBb9J%{ByI zdbXn2%bWQ>Sn(sGMpDhd5kD{5jB?XTy4jt8Slnma2SJM1t8cfue>HrUb?2>3a#0^q zAVT$PEm>+TS3q-MahRJb=^s!r1-ShM{U6zYrjDIk`w85TFj>OZZ!ZU|1tp_1Le6;{ z(4x6qDx5=My^d`RswVNhHZ2Ve7mhLg(==vMTw{0ImS}{*N)b9t9YrK!l>E=E-v~uV zp#qGr12s`3tNaKS+L_F>38r_}Y4r~nGP0PyHguL`E!E9d@6O-1`2ce*vBn0~XfAED zI#QEX&!TKnK~|WmSy!b5Pi%gOM5fyZJ%P5rV#R)QZmU(ztgGzN7(x}A$0XR4Eb1ze zd2hDZ;Jr?cjK*(<%NLKqEYhhWe|@{Rw^-S za@ELtedK<9wDLw5MVdM2pn3GoYnVmK6K|p5?^sa-n{lmkHcf|Z1^%*%1ODD`=b}#x z_OrRZKHqb1TPzgF9ITs>_yU7m&ILoyk#1G%Eqka5`<4CRt%1)*(siFXv`8<9izUDsHzy=@ z;Zj~sVZIezZ7AYvO~aMoRQ$j>jaZ0g^rLNMg(ls)+r3DlCG*J;r z?bC!B%LQbZx+ZQToRH&JB;)|aF(?{N7$Lqalg4w8snPGDwU$z{b_EH3zr*x|iA21z z{9{}Cy~lB-3AC?DJXFEJDs)teEVuxy4P7|fm4>&TeXA_0Hs`{GBo*N2QZlehn~Ww; z(LTkeo8Gk*WlFLX!JExYeC6t^oxK*Pq%V$QW2J%ls?Qxf7Z0(ugyJIuVU*0Fb1BXrk{Ye4&AbUurGPtO)t=N zl5i5V^Et@B=a0pHH2GETdxOLTV3o`=HSUqi_vxnBwPNnIzQlCHEDq-+ufDfl$P~?5 z(SbAF?1HaWDokugCP|xf7u)%nvo^{t+(Q`urPcZf=@q| zNB<~+_jeU=FAH8A7F=s3_?^Ud3J)!w?l8ajG-nMsIz+4%Cwek_eWnm6Soqi}IErDa^^x_;3$2d^bEP@^k242Uy&gn20%V+1Dijlm|lA>*BEWaI#S_fEE%T zr(0J&9lHjDckxwDmW{e-rGiOKPNOszh<=}puvVUVJ(^98TxMPl9wX2>^O_V`X6@d0 z*Ec0=KARs8T4sF**1F}$Y*95;=ZT%^f&1Punbd5k)Z$$AD&tEK_SV#JpcE>bJnB8^ zrGwh^_*7~nZVC3iwl(IH_e*{p=fM(nho(|PP}tF+=}K}RH9vH2?OssBQTF@X)`Q=F z(36*Ik@TBShhDVom!#J1NGOY28Bl}e?kjJ;OiX4g51y_-R$=I#L7?Yr_dL~CiRmD2 z`*iX?=ehDPk22)XR@^U-z-G&QmVsZ@+^@~f%DgdddCqO9i>~%Rk4##1+qb*U)s_vS zGJftVBV(4|&P#*Us7ngfXrVMbcSJ+KYH4=%<7IgI5pUTm$16YWi`8aiH85Vn`KrD0_I{^l!wqMTetaX&O8oa5}VI&AFq( z3Z4#eAWiFZt8sc#2jvf`rSH zQl=^=Igdq%O>}!7u9ThN*vJ+Y7~ct@f>wX(xd~$+U>|zhYgE{uR8*yNgcdWtHZpN3 zRD;?CZEo$^qRPZ;NKw^viC=2SFL&K;97Vx)KwLVu(s5$0;^^fT*YCl7EA0+A5Mn$s z4@l0GZIsnRf#`7xe$h{bV?7;Ej(|hJs0$0!MSv7=)X8Ni=YlPLigqiwCf_|%yz$!q zI^d8sz^eY{>M^P%d4R^wj#=yY$CtjwcAhShb@IF>HxLOlk--uRB7XelROCQ}P%g_T zS&l0*=_vz;M@*RyKae;fELBYeEvMxD5BmFHhT1`pd@G14Sfj-a+tv5xHX1DZN67d) zaQshh%c&CIaO(=(yZ3vcHF!8jHi^kr3%d)O%H!f>w?HjPqQm3YL@}=INVWSy3oE0o z7S=~Bj}T>kK|$90zGak&wMau4bfh(2!ATa~NtB6;be&MB+jGd+&vGJB`?gw( zvITm`oF0GkXANlj=tATHoiW59{9cYSuo^jsF%F&%Ohha1dcM}CPyLO;OHMQpY3mR`LNNaI1q-CYE3jM zZPcfZal%GF5sf!EDBETEY_H{|D=|o}iyF{@^I6Ebe+Mzu@xLhd75zE4 z^p)GOqt6S+i169#8s#sP9?%eAdW)adytn_H823aV$wd?OHvMkybWTO8`DlZ~M8<5l zGvtA7S5~gpzG!0o`6rJrF4o#TBypQClwG#Q^NsrN#QyzW4;V0|sF*6vjE>3+qL0L^ z=rE5v9+6nY&SSbteXB(z<+r21a)OiOELO?0ge^cBoaT*Ei$LIG_Cvh`pfrpXCyoO?0PUI+|DgdJom|(a(y4CJAe&Pc_J#)_O*kyYOj}WmRuh zpdkzy%U=gidnY0|e(M;G3#-mE(G6?B_eXvS!1g{$T5=DY$hhLAPMz zMW6il!=ETwZX+n1(PL*(@cHRPZu3P){L7Qf4Ft2?g$IG*s=%J1)6WF1)9aD#jn=N?0lVnWa{WAG z-#61Fp0{3MWmGntP|4{$5QGg;&K~}}kAT^{L>6pcmbN-XJlH>5_yQkv`EiU*`d)02 z_KNnYc~8Z&pdbp{cl@q8@kK>NneHv8k@OahbGTJ722rX+%^wHgtbhRBP*L)mouO_v zHPN8p-M5uNWRzLK61yiMYncmI0utDT5h^Exf(} zPVn2#lQ)lY{L48`3|2s1J+K-jf4?QaPx)*=@%xMX)5bq78QQnMwBu@0n_!dkJR(F( zJ(6-A%ax8MXZ`WTi@Vl#y24!BQGA>x@q`-z|MqJBH*WABW+#T3eaVasmJ`sTI&)4_ zwU*0|uQMN+#k=SANeDS{wF7k9Ek&mVLw-6fA#+(*C;~rs{4qE%wZK{UqwxH|wSyac znU~(mts300$fMLci;eG;Uy4M*HfF}#Ef}wKWfl{UHA$%)uCdhD+uu#IJ^tGSIL_n;oh zTYky89s?bgWu$s!LP{N@`zMdW8o#xMPH7?VU(p$Vx+-s-(a!cLc;1hf+JOxdkUNVt z&BKq`ubdcrR1- z+7okKikZ7wwp{GaHZ)!_BF4!3`~d&$6~-<;Do-V)uof8~+YwRh((-Aawnt6k;7L_p zJxCumJDA+E3~w0QpUa@f(Fa2+xX)nqGWfd>l_0d<)v%F5T|{mG)TC}Zwhw)rxZmOD zbTA3$V|**LX?#LQ&pGBO7YA@ zRhMtV<@E5r?l{4F+e;g)%3T!Rd}UwtrnRnAQ1)3NCmxGE&MlKllO!43YYsQ?F;(Rl zRGugyK(xTD2zShFtkCfx@2UAez> z&)$UBS8;FJTAMD(#l0VbPFHX=M;`jiB;m~LkpkmnuG{9K0!4*9Xi$=VF-3CP{%(uR8l zybh&^x8!PrX5n6Z#75LvUL_$&OJJ|5Spk1Xc|?o=cp6~=AI*0fV|m%CVEkA>B-9fB zAJ>#dEU$chqp7KRe*9;l=Gib%SYU92lo0u#i;dBO1XvazXSXqUZ_R)HqlRXn4&hgT z+@|dB@4r!`B9;$+jzYk0x zt8d9~Q>Lt@%isJO<%dKKq`_e49f-C{pH&BY9U7W7@83bE(&p4!cqWlb1vBuc?V(N; z>RNn)%1RAsgsF`Cw#9hkQ47)somc^{VxzZn5n{ zKPrW3W#Ys!FOt^1P4DUlCbYcom&{}`sm;{sd#y!cI}4JYp5i`(Pls`7Og|s;a@g+F zBe4Hg{OvMs1f%fWQDvnQ@%1}vV7{2iX3B_19EzO>Y>-0po=tA&K_AKLp2_r+G?Vr6 zcqt*Vo;R8M*+^<|-X+<1Xl$khc*&!upx7%+yYhP_MtZ-{Ctq1Q*W(ksD*|PESh7;% zvKZN=W%Q*9q3a?Yr;q#0wb@4x+9!_KPje#aY3f|=QgR%485wEoc|(2O9l}y{iTF1Q z_eJ2(?RbmN)b5*n0&^bU4<#W|ueRkyBYq?WEzxz2`hU&*v3uDp?j)2&JhSx8ZZ06y=*lMY90_YKdvjlyd>san|fX0@- z;OerH%U%#Qu2FtKAN`)MY(AR903wi(16~9coqXZRPXk?1qV=5=4%mSUKT!Yhv8{D2 zkk#)xfz>)dC)7egyrdRD9<6;mY|Vw|LcNyPp$dy%m%MUY<8wXQbaLe`Z=hG^^@dmS zY0(ovaYAQN1Ehx&P9C($b^^V@Wn6i&z~jl*;FS$wKqCtuW&tU@y`eKkPRJeBvl(qa z($MgA@D;^z$F!N}bo#c#9~qGw?Fz624mci-Knu;B%`@JdL@+yuQ0i&x@#TWwVmn{u zOV$g4cSsO{^9>xWy)Uo2ln=@$jwDwjXO$X@coNbA0GZcuwq-eN;=h{Ii0B zNELyM+RpUAA;{|No?z&Es;^nRbsIzl)!>qhDL)m}#*E~k!UIJwa{b%p z#|4Ge5!%9Vfa?lp`1dDnp}*1|t86AMmaJXB1U@?}quFZNkFUJW?$?JPdwV{x++Rq$I&o`Z_`qcKq~&qw!r>}qW|Y%_ zva&YZ2CT=$=k>W8BBSm2~#pw=Yh_WERNdgn8NGv}j9 zMf2U4+KM_RPd0KX!Sr;2M@zIp#*c1~Nk7q?41APw5_Bk7_ROM2C#sa-=1KT6#I&6* z_L&iLijFeUgQHK8e#vi@4iAQ?gzziPXB_;$!B9vJ2`QD&r!_U!L^SV=fzTQ3gbn~9 z1~4J*-z3zUHC-0XJBcOA27waHkbRRCdd?LFW!EnF{Q)Faa3&PmX)ogrLlgukrw$PD zM2qS_pB1a~$sXm7yUhrcS4sIjrZ4j$a}<%vw=%|V&tYr~kn)QZv{igpyU}yo9h|Xx zj{pAG6S!)Ik3lJu)mcaA_coS1H=1MWu2Lukeb3Di?Wwc)jCG%l%f79Sf=&5dz* zS9Lw!+Fhw5)g`7>$j@R5j#apM3#7@}PvhDsgt6LH?0lgT^SPt!jd`Q*ar9E%j1*(Fv0p(@}Z;tS8>GaT{fLB>FgO60Kz8z#FCowtjQ>gS3L8p^^cy_Xfw%*++zN;?nMTpRp9mI{UyL zqCYgoRM=Up*rZa1TZ^bIiHYFIzVJk|fi&GA{x5%fL^=u79NvIW0nD`U9=@$ZX|4oB z(l|JqVO=3RR4;Z?ML9zqcKb8*QcQ5kK0>D{&2g1vnSx)dSuE$57^sXCEnThzWqCDe zNM9*T6hUDEJ9qNpDAfmlG!>*3KiF@ujS`FClelTmJ{ zu7gMpq_0MtOJ&tpS^B`XdqnZf@s!901Vr-A=#K;y_PLR-wQ!o~Vwz)FZRF}FQp!Z5 zxG17w?gV!DVZL?~1IrUrMaljVPu(t0hBVcD{7A%VHgDCIiD0%U2D3jzBe!KRT~LZF=6p$ic7 z2=CR~9%pNxZ_QQ)9J-`Zo#@JZq4Bq+9%k`7^V`6v&4?!{h}XF<1pWRr4W0&e{De7f z<5iuob^oo%0jgAJ0juGDEN&mpb;fbv;-zFz#I6)RAgp~DyXiehjmIC@*nV4{Kl=ZG z;O?K>e}Q1X<*{l<)Wz9RhR?`+hNuiw*xW$3ZAV}IO;PL1Y;6LIX*&gxN36q?7vf%* zIEbKr&BbCo582F}*l@XAv$e~o>bt4$7Pdmd#6~Bz44?~G9FXaoZc-lLD1{9@W@PAruEQqU@%H#}8f%Hfgo>e)ugUVYNDTbid1L<>&` zSBof%w~-R7O}Exm>CM|ONi#99O^ga!P~f`xrpS8X84%y!r$R?Qy9aeA4c&DUD+_|cqnTpNaN<>jpxiD5E^bH0we zWcFVacOP;;(ZsbC46NYQQ4>=k=Ig?PX5Agq_hGwpS%k;_v6evWrBX!0iZ`IFJ!$`# z7lRvZ23>ZrEe3=n>Wlj>|bZSkn&77~H_mKafo)BMysB$ntfo23_3PKbnpC*o}f zK*?&T=|fY_ZCZ-YpoS{Ui1H)KBk+PRq@!XZ{3>*nrbzHZxH&K{aC2V$CsCg&2p#Dp zG<12+I92|BEg&Y&}8> z4ioJ*rwx}el(8c1=z&dj@!7@8ZLr>b-;-p;U*_}4PesVW>6#zbcStb=ymN4nPF0>_ zp8Sr;X=iX8L8%kGhtC0C}4* z6<@_z3Y@xdriv&QVRc0`fxP z$$!;o8AA^mnX3-GuGp+5LU;erk2&Szs-Jd7PwR-OOuf`~##DN??c|711>=XOJeiWJ zM3RitfJ;=z8U8ex{Jwkqt<4-U7WLqz;fxE=wKg2o(LKr46lm)3**%J~5hqg*5_V zMTP##@3i2uns%<~80F$(QlE$jx1$@yt>fLNj72&L1G;ZK<6ENEn3Tjv19ne0`})IR z^#l^3RJDaUE}_Eg6i&@z6!f~>M_fSpVu8^k%6Ik$-^QlSDV}x+h|;3CATz?NLrTe} zW|=&v$|<)9nKchFg@I|#Xw0`fNA&IJ9&-VkjD{84+p68&oQ9B72<@9sdxpuB(v(G` z>z}NM0`Lu3D0`?>mtLtOd6J7i_9}A0(<$^QzS@hcE;TiguRa7`0VwANyK+2ltVgcc z5(O}E$bti*Yh#ezIe>`VzShjYESXZ--8FTi!AT1DD5P8o-kwsKl6#~1&<%-{7|GLMUY#{AQ|9FsyB6(VZ|V0wY%Kr zCSOjVAdNp9x}UJ?X|4ghskG8G} ZUF6sb^2TvFfS1j&G*onyD;`*d{Wl8Cisk?S literal 0 HcmV?d00001 From cf1afe2a2abde259c59b1b7df5a3e8324bd2109c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 16 Nov 2021 21:31:15 +0530 Subject: [PATCH 06/62] added windows 11 after reading this article, i found windows 11 is missing so i added windows 11 I need assistance from @JohanFreelancer9. --- .../identity-protection/access-control/local-accounts.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md index 6ad17afded..c285a90fc9 100644 --- a/windows/security/identity-protection/access-control/local-accounts.md +++ b/windows/security/identity-protection/access-control/local-accounts.md @@ -19,6 +19,7 @@ ms.reviewer: # Local Accounts **Applies to** +- Windows 11 - Windows 10 - Windows Server 2019 - Windows Server 2016 @@ -73,7 +74,7 @@ The Administrator account has full control of the files, directories, services, The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. -In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. +From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. **Account group membership** @@ -558,4 +559,4 @@ The following resources provide additional information about technologies that a - [Security Identifiers](security-identifiers.md) -- [Access Control Overview](access-control.md) \ No newline at end of file +- [Access Control Overview](access-control.md) From 1b4e38f020f548601e4db8961994ef0c52080f21 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 15:27:47 +0530 Subject: [PATCH 07/62] Update policy-csp-settings.md --- .../mdm/policy-csp-settings.md | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 69c7b52c83..c595c0b078 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -29,6 +29,9 @@ manager: dansimp
Settings/AllowDateTime
+
+ Settings/AllowEditDeviceName +
Settings/AllowLanguage
@@ -266,6 +269,68 @@ The following list shows the supported values:
+ +**Settings/AllowEditDeviceName** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy disables edit device name option on Settings. + + + + +Describes what value are supported in by this policy and meaning of each value, default value. + + + + +
+ **Settings/AllowLanguage** From 61fa2b89662ef007259e506b1830a5442694d41d Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 19:37:26 +0530 Subject: [PATCH 08/62] Notification update --- .../mdm/policy-csp-notifications.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 643ef3e681..7ba7ed964f 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -31,6 +31,9 @@ manager: dansimp
Notifications/DisallowTileNotification
+
+ Notifications/WnsEndpoint +
@@ -280,5 +283,77 @@ Validation:
+ +**Notifications/WnsEndpoint** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications. + +If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. + +Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also whitelisted from your firewall settings. + + + +ADMX Info: +- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint* +- GP name: *WnsEndpoint* +- GP path: *Start Menu and Taskbar/Notifications* +- GP ADMX file name: *WPN.admx* + + + +If the policy is not specified, we will default our connection to client.wns.windows.com. + + + +
+ \ No newline at end of file From f8f49eb21fb57214ae41e6fad3c026c7e781c7e2 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 29 Nov 2021 10:44:49 +0500 Subject: [PATCH 09/62] Update deploy-whats-new.md --- windows/deployment/deploy-whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index b092bc6e3c..cb6320f60a 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -221,4 +221,4 @@ For more information, see the following guides: [Windows 10 release information](/windows/windows-10/release-information)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
\ No newline at end of file +[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
From 05da0a4d72ea29d814cd086a1bc52f1b090cc245 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 30 Nov 2021 17:22:03 +0530 Subject: [PATCH 10/62] Update policy-csp-update.md --- .../mdm/policy-csp-update.md | 101 ++++++++++++++++-- 1 file changed, 90 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index c38caf5830..edc685637d 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -72,6 +72,9 @@ manager: dansimp
Update/ConfigureDeadlineGracePeriod
+
+ Update/ConfigureDeadlineGracePeriodForFeatureUpdates +
Update/ConfigureDeadlineNoAutoReboot
@@ -1333,8 +1336,7 @@ The following list shows the supported values: - -Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule. ADMX Info: @@ -1346,7 +1348,7 @@ ADMX Info: -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. +Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Note that when set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity. Default value is 7. @@ -1410,8 +1412,7 @@ Default value is 7. - -Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule. +Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users will not be able to reschedule. ADMX Info: @@ -1423,7 +1424,7 @@ ADMX Info: -Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update. +Supports a numeric value from 0-30 (2-30 in Windows 10, versions 1803 and 1709), which indicates the number of days a device will wait until performing an aggressive installation of a required feature update. Note that when set to 0, the update will download and install immediately upon offering, but might not finish within the day due to device availability and network connectivity. Default value is 7. @@ -1487,8 +1488,7 @@ Default value is 7. - -Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) is configured but this policy is not, then the default value of 2 will be used. @@ -1501,7 +1501,7 @@ ADMX Info: -Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached. +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update. Default value is 2. @@ -1515,6 +1515,84 @@ Default value is 2.
+ +**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. + + + +ADMX Info: +- GP Friendly name: *Specify deadlines for automatic updates and restarts* +- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates* +- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates* +- GP path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update. +Default value is 2. + + + + + + + + + + +
+ **Update/ConfigureDeadlineNoAutoReboot** @@ -1565,10 +1643,11 @@ Default value is 2. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart. -If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart. +When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline. -When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline. + ADMX Info: From e7ff5a99ee5a7f7610ed5f5a81baafc67d46b865 Mon Sep 17 00:00:00 2001 From: dlmsft <91010553+dlmsft@users.noreply.github.com> Date: Wed, 15 Dec 2021 10:43:36 +0200 Subject: [PATCH 11/62] Update policy-csp-defender.md --- windows/client-management/mdm/policy-csp-defender.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 102d605e73..b062db74a9 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -571,6 +571,9 @@ The following list shows the supported values: +> [!IMPORTANT] +> AllowOnAccessProtection is officially being deprecated. +
From 5a4a37565b21d15a515bb2097713be9cc21db82d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Dec 2021 08:55:53 +0500 Subject: [PATCH 12/62] Update security-identifiers.md --- .../access-control/security-identifiers.md | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index d9d4084ca6..6abe9b1c87 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs. | S-1-5 | NT Authority | A SID that represents an identifier authority. | | S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the **Applies To** list. +The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. | Identifier Authority | Value | SID String Prefix | | - | - | - | @@ -174,6 +174,8 @@ The following table lists the predefined identifier authority constants. The fir | SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 | | SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 | | SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 | +| SECURITY_NT_AUTHORITY | 5 | S-1-5 | +| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 | The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID. @@ -256,14 +258,6 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| | S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| | S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | -| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.| -| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.| -| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.| -| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.| -| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.| -| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.| -| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.| -| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.| The following RIDs are relative to each domain. From 40e0815dc6355c38b2bc92a6e021f04034f794d5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 20 Dec 2021 11:26:24 +0500 Subject: [PATCH 13/62] Update special-identities.md --- .../access-control/special-identities.md | 122 +++++++++++++++++- 1 file changed, 121 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index d4abeec003..c1871a8804 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -19,7 +19,7 @@ ms.reviewer: # Special Identities **Applies to** -- Windows Server 2016 +- Windows Server 2016 or later This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. @@ -97,6 +97,18 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights|None| +## Attested Key Property + + +A SID that means the key trust object had the attestation property. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-6 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Authenticated Users @@ -109,6 +121,18 @@ Any user who accesses the system through a sign-in process has the Authenticated |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| +## Authentication Authority Asserted Identity + + +A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-1 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Batch @@ -121,6 +145,18 @@ Any user or process that accesses the system as a batch job (or through the batc |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| none| +## Console Logon + + +A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-2-1 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Creator Group @@ -197,6 +233,18 @@ Membership is controlled by the operating system. |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| +## Fresh public key identity + + +A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-3 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Interactive @@ -209,6 +257,30 @@ Any user who is logged on to the local system has the Interactive identity. This |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None| +## IUSR + + +Internet Information Services (IIS) use this account by default whenever anonymous authentication is enabled. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-17 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + +## Key Trust + + +A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-4 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Local Service @@ -234,6 +306,18 @@ This is a service account that is used by the operating system. The LocalSystem |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights|None| +## MFA Key Property + + +A SID that means the key trust object had the multifactor authentication (MFA) property. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-5 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Network This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. @@ -279,6 +363,18 @@ This group implicitly includes all users who are logged on to the system through |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None | +## Owner Rights + + +A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-3-4 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Principal Self @@ -291,6 +387,18 @@ This identity is a placeholder in an ACE on a user, group, or computer object in |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| None | +## Proxy + + +Identifies a SECURITY_NT_AUTHORITY Proxy. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-5-8 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Remote Interactive Logon @@ -338,6 +446,18 @@ Any service that accesses the system has the Service identity. This identity gro |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
| +## Service Asserted Identity + + +A SID that means the client's identity is asserted by a service. + +| Attribute | Value | +| :--: | :--: | +| Well-Known SID/RID | S-1-18-2 | +|Object Class| Foreign Security Principal| +|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| +|Default User Rights|None| + ## Terminal Server User From 99a778e4fc48fb805db12d8bfd3f370dac82458f Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 21 Dec 2021 10:37:27 +0530 Subject: [PATCH 14/62] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index edc685637d..3cb2aee082 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1488,7 +1488,7 @@ Default value is 7. -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) is configured but this policy is not, then the default value of 2 will be used. +When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used. From 5515a808d5289f184ad27c25718c4da23762cdb7 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 21 Dec 2021 17:32:19 +0530 Subject: [PATCH 15/62] added correct link as per user report #10224 , so i added correct link. --- windows/security/identity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity.md b/windows/security/identity.md index 7e2e8ca4b9..f94bc0578b 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -22,6 +22,6 @@ Malicious actors launch millions of password attacks every day. Weak passwords, | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | | Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | -| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-phone). | | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| -| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| \ No newline at end of file +| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| From c2a8a31b485e450efcc1584a583307cd91997f9f Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 21 Dec 2021 17:49:18 +0530 Subject: [PATCH 16/62] corrected word as per user report #10227 , so i corrected, after verifying with windows 11 build no 22000.376 admx templates --- windows/client-management/mdm/policy-csp-admx-terminalserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 1181f4bd47..12f70d7328 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -78,7 +78,7 @@ Time zone redirection is possible only when connecting to at least a Microsoft W ADMX Info: - GP Friendly name: *Allow time zone redirection* -- GP name: *TS_GATEWAY_POLICY_ENABLE* +- GP name: *TS_TIME_ZONE* - GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* - GP ADMX file name: *TerminalServer.admx* From a1e180db5fdd57f96bde96c5d38b4d280c2919ac Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:02:30 -0800 Subject: [PATCH 17/62] Update policy-csp-admx-terminalserver.md --- windows/client-management/mdm/policy-csp-admx-terminalserver.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 12f70d7328..77b8035989 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 09/23/2020 +ms.date: 12/21/2021 ms.reviewer: manager: dansimp --- From f499618245f3d3b5adde46515714636d29400627 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:04:57 -0800 Subject: [PATCH 18/62] Update identity.md --- windows/security/identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity.md b/windows/security/identity.md index f94bc0578b..bf6a97473a 100644 --- a/windows/security/identity.md +++ b/windows/security/identity.md @@ -22,6 +22,6 @@ Malicious actors launch millions of password attacks every day. Weak passwords, | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | | Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | -| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-phone). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone). | | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| | Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| From 630d5b52dfbb678ec931007fb8e126f614916d7c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:21 -0800 Subject: [PATCH 19/62] Update special-identities.md --- .../identity-protection/access-control/special-identities.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index c1871a8804..242a5fc876 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -2,6 +2,7 @@ title: Special Identities (Windows 10) description: Special Identities ms.prod: m365-security +ms.technology: windows-sec ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security @@ -12,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium -ms.date: 10/12/2021 +ms.date: 12/21/2021 ms.reviewer: --- From 5f95eb58403f04be49522674e6d1026c0a07f6ee Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:41 -0800 Subject: [PATCH 20/62] Update windows/security/identity-protection/access-control/special-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/special-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 242a5fc876..3958382eee 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -234,7 +234,7 @@ Membership is controlled by the operating system. |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| -## Fresh public key identity +## Fresh Public Key Identity A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. From e117fe7f5971d92ee74ac04299f403ed5dc9efbe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:07:49 -0800 Subject: [PATCH 21/62] Update windows/security/identity-protection/access-control/special-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/special-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 3958382eee..66754be796 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md @@ -261,7 +261,7 @@ Any user who is logged on to the local system has the Interactive identity. This ## IUSR -Internet Information Services (IIS) use this account by default whenever anonymous authentication is enabled. +Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled. | Attribute | Value | | :--: | :--: | From 4716bb90fce7f6f7a84d0a412a38f151cd564c92 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 21 Dec 2021 12:11:01 -0800 Subject: [PATCH 22/62] Update windows/security/identity-protection/access-control/security-identifiers.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/access-control/security-identifiers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 6abe9b1c87..9a30c84314 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs. | S-1-5 | NT Authority | A SID that represents an identifier authority. | | S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. +The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. | Identifier Authority | Value | SID String Prefix | | - | - | - | From 6d7c16916d7574104182fe6860e299c931240943 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 22 Dec 2021 11:25:19 +0530 Subject: [PATCH 23/62] Update policy-csp-update.md --- .../mdm/policy-csp-update.md | 76 ------------------- 1 file changed, 76 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3cb2aee082..c5c1634341 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1438,82 +1438,6 @@ Default value is 7.
- -**Update/ConfigureDeadlineGracePeriod** - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
- - -
- - -[Scope](./policy-configuration-service-provider.md#policy-scope): - -> [!div class = "checklist"] -> * Device - -
- - - -When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used. - - - -ADMX Info: -- GP Friendly name: *Specify deadlines for automatic updates and restarts* -- GP name: *ConfigureDeadlineGracePeriod* -- GP element: *ConfigureDeadlineGracePeriod* -- GP path: *Administrative Templates\Windows Components\WindowsUpdate* -- GP ADMX file name: *WindowsUpdate.admx* - - - -Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update. - -Default value is 2. - - - - - - - - - -
**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** From 5d68c92535cd1dc4936131861beb488aef5e7929 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Wed, 22 Dec 2021 12:52:20 +0530 Subject: [PATCH 24/62] Added metadata ms.custom attributes - Added ms.custom:- intro-overview in the metadata as per task 5668596 (part-1 description) - Added ms.custom:- intro-get-started in the metadata as per task 5668596 (part-2 description) - Added ms.custom:- intro-hub-or-landing in the metadata as per task 5668596 (part-3 description) --- windows/security/index.yml | 1 + windows/security/zero-trust-windows-device-health.md | 1 + windows/whats-new/whats-new-windows-10-version-21H2.md | 1 + windows/whats-new/windows-11-whats-new.md | 1 + 4 files changed, 4 insertions(+) diff --git a/windows/security/index.yml b/windows/security/index.yml index 8828c44e74..9acb0672a7 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -11,6 +11,7 @@ metadata: ms.collection: - m365-security-compliance - highpri + ms.custom: intro-hub-or-landing author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. ms.date: 09/20/2021 diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md index 1462084e1e..8b9b5e1d73 100644 --- a/windows/security/zero-trust-windows-device-health.md +++ b/windows/security/zero-trust-windows-device-health.md @@ -10,6 +10,7 @@ ms.sitesec: library ms.pagetype: security author: dansimp ms.collection: M365-security-compliance +ms.custom: intro-overview ms.prod: m365-security ms.technology: windows-sec --- diff --git a/windows/whats-new/whats-new-windows-10-version-21H2.md b/windows/whats-new/whats-new-windows-10-version-21H2.md index faadc0536b..7c111593df 100644 --- a/windows/whats-new/whats-new-windows-10-version-21H2.md +++ b/windows/whats-new/whats-new-windows-10-version-21H2.md @@ -11,6 +11,7 @@ author: MandiOhlinger ms.localizationpriority: medium ms.topic: article ms.collection: highpri +ms.custom: intro-overview --- # What's new in Windows 10, version 21H2 diff --git a/windows/whats-new/windows-11-whats-new.md b/windows/whats-new/windows-11-whats-new.md index f3b21b2f87..fbe9e7108d 100644 --- a/windows/whats-new/windows-11-whats-new.md +++ b/windows/whats-new/windows-11-whats-new.md @@ -13,6 +13,7 @@ ms.localizationpriority: medium audience: itpro ms.topic: article ms.collection: highpri +ms.custom: intro-overview --- # What's new in Windows 11 From 787d172fe981a32f93c125f467e33f7b783b0f4c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 24 Dec 2021 10:34:36 +0500 Subject: [PATCH 25/62] Update the link As the link was not working so I have updated the link. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10028 --- windows/deployment/deploy-whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 287142a49d..df5395a3b5 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -221,4 +221,4 @@ For more information, see the following guides: [Windows 10 release information](/windows/windows-10/release-information)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
\ No newline at end of file +[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
From 04b321d7ae8e78ebbd26285c70f600a5cc608b33 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 24 Dec 2021 15:28:07 +0500 Subject: [PATCH 26/62] Update windows/deployment/deploy-whats-new.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/deploy-whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index df5395a3b5..a0c717c24f 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](https://docs.microsoft.com/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. From 2698427912891b5a62d9623ee3845d2dd94c6b62 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 24 Dec 2021 21:29:54 +0500 Subject: [PATCH 27/62] Update credential-guard-requirements.md --- .../credential-guard/credential-guard-requirements.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 59826162ce..3b6e597559 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -21,8 +21,8 @@ ms.date: 12/16/2021 ## Applies to -- Windows 11 Professional and Enterprise -- Windows 10 Professional and Enterprise +- Windows 11 +- Windows 10 - Windows Server 2019 - Windows Server 2016 @@ -105,7 +105,7 @@ The following tables describe baseline protections, plus protections for improve |Hardware: **Trusted Platform Module (TPM)**|**Requirement**:
- TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**:
- See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| |Firmware: **Secure firmware update process**|**Requirements**:
- UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| -|Software: Qualified **Windows operating system**|**Requirement**:
- At least Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| +|Software: Qualified **Windows operating system**|**Requirement**:
- At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| > [!IMPORTANT] > Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. From 1d980efbf9cf20f0fe508b2cb9d92c48807458af Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 25 Dec 2021 22:16:44 +0500 Subject: [PATCH 28/62] Update hello-hybrid-key-trust-prereqs.md --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index faa8dbee77..29d57a36c6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -69,7 +69,7 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](/troubleshoot/windows-server/windows-security/requirements-domain-controller). * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL, or an Authority Information Access (AIA) extension that points to an Online Certificate Status Protocol (OCSP) responder. -* The certificate Subject section should contain the directory path of the server object (the distinguished name). +* Optionally, the certificate Subject section could contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). @@ -167,4 +167,4 @@ For federated and non-federated environments, start with **Configure Windows Hel 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) From 186842eafa031acdd3efc4c01b167d14528bbc62 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 27 Dec 2021 19:26:02 +0500 Subject: [PATCH 29/62] Update tpm-fundamentals.md --- .../tpm/tpm-fundamentals.md | 23 +++++-------------- 1 file changed, 6 insertions(+), 17 deletions(-) diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 844153ada6..148803140c 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -106,11 +106,11 @@ Because many entities can use the TPM, a single authorization success cannot res TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry. -For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. +For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. -Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. +Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. -Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours. +Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes. The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. @@ -124,20 +124,9 @@ Originally, BitLocker allowed from 4 to 20 characters for a PIN. Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. -The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. +Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. -The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. -For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. -A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. -This totals a maximum of about 4415 guesses per year. -If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. - -Increasing the PIN length requires a greater number of guesses for an attacker. -In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. - -Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. -To help organizations with the transition, with Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, Windows 10, version 1709 and higher, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters. -If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended. +Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, (Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0)[/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20] GPO should be enabled. ### TPM-based smart cards @@ -147,7 +136,7 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur - Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. -- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password. +- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait 10 minutes or use some other credential to sign in, such as a user name and password. ## Related topics From 811386c89f4ea6358b63ac9a68e5d1c88e056caa Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Mon, 27 Dec 2021 10:05:31 -0800 Subject: [PATCH 30/62] updated link change submitted via public repo PR #10233 --- windows/deployment/deploy-whats-new.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 287142a49d..a0c717c24f 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. -- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. +- [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. @@ -221,4 +221,4 @@ For more information, see the following guides: [Windows 10 release information](/windows/windows-10/release-information)
[Windows 10 Specifications & Systems Requirements](https://www.microsoft.com/windows/windows-10-specifications)
[Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md)
-[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
\ No newline at end of file +[Windows 10 deployment tools](windows-deployment-scenarios-and-tools.md)
From 7084a1b5cd3c2cdd32825da79349205127f25bcf Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Dec 2021 12:21:20 -0800 Subject: [PATCH 31/62] Update tpm-fundamentals.md --- .../security/information-protection/tpm/tpm-fundamentals.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 148803140c..0ee935611c 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -15,7 +15,7 @@ ms.collection: - M365-security-compliance - highpri ms.topic: conceptual -ms.date: 09/06/2021 +ms.date: 12/27/2021 --- # TPM fundamentals @@ -23,7 +23,7 @@ ms.date: 09/06/2021 **Applies to** - Windows 10 - Windows 11 -- Windows Server 2016 and above +- Windows Server 2016 and later This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. From 66a8d6a9c847ebabc63a5b8b70105bf226a2634c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Dec 2021 12:22:39 -0800 Subject: [PATCH 32/62] Update windows/security/information-protection/tpm/tpm-fundamentals.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/security/information-protection/tpm/tpm-fundamentals.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md index 0ee935611c..972a59fcc1 100644 --- a/windows/security/information-protection/tpm/tpm-fundamentals.md +++ b/windows/security/information-protection/tpm/tpm-fundamentals.md @@ -126,7 +126,7 @@ Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years. -Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, (Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0)[/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20] GPO should be enabled. +Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20). ### TPM-based smart cards From eaba412c54f9eeaada488b0edc367e1e3582a7fa Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 27 Dec 2021 12:24:33 -0800 Subject: [PATCH 33/62] Update credential-guard-requirements.md --- .../credential-guard/credential-guard-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index 3b6e597559..4762a25d8b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -14,7 +14,7 @@ ms.collection: - M365-identity-device-management - highpri ms.topic: article -ms.date: 12/16/2021 +ms.date: 12/27/2021 --- # Windows Defender Credential Guard: Requirements From 003a754dd223f50919de154eb2af08b237876b30 Mon Sep 17 00:00:00 2001 From: v-dihans Date: Mon, 27 Dec 2021 17:00:58 -0700 Subject: [PATCH 34/62] update image file names --- ...ew_blade.PNG => UC-workspace-overview-blade.PNG} | Bin ...ew_blade.png => uc-workspace-overview-blade.png} | Bin 2 files changed, 0 insertions(+), 0 deletions(-) rename windows/deployment/images/{UC_workspace_overview_blade.PNG => UC-workspace-overview-blade.PNG} (100%) rename windows/deployment/update/images/{uc_workspace_overview_blade.png => uc-workspace-overview-blade.png} (100%) diff --git a/windows/deployment/images/UC_workspace_overview_blade.PNG b/windows/deployment/images/UC-workspace-overview-blade.PNG similarity index 100% rename from windows/deployment/images/UC_workspace_overview_blade.PNG rename to windows/deployment/images/UC-workspace-overview-blade.PNG diff --git a/windows/deployment/update/images/uc_workspace_overview_blade.png b/windows/deployment/update/images/uc-workspace-overview-blade.png similarity index 100% rename from windows/deployment/update/images/uc_workspace_overview_blade.png rename to windows/deployment/update/images/uc-workspace-overview-blade.png From daffe60f33ff9991457f2b4829df7213749d4557 Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 27 Dec 2021 17:05:52 -0700 Subject: [PATCH 35/62] Update update-compliance-using.md --- windows/deployment/update/update-compliance-using.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md index 6aa6b4a6de..3537d1c157 100644 --- a/windows/deployment/update/update-compliance-using.md +++ b/windows/deployment/update/update-compliance-using.md @@ -51,7 +51,7 @@ When you select this tile, you will be redirected to the Update Compliance works ### Overview blade -![The Overview blade.](images/UC_workspace_overview_blade.png) +![The Overview blade.](images/uc-workspace-overview-blade.png) Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. From a8cea7e8f39b79cfb20d0936548b76a5dd3581f1 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 29 Dec 2021 11:15:41 +0530 Subject: [PATCH 36/62] Revert "Update policy-csp-update.md" This reverts commit 6d7c16916d7574104182fe6860e299c931240943. --- .../mdm/policy-csp-update.md | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index c5c1634341..3cb2aee082 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1438,6 +1438,82 @@ Default value is 7.
+ +**Update/ConfigureDeadlineGracePeriod** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates),allows the admin to specify a minimum number of days until restarts occur automatically for quality updates. Setting the grace period might extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the default value of 2 will be used. + + + +ADMX Info: +- GP Friendly name: *Specify deadlines for automatic updates and restarts* +- GP name: *ConfigureDeadlineGracePeriod* +- GP element: *ConfigureDeadlineGracePeriod* +- GP path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required quality update. + +Default value is 2. + + + + + + + + + +
**Update/ConfigureDeadlineGracePeriodForFeatureUpdates** From a62084080df405af427486ecc4af50baaf8ab1af Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 29 Dec 2021 15:04:56 +0500 Subject: [PATCH 37/62] Correction in the sentance As there was confusion in the sentence, I have corrected this as WSL is available from build 19041 and higher. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10146 --- windows/whats-new/ltsc/whats-new-windows-10-2021.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md index 6364bc3fd1..ac90bf888f 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md @@ -237,7 +237,7 @@ Microsoft Edge kiosk mode offers two lockdown experiences of the browser so orga ## Windows Subsystem for Linux -Windows Subsystem for Linux (WSL) is be available in-box. +Windows Subsystem for Linux (WSL) is available in-box. ## Networking From 7df61c5643b2381a5b433ccb9cb64ced6880042f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 29 Dec 2021 11:32:06 -0800 Subject: [PATCH 38/62] Update policy-csp-defender.md --- windows/client-management/mdm/policy-csp-defender.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index b062db74a9..d8c5c80c8c 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 01/08/2020 +ms.date: 12/29/2021 ms.reviewer: manager: dansimp ms.collection: highpri From 6eb3154a08d2dba2f155e3681e5b1d0f38bcd837 Mon Sep 17 00:00:00 2001 From: takondo Date: Thu, 30 Dec 2021 05:07:17 +0900 Subject: [PATCH 39/62] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 1. Fix typo in "Notes" section under "Possible values" and add wording to make condition clearer. 2. This setting is enabled by default on Windows 10 1607 and newer. Make changes accordingly. 3. Update [Best practices]. Currently, the [best practices] state that the policy should be disabled. However, this is the best practice from Server 2008 R2 era and is old suggestion. The [Security considerations] section addresses this and specifies that the policy should be enabled for hybrid environments, but the [Best practices] section has not been updated. --- ...requests-to-this-computer-to-use-online-identities.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 7b4fd7fe4b..b41c905d78 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -34,14 +34,14 @@ When devices are configured to accept authentication requests by using online ID > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 and later. +This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 up to Windows 10 1607. This policy is enabled by default on Windows 10 1607 and newer. ### Possible values - **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!NOTE] - > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. + > PKU2U is disabled by default on Windows Server. If PKU2U is disabled, Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. - **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. @@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This would dis ### Best practices -Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate. +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD joined environments. ### Location @@ -66,7 +66,8 @@ The following table lists the effective default values for this policy. Default | Stand-alone server default settings | Not defined| | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| -| Effective GPO default settings on client computers | Disabled| +| Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| +| Effective GPO default settings on client computers Windows 10 1607 and newer | Enabled| ## Security considerations From 8a8fe69b27584a821a6c0cfc7a28052c71f4b0e6 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 31 Dec 2021 09:55:22 +0500 Subject: [PATCH 40/62] Update quick-assist.md --- windows/client-management/quick-assist.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 0cca91cc74..6407654e40 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -19,6 +19,9 @@ Quick Assist is a Windows application that enables a person to share their devic All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate. +> [!NOTE] +> In case helper and sharer use different keyboard layouts or mouse settings, the ones from sharer are used during the session. + ### Authentication The helper can authenticate when they sign in by using a Microsoft Account (MSA) or Azure Active Directory. Local Active Directory authentication is not supported at this time. From a9289ad95f211dd7021eb3f3fa63244fb52db5f9 Mon Sep 17 00:00:00 2001 From: v-chodges <96920257+v-chodges@users.noreply.github.com> Date: Fri, 31 Dec 2021 10:49:56 -0600 Subject: [PATCH 41/62] Edit Notes: ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_ASSignatureDue It is recommended not to set the value below 2 days to avoid machines to go out of date. --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index ea7d8bca47..fba7c6f419 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3693,6 +3693,8 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. +It is recommended not to set the value below 2 days to avoid machines to go out of date. + If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update. From ffcfb6ca644c80a37ee4ff6a3d6a6d5581a55fec Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 1 Jan 2022 07:07:23 +0500 Subject: [PATCH 42/62] Update in the document As intune is now the Endpoint protection manager, so updated the content. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10173 --- ...ll-a-windows-10-device-automatically-using-group-policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index c77b8f6df6..238ff184f9 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -50,11 +50,11 @@ For this policy to work, you must verify that the MDM service provider allows th To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: -1. Verify that the user who is going to enroll the device has a valid Intune license. +1. Verify that the user who is going to enroll the device has a valid Endpoint Portection Manager license. :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: -2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). +2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Mobile Device Management (MDM). For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png) From 5e39f46a6950dbd73bcd4002c85f8ed92d3eaa91 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 2 Jan 2022 10:04:25 +0500 Subject: [PATCH 43/62] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 238ff184f9..9fa74b61f9 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -50,7 +50,7 @@ For this policy to work, you must verify that the MDM service provider allows th To ensure that the auto-enrollment feature is working as expected, you must verify that various requirements and settings are configured correctly. The following steps demonstrate required settings using the Intune service: -1. Verify that the user who is going to enroll the device has a valid Endpoint Portection Manager license. +1. Verify that the user who is going to enroll the device has a valid Endpoint Protection Manager license. :::image type="content" alt-text="Intune license verification." source="images/auto-enrollment-intune-license-verification.png" lightbox="images/auto-enrollment-intune-license-verification.png"::: From 4af655ff21e345b79adecc33bbd1486a6c85a5ea Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 3 Jan 2022 12:16:24 +0530 Subject: [PATCH 44/62] Update --- windows/client-management/mdm/policy-csp-update.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3cb2aee082..35224e6be7 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1582,6 +1582,7 @@ ADMX Info: Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update. Default value is 2. + From ff2ede5e39589e68a2e10b70e10a248d966c4a5a Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 3 Jan 2022 13:27:01 +0530 Subject: [PATCH 45/62] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 35224e6be7..1fab3d2f18 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -271,7 +271,7 @@ manager: dansimp -Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. +Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12-hour maximum from start time. > [!NOTE] > The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. @@ -414,7 +414,7 @@ ADMX Info: -Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. +Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12-hour maximum from end time. > [!NOTE] > The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. @@ -506,8 +506,8 @@ ADMX Info: The following list shows the supported values: -- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that do not shut down properly on restart.user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. - 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. From f834eca6654df5316a86d4e615fe5ae804a1fe63 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 3 Jan 2022 15:15:14 +0530 Subject: [PATCH 46/62] Update policy-csp-update.md --- .../mdm/policy-csp-update.md | 24 +++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 3a15308984..42de3444a7 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1128,6 +1128,14 @@ Default value is 2. +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| +
@@ -1142,6 +1150,22 @@ Default value is 2. +When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. + + + +ADMX Info: +- GP Friendly name: *Specify deadlines for automatic updates and restarts* +- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates* +- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates* +- GP path: *Administrative Templates\Windows Components\WindowsUpdate* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Supports a numeric value from 0-7, which indicates the minimum number of days a device will wait before it restarts automatically after installing a required feature update. + +Default value is 2. From f61aa2010aac7960a3099b1ab0622d99c532fb4c Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 3 Jan 2022 13:21:47 +0200 Subject: [PATCH 47/62] Update description https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8840 --- windows/security/threat-protection/auditing/event-4625.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 61e190ba1a..548b217e6d 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out. +This event is logged for any logon failure. It generates on the computer where logon attempt was made, for example, if logon attempt was made on user’s workstation, then event will be logged on this workstation. @@ -293,4 +293,4 @@ For 4625(F): An account failed to log on. | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. | | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This issue is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. | - | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | \ No newline at end of file + | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. | From 9d93b1f9da96d49263654fc185e43ce24d686f11 Mon Sep 17 00:00:00 2001 From: v-chodges <96920257+v-chodges@users.noreply.github.com> Date: Mon, 3 Jan 2022 08:49:56 -0600 Subject: [PATCH 48/62] Update windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index fba7c6f419..e8f77fefa1 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3693,7 +3693,7 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. -It is recommended not to set the value below 2 days to avoid machines to go out of date. +We do not recommend setting the value below two days to avoid machines going out of date. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. From 4329df31d1c583c512a076d3da820ee3b511e879 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 00:17:57 +0530 Subject: [PATCH 49/62] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 42de3444a7..054a69cf8a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1150,7 +1150,7 @@ Default value is 2. -When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates), allows the admin to specify a minimum number of days until restarts occur automatically for feature updates. Setting the grace period may extend the effective deadline set by the deadline policy. If [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) is configured but this policy is not, then the value from [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod) will be used; if that policy is also not configured, then the default value of 2 will be used. From 07db9f0fcfdb2b25bfb7e68842c0c914b416edd5 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 00:29:49 +0530 Subject: [PATCH 50/62] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 054a69cf8a..18b041249a 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1203,7 +1203,7 @@ Default value is 2. -When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart. +When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates), devices will delay automatically restarting until both the deadline and grace period have expired, even if applicable updates are already installed and pending a restart. When disabled, if the device has installed updates and is outside of active hours, it might attempt an automatic restart before the deadline. From 8b920d8805e84f941e89d44857a84dd56550def5 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:13:43 -0800 Subject: [PATCH 51/62] Update event-4625.md --- windows/security/threat-protection/auditing/event-4625.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 548b217e6d..44603fc006 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.localizationpriority: none author: dansimp -ms.date: 09/07/2021 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp ms.author: dansimp From 09ef58e0256c540f2ad52efa512e7d884637b013 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:17:25 -0800 Subject: [PATCH 52/62] Update enroll-a-windows-10-device-automatically-using-group-policy.md --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 9fa74b61f9..1bb3dbc3a7 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 12/03/2021 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp ms.collection: highpri From cd460bcaeb13386e9262ef74fd1fd039d1cde03f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:19:15 -0800 Subject: [PATCH 53/62] Update policy-csp-admx-microsoftdefenderantivirus.md --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index e8f77fefa1..08bfd199f0 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 12/02/2020 +ms.date: 01/03/2022 ms.reviewer: manager: dansimp --- From 7c8ae05545f782609276cab7aff3b1acae60fd0e Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:20:40 -0800 Subject: [PATCH 54/62] Update policy-csp-admx-microsoftdefenderantivirus.md --- .../mdm/policy-csp-admx-microsoftdefenderantivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 08bfd199f0..f115057a2b 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3693,7 +3693,7 @@ ADMX Info: This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days. -We do not recommend setting the value below two days to avoid machines going out of date. +We do not recommend setting the value to less than 2 days to prevent machines from going out of date. If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update. From 305cc2e50f3eb711a3db8bb8cf4899fd889268dd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:21:46 -0800 Subject: [PATCH 55/62] Update windows/client-management/quick-assist.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/quick-assist.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 6407654e40..f63400cfaf 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -20,7 +20,7 @@ Quick Assist is a Windows application that enables a person to share their devic All that's required to use Quick Assist is suitable network and internet connectivity. No particular roles, permissions, or policies are involved. Neither party needs to be in a domain. The helper must have a Microsoft account. The sharer doesn’t have to authenticate. > [!NOTE] -> In case helper and sharer use different keyboard layouts or mouse settings, the ones from sharer are used during the session. +> In case the helper and sharer use different keyboard layouts or mouse settings, the ones from the sharer are used during the session. ### Authentication From 5cc0c739b032790e5c3a2675b1516de531de7dfe Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:15 -0800 Subject: [PATCH 56/62] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index b41c905d78..4767297d8b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -34,7 +34,7 @@ When devices are configured to accept authentication requests by using online ID > [!NOTE] > Linking online IDs can be performed by anyone who has an account that has standard user’s credentials through Credential Manager. -This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers in Windows 7 up to Windows 10 1607. This policy is enabled by default on Windows 10 1607 and newer. +This policy isn't configured by default on domain-joined devices. This would disallow the online identities to authenticate to domain-joined computers from Windows 7 up to Windows 10, Version 1607. This policy is enabled by default in Windows 10, Version 1607, and later. ### Possible values From a45b1464f64435acda70de9d1c25373d3b18a98f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:33 -0800 Subject: [PATCH 57/62] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 4767297d8b..5dbbd249c2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -67,7 +67,7 @@ The following table lists the effective default values for this policy. Default | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| | Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| -| Effective GPO default settings on client computers Windows 10 1607 and newer | Enabled| +| Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled| ## Security considerations From a4505b95a7dd99ac0aa17d3b3167b685c78c8ff2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:39 -0800 Subject: [PATCH 58/62] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 5dbbd249c2..cef443df16 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -66,7 +66,7 @@ The following table lists the effective default values for this policy. Default | Stand-alone server default settings | Not defined| | Domain controller effective default settings | Disabled| | Member server effective default settings | Disabled| -| Effective GPO default settings on client computers prior to Windows 10 1607 | Disabled| +| Effective GPO default settings on client computers prior to Windows 10, Version 1607 | Disabled| | Effective GPO default settings on client computers Windows 10, Version 1607 and later| Enabled| ## Security considerations From 69a58e1afe6c0181e4cbc9e0b690622935fe75dd Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:23:46 -0800 Subject: [PATCH 59/62] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index cef443df16..17e7ba0bfb 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -49,7 +49,7 @@ This policy isn't configured by default on domain-joined devices. This would dis ### Best practices -Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD joined environments. +Within a domain, domain accounts should be used for authentication. Set this policy to **Disabled** or don't configure this policy to exclude online identities from being used to authenticate for on-premises only environments. Set this policy to **Enabled** for hybrid and Azure AD-joined environments. ### Location From 2af534ff2d4c9b7c99a58e75da592ad8d3fe7f53 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 3 Jan 2022 11:24:32 -0800 Subject: [PATCH 60/62] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 17e7ba0bfb..e89957070a 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 01/03/2022 ms.technology: windows-sec --- From bc51f80df3a28b7dcae913e13ff1e7afc6ca443c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Mon, 3 Jan 2022 12:08:54 -0800 Subject: [PATCH 61/62] updating download link --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e5f880e174..d4c8f8e591 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -31,7 +31,7 @@ ms.technology: privacy This article describes the network connections that Windows 10 and Windows 11 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://download.microsoft.com/download/D/9/0/D905766D-FEDA-43E5-86ED-8987CEBD8D89/WindowsRTLFB.zip) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 and Windows 11 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](/troubleshoot/windows-client/group-policy/create-and-manage-central-store) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. > [!IMPORTANT] > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. From 94656af0051564618c6705b00962671fee4544e1 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 4 Jan 2022 08:06:18 -0800 Subject: [PATCH 62/62] Update policy-csp-notifications.md update sensitive language term --- windows/client-management/mdm/policy-csp-notifications.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 3be6f32d76..f2a1383e75 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -265,7 +265,7 @@ This policy setting determines which Windows Notification Service endpoint will If you disable or do not configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com. -Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also whitelisted from your firewall settings. +Note: Ensure the proper WNS FQDNs, VIPs, IPs and Ports are also allowlisted from your firewall settings. @@ -284,4 +284,4 @@ If the policy is not specified, we will default our connection to client.wns.win
- \ No newline at end of file +