deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 05:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into do_docs_12_22

Browse Source
This commit is contained in:
Carmen Forsmann 2023-02-09 09:27:25 -07:00 committed by GitHub
commit 906bf4c753
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
49 changed files with 1189 additions and 344 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
.openpublishing.redirection.json
View File

@ -19463,7 +19463,7 @@
{
"source_path": "windows/security/threat-protection/intelligence/rootkits-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/rootkits-malware",
"redirect_document_id": false
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/intelligence/safety-scanner-download.md",
@ -20114,7 +20114,7 @@
"source_path": "windows/deployment/update/update-compliance-v2-enable.md",
"redirect_url": "/windows/deployment/update/wufb-reports-enable",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/update/update-compliance-v2-help.md",
"redirect_url": "/windows/deployment/update/wufb-reports-help",
@ -20124,22 +20124,22 @@
"source_path": "windows/deployment/update/update-compliance-v2-overview.md",
"redirect_url": "/windows/deployment/update/wufb-reports-overview",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/update/update-compliance-v2-prerequisites.md",
"redirect_url": "/windows/deployment/update/wufb-reports-prerequisites",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucclient.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclient",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus",
@ -20149,17 +20149,17 @@
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucdevicealert",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucupdatealert",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/update/update-compliance-v2-schema.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema",
@ -20194,7 +20194,7 @@
"source_path": "windows/deployment/planning/features-lifecycle.md",
"redirect_url": "/windows/whats-new/feature-lifecycle",
"redirect_document_id": false
},
},
{
"source_path": "windows/deployment/planning/windows-10-deprecated-features.md",
"redirect_url": "/windows/whats-new/deprecated-features",
@ -20205,7 +20205,7 @@
"redirect_url": "/windows/whats-new/removed-features",
"redirect_document_id": false
},
{
{
"source_path": "windows/deployment/usmt/usmt-common-issues.md",
"redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues",
"redirect_document_id": false
@ -20449,6 +20449,76 @@
"source_path": "windows/security/identity-protection/hello-for-business/hello-event-300.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/hello-faq",
"redirect_document_id": false
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md",
"redirect_url": "/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report",
"redirect_document_id": true
},
{
"source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md",
"redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",
"redirect_document_id": true
},
{
"source_path": "windows/client-management/mdm/policy-ddf-file.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
"redirect_document_id": true
}
]
}

7
education/windows/windows-11-se-overview.md
View File

@ -93,6 +93,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Class Policy` | 114.0.0 | Win32 | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
@ -104,7 +105,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` |
| `Google Chrome` | 109.0.5414.75 | Win32 | `Google` |
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` |
@ -137,10 +138,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` |
| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development`
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.23 | Win32 | `Mathetmots` |

8
windows/client-management/change-history-for-mdm-documentation.md
View File

@ -185,7 +185,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.|
|[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
|[Policy DDF file](mdm/policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:<li>Browser/AllowFullScreenMode<li>Browser/AllowPrelaunch<li>Browser/AllowPrinting<li>Browser/AllowSavingHistory<li>Browser/AllowSideloadingOfExtensions<li>Browser/AllowTabPreloading<li>Browser/AllowWebContentOnNewTabPage<li>Browser/ConfigureFavoritesBar<li>Browser/ConfigureHomeButton<li>Browser/ConfigureKioskMode<li>Browser/ConfigureKioskResetAfterIdleTimeout<li>Browser/ConfigureOpenMicrosoftEdgeWith<li>Browser/ConfigureTelemetryForMicrosoft365Analytics<li>Browser/PreventCertErrorOverrides<li>Browser/SetHomeButtonURL<li>Browser/SetNewTabPageURL<li>Browser/UnlockHomeButton<li>Experience/DoNotSyncBrowserSettings<li>Experience/PreventUsersFromTurningOnBrowserSyncing<li>Kerberos/UPNNameHints<li>Privacy/AllowCrossDeviceClipboard<li>Privacy<li>DisablePrivacyExperience<li>Privacy/UploadUserActivities<li>System/AllowDeviceNameInDiagnosticData<li>System/ConfigureMicrosoft365UploadEndpoint<li>System/DisableDeviceDelete<li>System/DisableDiagnosticDataViewer<li>Storage/RemovableDiskDenyWriteAccess<li>Update/UpdateNotificationLevel<br/><br/>Start/DisableContextMenus - added in Windows 10, version 1803.<br/><br/>RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
## July 2018
@ -217,7 +217,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|New or updated article|Description|
|--- |--- |
|[Policy DDF file](mdm/policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
## April 2018
@ -281,7 +281,7 @@ As of November 2020 This page will no longer be updated. This article lists new
| New or updated article | Description |
| --- | --- |
| [Policy DDF file](mdm/policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
| [Policy DDF file](mdm/configuration-service-provider-ddf.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:<br/><br/>- Defender/ControlledFolderAccessAllowedApplications - string separator is `|` <br/>- Defender/ControlledFolderAccessProtectedFolders - string separator is `|` |
| [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
| [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. |
@ -313,5 +313,5 @@ As of November 2020 This page will no longer be updated. This article lists new
|[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:<li>Installation/CurrentStatus|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
|[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.<li>Changed some data types from integer to bool.<li>Updated the list of supported operations for some settings.<li>Added default values.|
|[Policy DDF file](mdm/policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:<li>Browser/AllowMicrosoftCompatibilityList<li>Update/DisableDualScan<li>Update/FillEmptyContentUrls|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:<li>Browser/ProvisionFavorites<li>Browser/LockdownFavorites<li>ExploitGuard/ExploitProtectionSettings<li>Games/AllowAdvancedGamingServices<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations<li>Privacy/EnableActivityFeed<li>Privacy/PublishUserActivities<li>Update/DisableDualScan<li>Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork<br/><br/>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.<br/><br/>Changed the names of the following policies:<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess<br/><br/>Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).<br/><br/>There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts<li>Start/HideAppList|

581
windows/client-management/mdm/configuration-service-provider-ddf.md
View File

@ -1,7 +1,7 @@
---
title: Configuration service provider DDF files
description: Learn more about the OMA DM device description framework (DDF) for various configuration service providers
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@ -14,9 +14,571 @@ ms.collection: highpri
# Configuration service provider DDF files
This topic shows the OMA DM device description framework (DDF) for various configuration service providers. DDF files are used only with OMA DM provisioning XML.
This article lists the OMA DM device description framework (DDF) files for various configuration service providers. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files for various CSPs from the links below:
As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
## DDF v2 schema
DDF v2 XML schema definition is listed below along with the schema definition for the referenced `MSFT` namespace.
- Schema definition for DDF v2:
```xml
<?xml version="1.0" encoding="Windows-1252"?>
<xs:schema xmlns="http://tempuri.org/DM_DDF-V1_2" elementFormDefault="qualified" targetNamespace="http://tempuri.org/DM_DDF-V1_2"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<xs:import schemaLocation="DDFv2Msft.xsd" namespace="http://schemas.microsoft.com/MobileDevice/DM" />
<xs:element name="MgmtTree">
<xs:annotation>
<xs:documentation>Starting point for DDF</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="VerDTD" />
<xs:element minOccurs="1" ref="MSFT:Diagnostics" />
<xs:element minOccurs="1" maxOccurs="unbounded" ref="Node" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="VerDTD" type="xs:string" />
<xs:element name="Node">
<xs:annotation>
<xs:documentation>Main Recurring XML tag describing nodes of the CSP</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="NodeName" />
<xs:element minOccurs="0" maxOccurs="1" ref="Path" />
<xs:element minOccurs="1" maxOccurs="1" ref="DFProperties" />
<xs:choice>
<xs:element minOccurs="0" maxOccurs="unbounded" ref="Node" />
</xs:choice>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="NodeName" type="xs:anyURI" />
<xs:element name="Path" type="xs:anyURI" />
<xs:element name="MIME" type="xs:string" />
<xs:element name="DDFName" type="xs:string" />
<xs:element name="DFProperties">
<xs:complexType>
<xs:sequence>
<xs:element ref="AccessType" />
<xs:element minOccurs="0" maxOccurs="1" ref="DefaultValue" />
<xs:element minOccurs="0" maxOccurs="1" ref="Description" />
<xs:element ref="DFFormat" />
<xs:element minOccurs="0" maxOccurs="1" ref="Occurrence" />
<xs:element minOccurs="0" maxOccurs="1" ref="Scope" />
<xs:element minOccurs="0" maxOccurs="1" ref="DFTitle" />
<xs:element ref="DFType" />
<xs:element minOccurs="0" maxOccurs="1" ref="CaseSense" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:Applicability" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:DynamicNodeNaming" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:AllowedValues" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:ReplaceBehavior" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:RebootBehavior" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:GpMapping" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:CommonErrorResults" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:Deprecated" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:DependencyBehavior" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:ConflictResolution" />
<xs:element minOccurs="0" maxOccurs="1" ref="MSFT:AtomicRequired" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AccessType">
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="1" name="Add" />
<xs:element minOccurs="0" maxOccurs="1" name="Copy" />
<xs:element minOccurs="0" maxOccurs="1" name="Delete" />
<xs:element minOccurs="0" maxOccurs="1" name="Exec" />
<xs:element minOccurs="0" maxOccurs="1" name="Get" />
<xs:element minOccurs="0" maxOccurs="1" name="Replace" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="DefaultValue" type="xs:string" />
<xs:element name="Description" type="xs:string" />
<xs:element name="DFFormat">
<xs:complexType>
<xs:choice>
<xs:element name="b64" />
<xs:element name="bin" />
<xs:element name="bool" />
<xs:element name="chr" />
<xs:element name="int" />
<xs:element name="node" />
<xs:element name="null" />
<xs:element name="xml" />
<xs:element name="date" />
<xs:element name="time" />
<xs:element name="float" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="Occurrence">
<xs:complexType>
<xs:choice>
<xs:element name="One" />
<xs:element name="ZeroOrOne" />
<xs:element name="ZeroOrMore" />
<xs:element name="OneOrMore" />
<xs:element name="ZeroOrN" type="xs:integer" />
<xs:element name="OneOrN" type="xs:integer" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="Scope">
<xs:complexType>
<xs:choice>
<xs:element name="Permanent" />
<xs:element name="Dynamic" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="DFTitle" type="xs:string" />
<xs:element name="DFType">
<xs:complexType>
<xs:choice>
<xs:element minOccurs="1" maxOccurs="unbounded" ref="MIME" />
<xs:element ref="DDFName" />
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="CaseSense">
<xs:complexType>
<xs:choice>
<xs:element name="CS" />
<xs:element name="CIS" />
</xs:choice>
</xs:complexType>
</xs:element>
</xs:schema>
```
- Schema definition for the `MSFT` namespace:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema elementFormDefault="qualified" xmlns="http://schemas.microsoft.com/MobileDevice/DM" targetNamespace="http://schemas.microsoft.com/MobileDevice/DM" xmlns:xs="http://www.w3.org/2001/XMLSchema">
<xs:element name="Diagnostics" type="xs:string">
<xs:annotation>
<xs:documentation>This node contains an XML blob that can be used as an argument to the DiagnosticsLogCSP to pull diagnostics for a feature.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Deprecated">
<xs:annotation>
<xs:documentation>This node marks that a feature is deprecated. If included, OsBuildDeprecated gives the OS Build version that the node is no longer recommended to be set.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="OsBuildDeprecated" type="xs:string" />
</xs:complexType>
</xs:element>
<xs:element name="DynamicNodeNaming">
<xs:annotation>
<xs:documentation>This node contains information on how to dynamically name the node such that the name is valid.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:choice>
<xs:element name="ServerGeneratedUniqueIdentifier">
<xs:annotation>
<xs:documentation>This indicates that the server should generate a unique identifier for the node.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="ClientInventory">
<xs:annotation>
<xs:documentation>This indicates that the client will generate the name of the node based on the device state (such as inventorying apps).</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="UniqueName" type="xs:string">
<xs:annotation>
<xs:documentation>This indicates that the server should name the node, and the value listed gives a regex to define what is allowed.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:choice>
</xs:complexType>
</xs:element>
<xs:element name="ConflictResolution" default="NoMerge">
<xs:simpleType>
<xs:annotation>
<xs:documentation>The type of the conflict resolution.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="NoMerge">
<xs:annotation>
<xs:documentation>No policy merge.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LowestValueMostSecure">
<xs:annotation>
<xs:documentation>The lowest value is the most secure policy value.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HighestValueMostSecure">
<xs:annotation>
<xs:documentation>The highest value is the most secure policy value.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LastWrite">
<xs:annotation>
<xs:documentation>The last written value is current value</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="LowestValueMostSecureZeroHasNoLimits">
<xs:annotation>
<xs:documentation>The lowest value is the most secure policy value unless the value is zero.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HighestValueMostSecureZeroHasNoLimits">
<xs:annotation>
<xs:documentation>The highest value is the most secure policy value unless the value is zero.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="Applicability">
<xs:annotation>
<xs:documentation>These tags indicate what are required on the device for the node to be applicable to configured. These tags can be inherited by children nodes.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="1" name="OsBuildVersion" type="xs:string">
<xs:annotation>
<xs:documentation>This tag describes the first build that a feature is released to. If the feature was backported, multiple OS versions will be listed, such that the OS build version without a minor number is the first "major release."</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="CspVersion" type="xs:decimal">
<xs:annotation>
<xs:documentation>This tag describes the lowest CSP Version that the node was released to.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="EditionAllowList" type="xs:string">
<xs:annotation>
<xs:documentation>This tag describes the list of Edition IDs that the features is allowed on. 0x88* refers to Windows Holographic for Business.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="RequiresAzureAd">
<xs:annotation>
<xs:documentation>This tag indicates that the node requires the device to be Azure Active Directory Joined to be applicable.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AllowedValues">
<xs:annotation>
<xs:documentation>These tags describe what values are allowed to be set for this particular node.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:group ref="AllowedValuesGroup" />
<xs:attributeGroup ref="AllowedValuesAttributeGroup" />
</xs:complexType>
</xs:element>
<xs:attributeGroup name="AllowedValuesAttributeGroup">
<xs:attribute name="ValueType" use="required">
<xs:annotation>
<xs:documentation>This attribute describes what kind of Allowed Values tag this is.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="XSD">
<xs:annotation>
<xs:documentation>This attribute indicates that the Value tag contains an XSD for the node.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="RegEx">
<xs:annotation>
<xs:documentation>This attribute indicates that the Value tag contains a RegEx for the node.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="ADMX">
<xs:annotation>
<xs:documentation>This attribute indicates that the node can be described by an external ADMX file.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="JSON">
<xs:annotation>
<xs:documentation>This attribute indicates that the node can be described by a JSON schema.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="ENUM">
<xs:annotation>
<xs:documentation>This attribute indicates that the allowed values are an enumeration.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Flag">
<xs:annotation>
<xs:documentation>This attribute indicates that the allowed values can be combined into a bitwise flag.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Range">
<xs:annotation>
<xs:documentation>This attribute indicates that the allowed values are a numerical range.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="SDDL">
<xs:annotation>
<xs:documentation>This attribute indicates that the allowed values are a string in the SDDL format.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="None">
<xs:annotation>
<xs:documentation>This attribute indicates there is no data-driven way to define the allowed values of the node. This potentially means that all string values are valid values.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:attributeGroup>
<xs:group name="AllowedValuesGroup">
<xs:sequence>
<xs:group minOccurs="0" maxOccurs="1" ref="AllowedValueGroupedNodes" />
<xs:element minOccurs="0" maxOccurs="1" name="List">
<xs:annotation>
<xs:documentation>This tag indicates that the node input can contain multiple, delimited values.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="Delimiter" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute details the delimeter used for the list of values.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:group>
<xs:group name="ValueAndDescriptionGroup">
<xs:sequence>
<xs:element name="Value" type="xs:string">
<xs:annotation>
<xs:documentation>This tag indicates an allowed value.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element minOccurs="0" maxOccurs="1" name="ValueDescription" type="xs:string">
<xs:annotation>
<xs:documentation>This tag gives further description to an allowed value, such as for an enumeration.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:group>
<xs:group name="AllowedValueGroupedNodes">
<xs:choice>
<xs:element ref="Enum" maxOccurs="unbounded" />
<xs:group ref="ValueAndDescriptionGroup" />
<xs:element ref="AdmxBacked" />
</xs:choice>
</xs:group>
<xs:element name="Enum">
<xs:annotation>
<xs:documentation>This tag gives details for one particular enumeration of the allowed values.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:group ref="ValueAndDescriptionGroup" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AdmxBacked">
<xs:annotation>
<xs:documentation>This tag indicates the relevent details for the corresponding ADMX policy for this node.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="Area" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute gives the area path of the ADMX policy.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Name" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute gives the name of the ADMX policy.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="File" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute gives the filename for the ADMX policy.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="ReplaceBehavior" default="Replace">
<xs:annotation>
<xs:documentation>This tag details the replace behavior of the node.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="Append">
<xs:annotation>
<xs:documentation>When performing a replace operation on this node, the value is appending to the existing node data.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Replace">
<xs:annotation>
<xs:documentation>When performing a replace operation on this node, the existing node data is removed before new data is added.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="RebootBehavior" default="None">
<xs:annotation>
<xs:documentation>This tag describes the reboot behavior of the node.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="None">
<xs:annotation>
<xs:documentation>No reboot is required for this node.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Automatic">
<xs:annotation>
<xs:documentation>This node will automatically perform a reboot to take effect.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="ServerInitiated">
<xs:annotation>
<xs:documentation>This node needs a reboot initiated from an external source to take effect.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="GpMapping">
<xs:annotation>
<xs:documentation>This tag details the information necessary to map this node to an existing group policy.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:attribute name="GpEnglishName" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute details the English name of the GP.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="GpAreaPath" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute details the area path of the GP.</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="GpElement" type="xs:string">
<xs:annotation>
<xs:documentation>This attribute details a particular element of a GP that the CSP node maps to.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="CommonErrorResults">
<xs:annotation>
<xs:documentation>This tag lists out common error HRESULTS reported by the CSP and English text to associate with them.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="CommonErrorOne" type="xs:string" />
<xs:element name="CommonErrorTwo" type="xs:string" />
<xs:element name="CommonErrorThree" type="xs:string" />
<xs:element name="CommonErrorFour" type="xs:string" />
<xs:element name="CommonErrorFive" type="xs:string" />
<xs:element name="CommonErrorSix" type="xs:string" />
<xs:element name="CommonErrorSeven" type="xs:string" />
<xs:element name="CommonErrorEight" type="xs:string" />
<xs:element name="CommonErrorNine" type="xs:string" />
<xs:element name="CommonErrorTen" type="xs:string" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AtomicRequired">
<xs:annotation>
<xs:documentation>This tag indicates that this node and all children nodes should be enclosed by an Atomic tag when being sent to the client.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="DependencyBehavior">
<xs:annotation>
<xs:documentation>These tags detail potential dependencies that the current CSP node has on other nodes in the same CSP.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="DependencyGroup" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Dependency">
<xs:annotation>
<xs:documentation>This tag describes a dependency that the current CSP node has on another nodes in the same CSP.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element name="DependencyUri" type="xs:anyURI">
<xs:annotation>
<xs:documentation>The URI that the current CSP node has a dependency on.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element ref="DependencyAllowedValue" />
</xs:sequence>
<xs:attribute name="Type" use="required">
<xs:annotation>
<xs:documentation>This tag details the kind of dependency.</xs:documentation>
</xs:annotation>
<xs:simpleType>
<xs:restriction base="xs:string">
<xs:enumeration value="DependsOn">
<xs:annotation>
<xs:documentation>The current node depends on the dependency holding a certain value.</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Not">
<xs:annotation>
<xs:documentation>The current node depends on the dependency not holding a certain value.</xs:documentation>
</xs:annotation>
</xs:enumeration>
</xs:restriction>
</xs:simpleType>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="DependencyGroup">
<xs:annotation>
<xs:documentation>This tag details one specific dependency. A node might have multiple different dependencies.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element minOccurs="0" maxOccurs="1" ref="DependencyChangedAllowedValues" />
<xs:element ref="Dependency" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="FriendlyId" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>This attribute gives a friendly ID to the dependency, to differentiate it from other dependencies.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
<xs:element name="DependencyAllowedValue">
<xs:annotation>
<xs:documentation>This tag details the values that the dependency must be set to for the dependency to be satisfied.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:group ref="AllowedValuesGroup" />
<xs:attributeGroup ref="AllowedValuesAttributeGroup" />
</xs:complexType>
</xs:element>
<xs:element name="DependencyChangedAllowedValues">
<xs:annotation>
<xs:documentation>This tag details a change to the current node's allowed values if the dependency is satisfied.</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:group ref="AllowedValuesGroup" />
<xs:attributeGroup ref="AllowedValuesAttributeGroup" />
</xs:complexType>
</xs:element>
</xs:schema>
```
## Older DDF files
You can download the older DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
@ -26,4 +588,15 @@ You can download the DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
You can download DDF file for Policy CSP from [Policy DDF file](policy-ddf-file.md).
You can download the older Policy area DDF files by clicking the following links:
- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)

2
windows/client-management/mdm/index.yml
View File

@ -47,7 +47,7 @@ landingContent:
- text: Policy CSP
url: policy-configuration-service-provider.md
- text: Policy DDF file
url: policy-ddf-file.md
url: configuration-service-provider-ddf.md
- text: Policy CSP - Start
url: policy-csp-start.md
- text: Policy CSP - Update

4
windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
View File

@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/18/2023
ms.date: 02/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -642,6 +642,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowCortanaInAAD](policy-csp-search.md)
- [AllowFindMyFiles](policy-csp-search.md)
- [AllowSearchHighlights](policy-csp-search.md)
- [ConfigureSearchOnTaskbarMode](policy-csp-search.md)
## Security
@ -813,6 +814,7 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md)
- [SetEDURestart](policy-csp-update.md)
- [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md)
- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md)
- [SetDisableUXWUAccess](policy-csp-update.md)
- [SetDisablePauseUXAccess](policy-csp-update.md)
- [UpdateNotificationLevel](policy-csp-update.md)

19
windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
View File

@ -9,7 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 08/01/2022
ms.date: 02/03/2023
---
# Policies in Policy CSP supported by HoloLens 2
@ -19,6 +19,7 @@ ms.date: 08/01/2022
- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
- [ApplicationManagement/RequirePrivateStoreOnly](policy-csp-applicationmanagement.md#requireprivatestoreonly) <sup>11</sup>
- [ApplicationManagement/ScheduleForceRestartForUpdateFailures](policy-csp-applicationmanagement.md#scheduleforcerestartforupdatefailures)
- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname)
- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
@ -32,6 +33,18 @@ ms.date: 08/01/2022
- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) <sup>10</sup>
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) <sup>10</sup>
- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackbackground) <sup>10</sup>
- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackforeground) <sup>10</sup>
- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode) <sup>10</sup>
- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth) <sup>10</sup>
- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth) <sup>10</sup>
- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth) <sup>10</sup>
- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth) <sup>10</sup>
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth) <sup>10</sup>
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) <sup>10</sup>
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) <sup>10</sup>
- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
@ -44,7 +57,6 @@ ms.date: 08/01/2022
- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
- [Experience/AllowCortana](policy-csp-experience.md#allowcortana)
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#allowmanualmdmunenrollment)
- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) <sup>9</sup>
- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#allowcaptiveportalbeforelogon) <sup>12</sup>
- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#allowlaunchuriinsingleappkiosk)<sup>10</sup>
@ -78,6 +90,7 @@ ms.date: 08/01/2022
- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forceallowtheseapps)
- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forcedenytheseapps)
- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_userincontroloftheseapps)
- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera)
- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera_forceallowtheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera_forcedenytheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera_userincontroloftheseapps) <sup>8</sup>
@ -85,13 +98,11 @@ ms.date: 08/01/2022
- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forceallowtheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera)
- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) <sup>8</sup>
- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_userincontroloftheseapps) <sup>8</sup>
- [RemoteLock/Lock](./remotelock-csp.md) <sup>9</sup>
- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
- [Security/AllowAddProvisioningPackage](policy-csp-security.md#allowaddprovisioningpackage) <sup>9</sup>
- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#allowremoveprovisioningpackage) <sup>9</sup>

2
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -58,7 +58,7 @@ This ensures that:
- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP:
The [Policy DDF](configuration-service-provider-ddf.md) contains the following tags to identify the policies with equivalent GP:
- \<MSFT:ADMXBacked\>
- \<MSFT:ADMXMapped\>

2
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -19,7 +19,7 @@ ms.topic: reference
<!-- LocalPoliciesSecurityOptions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md).
> To find data formats (and other policy-related details), see [Policy DDF file](./configuration-service-provider-ddf.md).
<!-- LocalPoliciesSecurityOptions-Editable-End -->
<!-- Accounts_BlockMicrosoftAccounts-Begin -->

94
windows/client-management/mdm/policy-csp-search.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/09/2023
ms.date: 02/01/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,9 @@ ms.topic: reference
<!-- Search-Begin -->
# Policy CSP - Search
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- Search-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Search-Editable-End -->
@ -187,7 +190,7 @@ This policy controls whether the user can configure search to *Find My Files* mo
| Value | Description |
|:--|:--|
| 1 (Default) | Find My Files feature can be toggled (still off by default), and the settings UI is present. |
| 1 (Default) | , and the settings UI is present. |
| 0 | Find My Files feature is turned off completely, and the settings UI is disabled. |
<!-- AllowFindMyFiles-AllowedValues-End -->
@ -480,7 +483,7 @@ This policy has been deprecated.
This policy setting allows words that contain diacritic characters to be treated as separate words.
- If you enable this policy setting, words that only differ in diacritics are treated as different words.
- If you disable this policy setting, words with diacritics and words without diacritics are treated as identical words. This policy setting is not configured by default.
- If you do not configure this policy setting, the local setting, configured through Control Panel, will be used
- If you do not configure this policy setting, the local setting, configured through Control Panel, will be used.
> [!NOTE]
> By default, the Control Panel setting is set to treat words that differ only because of diacritics as the same word.
@ -639,6 +642,81 @@ The most restrictive value is `0` to now allow automatic language detection.
<!-- AlwaysUseAutoLangDetection-End -->
<!-- ConfigureSearchOnTaskbarMode-Begin -->
## ConfigureSearchOnTaskbarMode
<!-- ConfigureSearchOnTaskbarMode-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- ConfigureSearchOnTaskbarMode-Applicability-End -->
<!-- ConfigureSearchOnTaskbarMode-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Search/ConfigureSearchOnTaskbarMode
```
<!-- ConfigureSearchOnTaskbarMode-OmaUri-End -->
<!-- ConfigureSearchOnTaskbarMode-Description-Begin -->
<!-- Description-Source-ADMX-Forced -->
This policy setting allows you to configure search on the taskbar.
- If you enable this policy setting and set it to hide, search on taskbar will be hidden by default. Users cannot change it in Settings.
- If you enable this policy setting and set it to search icon only, the search icon will be displayed on the taskbar by default. Users cannot change it in Settings.
- If you enable this policy setting and set it to search icon and label, the search icon and label will be displayed on the taskbar by default. Users cannot change it in Settings.
- If you enable this policy setting and set it to search box, the search box will be displayed on the taskbar by default. Users cannot change it in Settings.
- If you disable or do not configure this policy setting, search on taskbar will be configured according to the defaults for your Windows edition. Users will be able to change search on taskbar in Settings.
<!-- ConfigureSearchOnTaskbarMode-Description-End -->
<!-- ConfigureSearchOnTaskbarMode-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureSearchOnTaskbarMode-Editable-End -->
<!-- ConfigureSearchOnTaskbarMode-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 3 |
<!-- ConfigureSearchOnTaskbarMode-DFProperties-End -->
<!-- ConfigureSearchOnTaskbarMode-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 | Hide. |
| 1 | Search icon only. |
| 2 | Search icon and label. |
| 3 (Default) | Search box. |
<!-- ConfigureSearchOnTaskbarMode-AllowedValues-End -->
<!-- ConfigureSearchOnTaskbarMode-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureSearchOnTaskbarMode |
| Friendly Name | Configures search on the taskbar |
| Element Name | Search on the taskbar |
| Location | Computer Configuration |
| Path | Windows Components > Search |
| Registry Key Name | Software\Policies\Microsoft\Windows\Windows Search |
| ADMX File Name | Search.admx |
<!-- ConfigureSearchOnTaskbarMode-GpMapping-End -->
<!-- ConfigureSearchOnTaskbarMode-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSearchOnTaskbarMode-Examples-End -->
<!-- ConfigureSearchOnTaskbarMode-End -->
<!-- DisableBackoff-Begin -->
## DisableBackoff
@ -775,7 +853,7 @@ This policy setting configures whether or not locations on removable drives can
<!-- DisableSearch-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 22H2 [10.0.22621] and later |
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- DisableSearch-Applicability-End -->
<!-- DisableSearch-OmaUri-Begin -->
@ -1031,13 +1109,10 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
<!-- SafeSearchPermissions-Begin -->
## SafeSearchPermissions
> [!NOTE]
> This policy is deprecated and may be removed in a future release.
<!-- SafeSearchPermissions-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :x: Enterprise <br> :x: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1607 [10.0.14393] and later |
<!-- SafeSearchPermissions-Applicability-End -->
<!-- SafeSearchPermissions-OmaUri-Begin -->
@ -1047,8 +1122,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus
<!-- SafeSearchPermissions-OmaUri-End -->
<!-- SafeSearchPermissions-Description-Begin -->
<!-- Description-Source-DDF -->
This policy is deprecated.
<!-- Description-Source-Not-Found -->
<!-- SafeSearchPermissions-Description-End -->
<!-- SafeSearchPermissions-Editable-Begin -->

83
windows/client-management/mdm/policy-csp-update.md
View File

@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/18/2023
ms.date: 02/03/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -16,6 +16,9 @@ ms.topic: reference
<!-- Update-Begin -->
# Policy CSP - Update
> [!IMPORTANT]
> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview.
<!-- Update-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Update-Editable-End -->
@ -23,6 +26,7 @@ ms.topic: reference
Update CSP policies are listed below based on the group policy area:
- [Windows Insider Preview](#windows-insider-preview)
- [AllowTemporaryEnterpriseFeatureControl](#allowtemporaryenterprisefeaturecontrol)
- [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates)
- [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates)
- [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update)
@ -103,6 +107,75 @@ Update CSP policies are listed below based on the group policy area:
## Windows Insider Preview
<!-- AllowTemporaryEnterpriseFeatureControl-Begin -->
### AllowTemporaryEnterpriseFeatureControl
<!-- AllowTemporaryEnterpriseFeatureControl-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview |
<!-- AllowTemporaryEnterpriseFeatureControl-Applicability-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl
```
<!-- AllowTemporaryEnterpriseFeatureControl-OmaUri-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-Description-Begin -->
<!-- Description-Source-ADMX -->
Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed*.
- If this policy is configured to "Enabled", then all features available in the latest monthly quality update installed will be on.
- If this policy is set to "Not Configured" or "Disabled" then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed.
*Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windows Server Update Services (WSUS).
<!-- AllowTemporaryEnterpriseFeatureControl-Description-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowTemporaryEnterpriseFeatureControl-Editable-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowTemporaryEnterpriseFeatureControl-DFProperties-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | Not allowed. |
| 1 | Allowed. |
<!-- AllowTemporaryEnterpriseFeatureControl-AllowedValues-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | AllowTemporaryEnterpriseFeatureControl |
| Friendly Name | Enable features introduced via servicing that are off by default |
| Location | Computer Configuration |
| Path | Windows Components > Windows Update > Manage end user experience |
| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
| Registry Value Name | AllowTemporaryEnterpriseFeatureControl |
| ADMX File Name | WindowsUpdate.admx |
<!-- AllowTemporaryEnterpriseFeatureControl-GpMapping-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowTemporaryEnterpriseFeatureControl-Examples-End -->
<!-- AllowTemporaryEnterpriseFeatureControl-End -->
<!-- ConfigureDeadlineNoAutoRebootForFeatureUpdates-Begin -->
### ConfigureDeadlineNoAutoRebootForFeatureUpdates
@ -2589,7 +2662,7 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2
<!-- ScheduledInstallDay-Description-Begin -->
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the day of the update installation. The data type is a integer.
Enables the IT admin to schedule the day of the update installation. The data type is an integer.
<!-- ScheduledInstallDay-Description-End -->
<!-- ScheduledInstallDay-Editable-Begin -->
@ -2660,7 +2733,7 @@ Enables the IT admin to schedule the day of the update installation. The data ty
<!-- ScheduledInstallEveryWeek-Description-Begin -->
<!-- Description-Source-DDF -->
Enables the IT admin to schedule the update installation on the every week. Value type is integer.
Enables the IT admin to schedule the update installation every week. Value type is integer.
<!-- ScheduledInstallEveryWeek-Description-End -->
<!-- ScheduledInstallEveryWeek-Editable-Begin -->
@ -2985,7 +3058,7 @@ Enables the IT admin to schedule the update installation on the third week of th
<!-- ScheduledInstallTime-Description-Begin -->
<!-- Description-Source-DDF -->
the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
the IT admin to schedule the time of the update installation. The data type is an integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3.
<!-- ScheduledInstallTime-Description-End -->
<!-- ScheduledInstallTime-Editable-Begin -->
@ -3044,7 +3117,7 @@ Enables the IT admin to schedule the update installation on the third week of th
<!-- SetDisablePauseUXAccess-Description-Begin -->
<!-- Description-Source-ADMX -->
This setting allows to remove access to "Pause updates" feature.
This setting allows removing access to "Pause updates" feature.
Once enabled user access to pause updates is removed.
<!-- SetDisablePauseUXAccess-Description-End -->

32
windows/client-management/mdm/policy-ddf-file.md
View File

@ -1,32 +0,0 @@
---
title: Policy DDF file
description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider.
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 10/28/2020
---
# Policy DDF file
This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can view various Policy DDF files by clicking the following links:
- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-ddf.md).

2
windows/client-management/mdm/toc.yml
View File

@ -34,7 +34,7 @@ items:
href: policy-configuration-service-provider.md
items:
- name: Policy CSP DDF file
href: policy-ddf-file.md
href: configuration-service-provider-ddf.md
- name: Policy CSP support scenarios
items:
- name: ADMX policies in Policy CSP

32
windows/deployment/windows-autopatch/TOC.yml
View File

@ -48,32 +48,32 @@
href:
items:
- name: Windows quality updates
href: operate/windows-autopatch-wqu-overview.md
href: operate/windows-autopatch-windows-quality-update-overview.md
items:
- name: Windows quality end user experience
href: operate/windows-autopatch-wqu-end-user-exp.md
- name: Windows quality update end user experience
href: operate/windows-autopatch-windows-quality-update-end-user-exp.md
- name: Windows quality update signals
href: operate/windows-autopatch-wqu-signals.md
href: operate/windows-autopatch-windows-quality-update-signals.md
- name: Windows quality update communications
href: operate/windows-autopatch-windows-quality-update-communications.md
- name: Windows quality update reports
href: operate/windows-autopatch-wqu-reports-overview.md
href: operate/windows-autopatch-windows-quality-update-reports-overview.md
items:
- name: Summary dashboard
href: operate/windows-autopatch-wqu-summary-dashboard.md
href: operate/windows-autopatch-windows-quality-update-summary-dashboard.md
- name: All devices report
href: operate/windows-autopatch-wqu-all-devices-report.md
href: operate/windows-autopatch-windows-quality-update-all-devices-report.md
- name: All devices report—historical
href: operate/windows-autopatch-wqu-all-devices-historical-report.md
href: operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
- name: Eligible devices report—historical
href: operate/windows-autopatch-wqu-eligible-devices-historical-report.md
href: operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
- name: Ineligible devices report—historical
href: operate/windows-autopatch-wqu-ineligible-devices-historical-report.md
href: operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
- name: Windows feature updates
href: operate/windows-autopatch-fu-overview.md
href: operate/windows-autopatch-windows-feature-update-overview.md
items:
- name: Windows feature end user experience
href: operate/windows-autopatch-fu-end-user-exp.md
- name: Windows quality and feature update communications
href: operate/windows-autopatch-wqu-communications.md
- name: Windows feature update end user experience
href: operate/windows-autopatch-windows-feature-update-end-user-exp.md
- name: Microsoft 365 Apps for enterprise
href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
- name: Microsoft Edge
@ -95,7 +95,7 @@
href:
items:
- name: Windows update policies
href: operate/windows-autopatch-wqu-unsupported-policies.md
href: references/windows-autopatch-windows-update-unsupported-policies.md
- name: Microsoft 365 Apps for enterprise update policies
href: references/windows-autopatch-microsoft-365-policies.md
- name: Changes made at tenant enrollment

20
windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
View File

@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
ms.date: 09/07/2022
ms.date: 02/03/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@ -20,8 +20,8 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev
Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads:
- [Windows quality updates](../operate/windows-autopatch-wqu-overview.md)
- [Windows feature updates](../operate/windows-autopatch-fu-overview.md)
- [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md)
- [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md)
- [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md)
- [Microsoft Edge updates](../operate/windows-autopatch-edge.md)
- [Microsoft Teams updates](../operate/windows-autopatch-teams.md)
@ -52,7 +52,7 @@ Azure AD groups synced up from:
> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group.
> [!IMPORTANT]
> The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups.
> The **Windows Autopatch Device Registration** Azure AD group only supports **one level** of Azure AD nested groups.
### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
@ -111,12 +111,18 @@ A role defines the set of permissions granted to users assigned to that role. Yo
- Azure AD Global Administrator
- Intune Service Administrator
- Modern Workplace Intune Administrator
For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
> [!NOTE]
> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Intune roles, and allows you to create and configure custom Intune roles.
If you want to assign less-privileged user accounts to perform specific tasks in the Windows Autopatch portal, such as register devices with the service, you can add these user accounts into one of the two Azure AD groups created during the [tenant enrollment](../prepare/windows-autopatch-enroll-tenant.md) process:
| Role | Discover devices | Modify columns | Refresh device list | Export to .CSV | Device actions |
| ----- | ----- | ----- | ----- | ----- | ----- |
| Modern Workplace Roles - Service Administrator | Yes | Yes | Yes | Yes | Yes |
| Modern Workplace Roles - Service Reader | No | Yes | Yes | Yes | No |
> [!TIP]
> If you're adding less-privileged user accounts into the **Modern Workplace Roles - Service Administrator** Azure AD group, it's recommended to add the same users as owners of the **Windows Autopatch Device Registration** Azure AD group. Owners of the **Windows Autopatch Device Registration** Azure AD group can add new devices as members of the group for registration purposes.<p>For more information, see [assign an owner of member of a group in Azure AD](/azure/active-directory/privileged-identity-management/groups-assign-member-owner#assign-an-owner-or-member-of-a-group).</p>
## Details about the device registration process

106
windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
View File

@ -1,106 +0,0 @@
---
title: Windows feature updates
description: This article explains how Windows feature updates are managed in Autopatch
ms.date: 07/11/2022
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
---
# Windows feature updates
## Service level objective
Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates.
## Device eligibility
For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria:
| Criteria | Description |
| ----- | ----- |
| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. |
| Intune sync | Devices must have checked with Intune within the last five days. |
| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. |
| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-wqu-unsupported-policies.md). |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers). |
## Windows feature update releases
When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout.
The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend.
| Ring | Timeline |
| ----- | ----- |
| Test | Release start |
| First | Release start + 30 days |
| Fast | Release start + 60 days |
| Broad | Release start + 90 days |
:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png":::
## New devices to Windows Autopatch
If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria.
If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device.
## Feature update configuration
When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. Youll see four of each of the following policies in your tenant, one for each ring:
- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows.
- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates.
| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period |
| ----- | ----- | ----- | ----- | ----- |
| Test | 20H2 | 0 | 5 | 0 |
| First | 20H2 | 0 | 5 | 2 |
| Fast | 20H2 | 0 | 5 | 2 |
| Broad | 20H2 | 0 | 5 | 2 |
> [!NOTE]
> Customers are not able to select a target version for their tenant.
During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline.
To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods affect devices.
| Policy | Description |
| ----- | ----- |
| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | The deferral policy determines how many days after a release the feature update is offered to a device. The service maximizes control over feature updates by creating individual DSS policies for each ring and modifying the ring's DSS policy to change the target update version. Therefore, the feature update deferral policy for all rings is set to zero days so that a change in the DSS policy is released as soon as possible. |
| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
> [!IMPORTANT]
> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will render a device ineligible for management. Also, if any update related to group policy settings are detected, the device will also be ineligible for management.
## Windows 11 testing
To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment. When you add devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** group they'll update to Windows 11.
> [!IMPORTANT]
> This group is intended for testing purposes only and shouldn't be used to broadly update to Windows 11 in your environment.
## Pausing and resuming a release
You can pause or resume a Windows feature update from the Release management tab in the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
## Rollback
Windows Autopatch doesn't support the rollback of feature updates.
## Incidents and outages
If devices in your tenant don't meet the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows.
If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md).

2
windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md
View File

@ -17,8 +17,6 @@ msreviewer: hathind
> [!IMPORTANT]
> Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues.
You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
## Submit a new support request
Support requests are triaged and responded to as they're received.

4
windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
View File

@ -20,8 +20,8 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
| Software update workload | Description |
| ----- | ----- |
| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md).
| Windows quality update | Windows Autopatch uses four deployment rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md). |
| Windows feature update | Windows Autopatch uses four deployment rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-windows-feature-update-overview.md).
| Anti-virus definition | Updated with each scan. |
| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |

19
windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-end-user-exp.md
View File

@ -29,11 +29,11 @@ In this section we'll review what an end user would see in the following three s
### Typical update experience
In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First rings DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
In this example, we'll be discussing a device in the First ring. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
1. Restart immediately to install the updates
1. Schedule the installation, or
1. Snooze (the device will attempt to install outside of active hours.)
1. Restart immediately to install the updates.
2. Schedule the installation.
3. Snooze (the device will attempt to install outside of active hours).
In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
@ -51,7 +51,16 @@ The deadline specified in the update policy is five days. Therefore, once this d
In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on.
Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
The grace period to install the update and restart depends on the deployment ring the device is assigned to:
| Deployment ring | Grace period (in days) |
| ----- | ----- |
| Test | Zero days |
| First | Two days |
| Fast | Two days |
| Broad | Two days |
The user will be notified of a pending installation and given options to choose from. Once the grace period has expired, the user is forced to restart with a 15-minute warning notification.
:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png":::

108
windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md Normal file
View File

@ -0,0 +1,108 @@
---
title: Windows feature updates
description: This article explains how Windows feature updates are managed in Autopatch
ms.date: 02/07/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: andredm7
---
# Windows feature updates
Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organizations IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
Windows feature updates consist of:
- Keeping Windows devices protected against behavioral issues.
- Providing new features to boost end-user productivity.
Windows Autopatch makes it easier and less expensive for you to keep your Windows devicesup to date so you can focus on running your corebusinesses while Windows Autopatch runs update management on your behalf.
## Enforcing a minimum Windows OS version
Once devices are registered with Windows Autopatch, theyre assigned to deployment rings. Each of the four deployment rings have its Windows feature update policy assigned to them. This is intended to minimize unexpected Windows OS upgrades once new devices register with the service.
The policies:
- Contain the minimum Windows 10 version being currently serviced by the [Windows servicing channels](/windows/release-health/release-information?msclkid=ee885719baa511ecb838e1a689da96d2). The current minimum OS version is **Windows 10 20H2**.
- Set a bare minimum Windows OS version required by the service once devices are registered with the service.
If a device is registered with Windows Autopatch, and the device is:
- Below the service's currently targeted Windows feature update, that device will update to the service's target version when it meets the Windows OS upgrade eligibility criteria.
- On, or above the currently targeted Windows feature update version, there won't be any Windows OS upgrades to that device.
## Windows feature update policy configuration
If your tenant is enrolled with Windows Autopatch, you can see the following policies created by the service in the Microsoft Intune portal:
| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
| Windows Autopatch DSS Policy [Test] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM |
| Windows Autopatch DSS Policy [First] | Windows 10 20H2 | Make update available as soon as possible | N/A | N/A | N/A | 5/8/2023, 7:00PM |
| Windows Autopatch DSS Policy [Fast] | Windows 10 20H2 | Make update available as soon as possible | 12/14/2022 | 12/21/2022 | 1 | 5/8/2023, 7:00PM |
| Windows Autopatch DSS Policy [Broad] | Windows 10 20H2 | Make update available as soon as possible | 12/15/2022 | 12/29/2022 | 1 | 5/8/2023, 7:00PM |
> [!IMPORTANT]
> If youre ahead of the current minimum OS version enforced by Windows Autopatch in your organization, you can [edit Windows Autopatchs default Windows feature update policy and select your desired targeted version](/mem/intune/protect/windows-10-feature-updates#create-and-assign-feature-updates-for-windows-10-and-later-policy).
> [!NOTE]
> The four minimum Windows 10 OS version feature update policies were introduced in Windows Autopatch in the 2212 release milestone. Its creation automatically unassigns the previous four feature update policies targeting Windows 10 21H2 from all four Windows Autopatch deployment rings:<ul><li>**Modern Workplace DSS Policy [Test]**</li><li>**Modern Workplace DSS Policy [First]**</li><li>**Modern Workplace DSS Policy [Fast]**</li><li>**Modern Workplace DSS Policy [Broad]**</li><p>Since the new Windows feature update policies that set the minimum Windows 10 OS version are already in place, the Modern Workplace DSS policies can be safely removed from your tenant.</p>
## Test Windows 11 feature updates
You can test Windows 11 deployments by adding devices either through direct membership or by bulk importing them into the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group. Theres a separate Windows feature update policy (**Modern Workplace DSS Policy [Windows 11]**) targeted to this Azure AD group, and its configuration is set as follows:
| Policy name | Feature update version | Rollout options | First deployment ring availability | Final deployment ring availability | Day between deployment rings | Support end date |
| ----- | ----- | ----- | ----- | ----- | ----- | ----- |
| Modern Workplace DSS Policy [Windows 11] | Windows 11 22H2 | Make update available as soon as possible | N/A | N/A | N/A | 10/13/2025, 7:00PM |
> [!IMPORTANT]
> Windows Autopatch neither applies its deployment ring distribution, nor configures the [Windows Update for Business gradual rollout settings](/mem/intune/protect/windows-update-rollout-options) in the **Modern Workplace DSS Policy [Windows 11]** policy.<p>Once devices are added to the **Modern Workplace - Windows 11 Pre-Release Test Devices** Azure AD group, the devices can be offered the Windows 11 22H2 feature update at the same time.</p>
## Manage Windows feature update deployments
Windows Autopatch uses Microsoft Intunes built-in solution, which uses configuration service providers (CSPs), for pausing and resuming both [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release).
Windows Autopatch provides a permanent pause of a Windows feature update deployment. The Windows Autopatch service automatically extends the 35-day pause limit (permanent pause) established by Microsoft Intune on your behalf. The deployment remains permanently paused until you decide to resume it.
## Pausing and resuming a release
> [!CAUTION]
> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
> [!IMPORTANT]
> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
**To pause or resume a Windows feature update:**
1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
3. Under the **Windows Autopatch** section, select **Release management**.
4. In the **Release management** blade, select either: **Pause** or **Resume**.
5. Select the update type you would like to pause or resume.
6. Select a reason from the dropdown menu.
7. Optional. Enter details about why you're pausing or resuming the selected update.
8. If you're resuming an update, you can select one or more deployment rings.
9. Select **Okay**.
If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update.
> [!NOTE]
> The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
## Rollback
Windows Autopatch doesnt support the rollback of Windows feature updates.
> [!CAUTION]
> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
## Contact support
If youre experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md).

2
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-historical-report.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-historical-report.md
View File

@ -37,4 +37,4 @@ The following options are available:
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).

4
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-all-devices-report.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-all-devices-report.md
View File

@ -38,8 +38,8 @@ The following information is available in the All devices report:
| Azure Active Directory (AD) device ID | The current Azure AD recorded device ID for the device. |
| Serial number | The current Intune recorded serial number for the device. |
| Deployment ring | The currently assigned Windows Autopatch deployment ring for the device. |
| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)). |
| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses)) |
| Update status | The current update status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)). |
| Update sub status | The current update sub status for the device (see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses)) |
| OS version | The current version of Windows installed on the device. |
| OS revision | The current revision of Windows installed on the device. |
| Intune last check in time | The last time the device checked in to Intune. |

12
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-communications.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-communications.md
View File

@ -1,5 +1,5 @@
---
title: Windows quality and feature update communications
title: Windows quality update communications
description: This article explains Windows quality update communications
ms.date: 05/30/2022
ms.prod: windows-client
@ -12,7 +12,7 @@ manager: dougeby
msreviewer: hathind
---
# Windows quality and feature update communications
# Windows quality update communications
There are three categories of communication that are sent out during a Windows quality and feature update:
@ -20,7 +20,11 @@ There are three categories of communication that are sent out during a Windows q
- [Communications during release](#communications-during-release)
- [Incident communications](#incident-communications)
Communications are posted to Message center, Service health dashboard, and the Windows Autopatch messages section of the Microsoft Endpoint Manager admin center as appropriate for the type of communication.
Communications are posted to, as appropriate for the type of communication, to the:
- Message center
- Service health dashboard
- Windows Autopatch messages section of the Microsoft Endpoint Manager admin center
:::image type="content" source="../media/update-communications.png" alt-text="Update communications timeline" lightbox="../media/update-communications.png":::
@ -42,4 +46,4 @@ For example, new threat intelligence may require us to expedite a release, or we
## Incident communications
Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.
Despite the best intentions, every service should plan for failure and success. When there's an incident, timely and transparent communication is key to building and maintaining your trust. If insufficient numbers of devices have been updated to meet the service level objective, devices will experience an interruption to productivity, and an incident will be raised. Microsoft will update the status of the incident at least once every 24 hours.

2
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-eligible-devices-historical-report.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-eligible-devices-historical-report.md
View File

@ -37,4 +37,4 @@ The following options are available:
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).

0
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-end-user-exp.md
View File

2
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-ineligible-devices-historical-report.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md
View File

@ -40,4 +40,4 @@ The following options are available:
| Export | Select **Export devices** at the top of the page to export data from this report into a CSV file. |
| Filter | Select either the **Update status** or **Deployment rings** filters at the top of the report to filter the results. Then, select **Generate trend**. |
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses).
For a description of the displayed device status trends, see [Windows quality update statuses](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses).

45
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
View File

@ -1,7 +1,7 @@
---
title: Windows quality updates
description: This article explains how Windows quality updates are managed in Autopatch
ms.date: 12/15/2022
ms.date: 02/07/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -9,7 +9,7 @@ ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
msreviewer: andredm7
---
# Windows quality updates
@ -30,8 +30,8 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut
| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy-and-other-policy-managers) |
| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md). |
| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](../references/windows-autopatch-windows-update-unsupported-policies.md#group-policy-and-other-policy-managers) |
## Windows quality update releases
@ -88,8 +88,8 @@ By default, the service expedites quality updates as needed. For those organizat
**To turn off service-driven expedited quality updates:**
1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting.
1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting.
> [!NOTE]
> Windows Autopatch doesn't allow customers to request expedited releases.
@ -100,7 +100,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
**To view deployed Out of Band quality updates:**
1. Go to [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
1. Go to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
> [!NOTE]
@ -108,17 +108,36 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
### Pausing and resuming a release
If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md), we may decide to pause that release.
> [!CAUTION]
> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md).
In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Release management** > in the **Release schedule** tab, you can pause or resume a Windows quality update.
The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft.
There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
> [!IMPORTANT]
> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.<p>For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).</p>
**To pause or resume a Windows quality update:**
1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
3. Under the **Windows Autopatch** section, select **Release management**.
4. In the **Release management** blade, select either: **Pause** or **Resume**.
5. Select the update type you would like to pause or resume.
6. Select a reason from the dropdown menu.
7. Optional. Enter details about why you're pausing or resuming the selected update.
8. If you're resuming an update, you can select one or more deployment rings.
9. Select **Okay**.
The three following statuses are associated with paused quality updates:
| Status | Description |
| ----- | ------ |
| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
| Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. |
| Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. |
| Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status. If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. |
## Remediating Ineligible and/or Not up to Date devices
To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can remediate [Ineligible Devices (Customer Actions)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action). In addition, the Windows Autopatch service may remediate [Not up to Date devices](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) to bring them back into compliance.
To ensure your devices receive Windows quality updates, Windows Autopatch provides information on how you can remediate [Ineligible Devices (Customer Actions)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#ineligible-devices-customer-action). In addition, the Windows Autopatch service may remediate [Not up to Date devices](../operate/windows-autopatch-windows-quality-update-reports-overview.md#not-up-to-date-microsoft-action) to bring them back into compliance.

14
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-reports-overview.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-reports-overview.md
View File

@ -26,8 +26,8 @@ The report types are organized into the following focus areas:
| Focus area | Description |
| ----- | ----- |
| Operational detail | <ul><li>[Summary dashboard](windows-autopatch-wqu-summary-dashboard.md): Provides the current update status summary for all devices.</li><li>[All devices report](windows-autopatch-wqu-all-devices-report.md): Provides the current update status of all devices at the device level.</li></ul> |
| Device trends | <ul><li>[All devices report historical](windows-autopatch-wqu-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.</li><li>[Eligible devices report historical](windows-autopatch-wqu-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.</li><li>[Ineligible devices report historical](windows-autopatch-wqu-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices havent received quality updates over the last 90 days.</li></ul> |
| Operational detail | <ul><li>[Summary dashboard](windows-autopatch-windows-quality-update-summary-dashboard.md): Provides the current update status summary for all devices.</li><li>[All devices report](windows-autopatch-windows-quality-update-all-devices-report.md): Provides the current update status of all devices at the device level.</li></ul> |
| Device trends | <ul><li>[All devices report historical](windows-autopatch-windows-quality-update-all-devices-historical-report.md): Provides the update status trend of all devices over the last 90 days.</li><li>[Eligible devices report historical](windows-autopatch-windows-quality-update-eligible-devices-historical-report.md): Provides the update status trend of all eligible devices to receive quality updates over the last 90 days.</li><li>[Ineligible devices report historical](windows-autopatch-windows-quality-update-ineligible-devices-historical-report.md): Provides a trending view of why ineligible devices havent received quality updates over the last 90 days.</li></ul> |
## Who can access the reports?
@ -57,16 +57,16 @@ Healthy devices are devices that meet all of the following prerequisites:
- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
- [Prerequisites for device registration](../deploy/windows-autopatch-register-devices.md#prerequisites-for-device-registration)
- [Windows quality update device eligibility](../operate/windows-autopatch-wqu-overview.md#device-eligibility)
- [Windows quality update device eligibility](../operate/windows-autopatch-windows-quality-update-overview.md#device-eligibility)
> [!NOTE]
> Healthy devices will remain with the **In Progress** status for the 21-day service level objective period. Devices which are **Paused** are also considered healthy.
| Sub status | Description |
| ----- | ----- |
| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). |
| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases). |
| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release). |
| Up to Date | Devices are up to date with the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases). |
| In Progress | Devices are currently installing the latest quality update deployed through the [Windows Autopatch release schedule](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases). |
| Paused | Devices that are currently paused due to a Windows Autopatch or customer-initiated Release Management pause. For more information, see [Pausing and resuming a release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). |
### Not Up to Date (Microsoft Action)
@ -76,7 +76,7 @@ Not Up to Date means a device isnt up to date when the:
- Device is more than 21 days overdue from the last release.
> [!NOTE]
> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-wqu-overview.md#service-level-objective).
> Microsoft Action refers to the responsibility of the Windows Autopatch Service Engineering Team to carry out the appropriate action to resolve the reported device state. Windows Autopatch aims to keep at least [95% of eligible devices on the latest Windows quality update 21 days after release](../operate/windows-autopatch-windows-quality-update-overview.md#service-level-objective).
| Sub status | Description |
| ----- | ----- |

4
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-signals.md
View File

@ -24,7 +24,7 @@ Before being released to the Test ring, Windows Autopatch reviews several data s
| Pre-release signal | Description |
| ----- | ----- |
| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-wqu-communications.md#communications-during-release) will be sent out. |
| Windows Payload Review | The contents of the B release are reviewed to help focus your update testing on areas that have changed. If any relevant changes are detected, a [customer advisory](../operate/windows-autopatch-windows-quality-update-communications.md#communications-during-release) will be sent out. |
| C-Release Review - Internal Signals | Windows Autopatch reviews active incidents associated with the previous C release to understand potential risks in the B release. |
| C-Release Review - Social Signals | Windows Autopatch monitors social signals to better understand potential risks associated with the B release. |
@ -56,4 +56,4 @@ Autopatch monitors the following reliability signals:
| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can to detect regressions, which are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.
When the update is released to the First ring, the service crosses the 500 device threshold. Therefore, Autopatch can detect regressions that are common to all customers. At this point in the release, we'll decide if we need to change the release schedule or pause for all customers.

2
windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-summary-dashboard.md → windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-summary-dashboard.md
View File

@ -32,7 +32,7 @@ The following information is available in the Summary dashboard:
| Column name | Description |
| ----- | ----- |
| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-wqu-reports-overview.md#windows-quality-update-statuses). |
| Windows quality update status | The device update state. For more information, see [Windows quality update status](windows-autopatch-windows-quality-update-reports-overview.md#windows-quality-update-statuses). |
| Devices | The number of devices showing as applicable for the state. |
## Report options

17
windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
View File

@ -37,7 +37,7 @@ sections:
Windows Autopatch is available for all Windows E3 customers using Azure commercial cloud. However, Autopatch isn't currently supported for government cloud (GCC) customers.
- question: What if I enrolled into Windows Autopatch using the promo code? Will I still have access to the service?
answer: |
Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There is no additional action you have to take to continue using Windows Autopatch.
Yes. For those who used the promo code to access Windows Autopatch during public preview, you'll continue to have access to Windows Autopatch even when the promo code expires. There's no additional action you have to take to continue using Windows Autopatch.
- name: Requirements
questions:
- question: What are the prerequisites for Windows Autopatch?
@ -70,14 +70,14 @@ sections:
No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
- question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center?
answer: |
Cloud PC displays the model as the license type you have provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads).
Cloud PC displays the model as the license type you've provisioned. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads).
- question: Can I run Autopatch on my Windows 365 Business Workloads?
answer: |
No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads).
- question: Can you change the policies and configurations created by Windows Autopatch?
answer: |
No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant).
- name: Update Management
- name: Update management
questions:
- question: What systems does Windows Autopatch update?
answer: |
@ -92,23 +92,26 @@ sections:
- question: What happens if there's an issue with an update?
answer: |
Autopatch relies on the following capabilities to help resolve update issues:
- Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release).
- Pausing and resuming: If Windows Autopatch detects an issue with a Windows quality release, we may decide that it's necessary to pause that release. Once the issue is resolved, the release will be resumed. For more information, see [Pausing and resuming a Windows quality release](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release).
- Rollback: If Windows Autopatch detects issues between versions of Microsoft 365 Apps for enterprise, we might force all devices to roll back to the previous version. For more information, see [Update controls for Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-controls).
- question: Can I permanently pause a Windows feature update deployment?
answer: |
Yes. Windows Autopatch provides a [permanent pause of either a feature update deployment](../operate/windows-autopatch-windows-feature-update-overview.md#pausing-and-resuming-a-release).
- question: Will Windows quality updates be released more quickly after vulnerabilities are identified, or what is the regular cadence of updates?
answer: |
For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-wqu-overview.md#expedited-releases). For normal updates Autopatch uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring.
For zero-day threats, Autopatch will have an [expedited release cadence](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases). For normal updates Autopatch, uses a [regular release cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) starting with devices in the Test ring and completing with general rollout to the Broad ring.
- question: Can customers configure when to move to the next ring or is it controlled by Windows Autopatch?
answer: |
The decision of when to move to the next ring is handled by Windows Autopatch; it isn't customer configurable.
- question: Can you customize the scheduling of an update rollout to only install on certain days and times?
answer: |
No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours.
No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-windows-quality-update-end-user-exp.md#servicing-window) to prevent users from updating during business hours.
- question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership?
answer: |
Windows Autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings).
- question: Does Autopatch have two release cadences per update or are there two release cadences per-ring?
answer: |
The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly.
The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) would roll out more rapidly.
- name: Support
questions:
- question: What support is available for customers who need help with onboarding to Windows Autopatch?

6
windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
View File

@ -37,8 +37,8 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| Management area | Service level objective |
| ----- | ----- |
| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. |
| [Windows feature updates](../operate/windows-autopatch-fu-overview.md) | Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. |
| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. |
| [Windows feature updates](../operate/windows-autopatch-windows-feature-update-overview.md) | Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
| [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
@ -64,7 +64,7 @@ Microsoft remains committed to the security of your data and the [accessibility]
| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch:<ul><li>[Prerequisites](../prepare/windows-autopatch-prerequisites.md)</li><li>[Configure your network](../prepare/windows-autopatch-configure-network.md)</li><li>[Enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md)</li><li>[Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)</li></ul> |
| Deploy | Once you've enrolled your tenant, this section instructs you to:<ul><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li><li>[Register your devices](../deploy/windows-autopatch-register-devices.md)</li></ul> |
| Operate | This section includes the following information about your day-to-day life with the service:<ul><li>[Update management](../operate/windows-autopatch-update-management.md)</li><li>[Maintain your Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md)</li><li>[Submit a support request](../operate/windows-autopatch-support-request.md)</li><li>[Deregister a device](../operate/windows-autopatch-deregister-devices.md)</li></ul>
| References | This section includes the following articles:<ul><li>[Windows update policies](../operate/windows-autopatch-wqu-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li><li>[Privacy](../references/windows-autopatch-privacy.md)</li><li>[Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)</li></ul> |
| References | This section includes the following articles:<ul><li>[Windows update policies](../references/windows-autopatch-windows-update-unsupported-policies.md)</li><li>[Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md)</li><li>[Privacy](../references/windows-autopatch-privacy.md)</li><li>[Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)</li></ul> |
### Have feedback or would like to start a discussion?

34
windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
View File

@ -28,7 +28,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Review the service data platform and privacy compliance details](../references/windows-autopatch-privacy.md) | :heavy_check_mark: | :x: |
| Ensure device [prerequisites](../prepare/windows-autopatch-prerequisites.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
| Ensure [infrastructure and environment prerequisites](../prepare/windows-autopatch-configure-network.md) are met and in place prior to enrollment | :heavy_check_mark: | :x: |
| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
| Prepare to remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
| [Configure required network endpoints](../prepare/windows-autopatch-configure-network.md#required-microsoft-product-endpoints) | :heavy_check_mark: | :x: |
| [Fix issues identified by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) | :heavy_check_mark: | :x: |
| [Enroll tenant into the Windows Autopatch service](../prepare/windows-autopatch-enroll-tenant.md) | :heavy_check_mark: | :x: |
@ -40,8 +40,8 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| ----- | :-----: | :-----: |
| [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md) in Microsoft Endpoint Manager | :heavy_check_mark: | :x: |
| [Deploy and configure Windows Autopatch service configuration](../references/windows-autopatch-changes-to-tenant.md) | :x: | :heavy_check_mark: |
| Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../operate/windows-autopatch-wqu-end-user-exp.md)</li><li>[Windows feature update end user experience](../operate/windows-autopatch-fu-end-user-exp.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
| Educate users on the Windows Autopatch end user update experience<ul><li>[Windows quality update end user experience](../operate/windows-autopatch-windows-quality-update-end-user-exp.md)</li><li>[Windows feature update end user experience](../operate/windows-autopatch-windows-feature-update-end-user-exp.md)</li><li>[Microsoft 365 Apps for enterprise end user experience](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#end-user-experience)</li><li>[Microsoft Teams end user experience](../operate/windows-autopatch-teams.md#end-user-experience)</li></ul> | :heavy_check_mark: | :x: |
| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices) | :heavy_check_mark: | :x: |
| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-ready-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
| [Automatically assign devices to First, Fast & Broad deployment rings at device registration](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :x: | :heavy_check_mark: |
@ -61,29 +61,29 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Maintain customer configuration to align with the Windows Autopatch service configuration](../operate/windows-autopatch-maintain-environment.md) | :heavy_check_mark: | :x: |
| [Run on-going checks to ensure devices are only present in one deployment ring](../operate/windows-autopatch-update-management.md#automated-deployment-ring-remediation-functions) | :x: | :heavy_check_mark: |
| [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: |
| Monitor [Windows update signals](../operate/windows-autopatch-wqu-signals.md) for safe update release | :x: | :heavy_check_mark: |
| Test specific [business update scenarios](../operate/windows-autopatch-wqu-signals.md) | :heavy_check_mark: | :x: |
| [Define and implement release schedule](../operate/windows-autopatch-wqu-overview.md) | :x: | :heavy_check_mark: |
| Communicate the update [release schedule](../operate/windows-autopatch-wqu-communications.md) | :x: | :heavy_check_mark: |
| Release updates (as scheduled)<ul><li>[Windows quality updates](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases)</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)</li><ul>| :x: | :heavy_check_mark: |
| [Release updates (expedited)](../operate/windows-autopatch-wqu-overview.md#expedited-releases) | :x: | :heavy_check_mark: |
| Monitor [Windows update signals](../operate/windows-autopatch-windows-quality-update-signals.md) for safe update release | :x: | :heavy_check_mark: |
| Test specific [business update scenarios](../operate/windows-autopatch-windows-quality-update-signals.md) | :heavy_check_mark: | :x: |
| [Define and implement release schedule](../operate/windows-autopatch-windows-quality-update-overview.md) | :x: | :heavy_check_mark: |
| Communicate the update [release schedule](../operate/windows-autopatch-windows-quality-update-communications.md) | :x: | :heavy_check_mark: |
| Release updates (as scheduled)<ul><li>[Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#windows-quality-update-releases)</li><li>[Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#update-release-schedule)</li><li>[Microsoft Edge](../operate/windows-autopatch-edge.md#update-release-schedule)</li><li>[Microsoft Teams](../operate/windows-autopatch-teams.md#update-release-schedule)</li><ul>| :x: | :heavy_check_mark: |
| [Release updates (expedited)](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :x: | :heavy_check_mark: |
| [Deploy updates to devices](../operate/windows-autopatch-update-management.md) | :x: | :heavy_check_mark: |
| Monitor [Windows quality](../operate/windows-autopatch-wqu-overview.md) or [feature updates](../operate/windows-autopatch-fu-overview.md) through the release cycle | :x: | :heavy_check_mark: |
| Review [update reports](../operate/windows-autopatch-wqu-reports-overview.md) | :heavy_check_mark: | :x: |
| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-wqu-signals.md) | :x: | :heavy_check_mark: |
| [Pause updates (initiated by you)](../operate/windows-autopatch-wqu-overview.md#pausing-and-resuming-a-release) | :heavy_check_mark: | :x: |
| Monitor [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md) or [feature updates](../operate/windows-autopatch-windows-feature-update-overview.md) through the release cycle | :x: | :heavy_check_mark: |
| Review [update reports](../operate/windows-autopatch-windows-quality-update-reports-overview.md) | :heavy_check_mark: | :x: |
| [Pause updates (Windows Autopatch initiated)](../operate/windows-autopatch-windows-quality-update-signals.md) | :x: | :heavy_check_mark: |
| [Pause updates (initiated by you)](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) | :heavy_check_mark: | :x: |
| Run [on-going post-registration device readiness checks](../deploy/windows-autopatch-post-reg-readiness-checks.md) | :x: | :heavy_check_mark: |
| [Remediate devices displayed in the **Not ready** tab](../deploy/windows-autopatch-post-reg-readiness-checks.md#about-the-three-tabs-in-the-devices-blade) | :heavy_check_mark: | :x: |
| Resolve any conflicting and unsupported [Windows update](../references/windows-autopatch-wqu-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
| [Investigate devices that aren't up to date within the service level objective (Microsoft action)](../operate/windows-autopatch-wqu-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: |
| [Investigate and remediate devices that are marked as ineligible (Customer action)](../operate/windows-autopatch-wqu-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: |
| Resolve any conflicting and unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
| [Investigate devices that aren't up to date within the service level objective (Microsoft action)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#not-up-to-date-microsoft-action) | :x: | :heavy_check_mark: |
| [Investigate and remediate devices that are marked as ineligible (Customer action)](../operate/windows-autopatch-windows-quality-update-reports-overview.md#ineligible-devices-customer-action) | :heavy_check_mark: | :x: |
| [Raise, manage and resolve a service incident if an update management area isn't meeting the service level objective](windows-autopatch-overview.md#update-management) | :x: | :heavy_check_mark: |
| [Deregister devices](../operate/windows-autopatch-deregister-devices.md) | :heavy_check_mark: | :x: |
| [Register a device that was previously deregistered (upon customers request)](../operate/windows-autopatch-deregister-devices.md#excluded-devices) | :x: | :heavy_check_mark: |
| [Request unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md) | :heavy_check_mark: | :x: |
| [Remove Windows Autopatch data from the service and deregister devices](../operate/windows-autopatch-unenroll-tenant.md#microsofts-responsibilities-during-unenrollment) | :x: | :heavy_check_mark: |
| [Maintain update configuration & update devices post unenrollment from Windows Autopatch](../operate/windows-autopatch-unenroll-tenant.md#your-responsibilities-after-unenrolling-your-tenant) | :heavy_check_mark: | :x: |
| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality and feature update communications](../operate/windows-autopatch-wqu-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
| Review and respond to Message Center and Service Health Dashboard notifications<ul><li>[Windows quality and feature update communications](../operate/windows-autopatch-windows-quality-update-communications.md)</li><li>[Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)</li></ul> | :heavy_check_mark: | :x: |
| [Highlight Windows Autopatch Tenant management alerts that require customer action](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :x: | :heavy_check_mark: |
| [Review and respond to Windows Autopatch Tenant management alerts](../operate/windows-autopatch-maintain-environment.md#windows-autopatch-tenant-actions) | :heavy_check_mark: | :x: |
| [Raise and respond to support requests](../operate/windows-autopatch-support-request.md) | :heavy_check_mark: | :x: |

2
windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md
View File

@ -14,7 +14,7 @@ msreviewer: hathind
# Submit a tenant enrollment support request
If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team.
If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool.
> [!NOTE]
> After you've successfully enrolled your tenant, this feature will no longer be accessible. You must [submit a support request through the Tenant administration menu](../operate/windows-autopatch-support-request.md).

6
windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
View File

@ -45,13 +45,13 @@ This setting must be turned on to avoid a "lack of permissions" error when we in
| ----- | ----- |
| Not ready | Allow access to unlicensed admins should be turned on. Without this setting enabled, errors can occur when we try to access your Azure AD organization for service. You can safely enable this setting without worrying about security implications. The scope of access is defined by the roles assigned to users, including our operations staff.<p><p>For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
### Deployment rings for Windows 10 or later
### Windows 10 and later update rings
Your "Windows 10 deployment ring" policy in Intune must not target any Windows Autopatch devices.
Your "Windows 10 and later update ring" policy in Intune must not target any Windows Autopatch devices.
| Result | Meaning |
| ----- | ----- |
| Not ready | You have an "update ring" policy that targets all devices, all users, or both.<p>To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.</p><p>For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
| Not ready | You have an "update ring" policy that targets all devices, all users, or both.<p>To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices.</p><p>For more information, see [Manage Windows 10 and later software updates in Intune](/mem/intune/protect/windows-update-for-business-configure).</p> |
| Advisory | Both the **Modern Workplace Devices - All** and **Modern Workplace - All** Azure AD groups are groups that we create after you enroll in Windows Autopatch.<p>You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).</p>|
## Azure Active Directory settings

18
windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
View File

@ -78,18 +78,18 @@ Windows Autopatch will create Azure Active Directory groups that are required to
## Feature update policies
- Modern Workplace DSS Policy [Test]
- Modern Workplace DSS Policy [First]
- Modern Workplace DSS Policy [Fast]
- Modern Workplace DSS Policy [Broad]
- Modern Workplace DSS Policy [Windows 11]
- Windows Autopatch - DSS Policy [Test]
- Windows Autopatch - DSS Policy [First]
- Windows Autopatch - DSS Policy [Fast]
- Windows Autopatch - DSS Policy [Broad]
- Windows Autopatch - DSS Policy [Windows 11]
| Policy name | Policy description | Value |
| ----- | ----- | ----- |
| Modern Workplace DSS Policy [Test] | DSSpolicyforTest devicegroup | Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li></ul><br>Exclude from:<ul><li>ModernWorkplace-Windows11Pre-ReleaseTestDevices</li></ul>|
| ModernWorkplaceDSSPolicy[First] | DSSpolicyforFirstdevice group | Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-First</li><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li> |
| ModernWorkplaceDSSPolicy[Fast] | DSSpolicyforFastdevice group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul> |
| ModernWorkplaceDSSPolicy[Broad] | DSSpolicyforBroad devicegroup | Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Broad</li></ul><br>Exclude from:<ul><li>ModernWorkplace-Windows11Pre-ReleaseTestDevices</li></ul>|
| Windows Autopatch - DSS Policy [Test] | DSSpolicyforTest devicegroup | Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li></ul><br>Exclude from:<ul><li>ModernWorkplace-Windows11Pre-ReleaseTestDevices</li></ul>|
| Windows Autopatch -DSSPolicy[First] | DSSpolicyforFirstdevice group | Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-First</li><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li> |
| Windows Autopatch -DSSPolicy[Fast] | DSSpolicyforFastdevice group | Assigned to:<ul><li>Modern Workplace Devices-Windows Autopatch-Fast</li></ul><br>Exclude from:<ul><li>Modern Workplace - Windows 11 Pre-Release Test Devices</li></ul> |
| Windows Autopatch -Policy[Broad] | DSSpolicyforBroad devicegroup | Assigned to:<ul><li>ModernWorkplaceDevices-WindowsAutopatch-Broad</li></ul><br>Exclude from:<ul><li>ModernWorkplace-Windows11Pre-ReleaseTestDevices</li></ul>|
| ModernWorkplaceDSSPolicy[Windows11] | Windows11DSSpolicy | Assigned to:<ul><li>ModernWorkplace-Windows11Pre-ReleaseTestDevices</li></ul>|
## Microsoft Office update policies

15
windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
View File

@ -1,7 +1,7 @@
---
title: Privacy
description: This article provides details about the data platform and privacy compliance for Autopatch
ms.date: 11/08/2022
ms.date: 02/02/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
@ -25,7 +25,7 @@ The sources include Azure Active Directory (Azure AD), Microsoft Intune, and Mic
| Data source | Purpose |
| ------ | ------ |
| [Microsoft Windows 10/11 Enterprise](/windows/windows-10/) | Management of device setup experience, managing connections to other services, and operational support for IT pros. |
| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10/11 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
| [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) | Device management and to keep your data secure. The following endpoint management data sources are used:<br><ul><li>[Microsoft Azure Active Directory](/azure/active-directory/): Authentication and identification of all user accounts.</li><li>[Microsoft Intune](/mem/intune/): Distributing device configurations, device management and application management.</li></ul>
| [Windows Autopatch](https://go.microsoft.com/fwlink/?linkid=2109431) | Data provided by the customer or generated by the service during running of the service. |
| [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. |
@ -53,13 +53,18 @@ Windows Autopatch Service Engineering Team is in the United States, India and Ro
Windows Autopatch uses [Windows 10/11 Enhanced diagnostic data](/windows/privacy/windows-diagnostic-data) to keep Windows secure, up to date, fix problems, and make product improvements.
The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10 diagnostic data setting and data collection.
The enhanced diagnostic data setting includes more detailed information about the devices enrolled in Windows Autopatch and their settings, capabilities, and device health. When enhanced diagnostic data is selected, data, including required diagnostic data, are collected. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection) about the Windows 10/11 diagnostic data setting and data collection.
The diagnostic data terminology will change in future versions of Windows. Windows Autopatch is committed to processing only the data that the service needs. The diagnostic level will change to **Optional**, but Windows Autopatch will implement the limited diagnostic policies to fine-tune diagnostic data collection required for the service. For more information, see [Changes to Windows diagnostic data collection](/windows/privacy/changes-to-windows-diagnostic-data-collection).
Windows Autopatch only processes and stores system-level data from Windows 10 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data.
Windows Autopatch only processes and stores system-level data from Windows 10/11 optional diagnostic data that originates from enrolled devices such as application and device reliability, and performance information. Windows Autopatch doesn't process and store customers' data such as chat and browser history, voice, text, or speech data.
For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
For more information about the diagnostic data collection of Microsoft Windows 10/11, see the [Where we store and process data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
For more information about how Windows diagnostic data is used, see:
- [Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization#enable-windows-diagnostic-data-processor-configuration)
- [Features that require Windows diagnostic data](/mem/intune/protect/data-enable-windows-data)
## Tenant access

0
windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md → windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies.md
View File

6
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2022.md
View File

@ -24,12 +24,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| Article | Description |
| ----- | ----- |
| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Added information about: <ul><li>Turning off service-driven expedited quality update releases<ul><li>[MC482178](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul></li><li>Viewing deployed out of band releases<ul><li>[MC484915](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul></li></ul> |
| [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md) | Added information about: <ul><li>Turning off service-driven expedited quality update releases<ul><li>[MC482178](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul></li><li>Viewing deployed out of band releases<ul><li>[MC484915](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul></li></ul> |
| [Roles and responsibilities](../overview/windows-autopatch-roles-responsibilities.md) | Added Roles and responsibilities article |
| [Prerequisites](../prepare/windows-autopatch-prerequisites.md) | Added more licenses to the More about licenses section<ul><li>[MC452168](https://admin.microsoft.com/adminportal/home#/MessageCenter) |
| [Unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md) | Updated to include other policy managers in the Group policy section |
| [Unsupported policies](../references/windows-autopatch-windows-update-unsupported-policies.md) | Updated to include other policy managers in the Group policy section |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the Device configuration, Microsoft Office and Edge policies |
| [Windows quality update reports](../operate/windows-autopatch-wqu-reports-overview.md) | Added Windows quality update reports |
| [Windows quality update reports](../operate/windows-autopatch-windows-quality-update-reports-overview.md) | Added Windows quality update reports |
### December service release

15
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 01/09/2023
ms.date: 01/31/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -18,13 +18,24 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
## February 2023
### February feature releases or updates
| Article | Description |
| ----- | ----- |
| [Privacy](../references/windows-autopatch-privacy.md) | Added additional resources to the Microsoft Windows 10/11 diagnostic data section |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the Built-in roles required for registration section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
## January 2023
### January feature releases or updates
| Article | Description |
| ----- | ----- |
| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment. |
| [Windows feature update](../operate/windows-autopatch-windows-feature-update-overview.md) | Updated Windows feature update information |
| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment |
| [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section |
### January service release

4
windows/security/identity-protection/remote-credential-guard.md
View File

@ -128,7 +128,7 @@ You must enable Restricted Admin or Windows Defender Remote Credential Guard on
- Add a new DWORD value named **DisableRestrictedAdmin**.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
- To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0.
3. Close Registry Editor.
@ -189,4 +189,4 @@ mstsc.exe /remoteGuard
- No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own.
- The server and client must authenticate using Kerberos.
- The server and client must authenticate using Kerberos.

2
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
View File

@ -63,7 +63,7 @@ The following procedures describe the most common tasks performed by using the B
By completing the procedures in this scenario, the recovery passwords for a computer have been viewed and copied and a password ID was used to locate a recovery password.
## Replated articles
## Related articles
- [BitLocker Overview](bitlocker-overview.md)
- [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml)

9
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
View File

@ -222,8 +222,13 @@ sections:
- question: |
What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
answer: |
This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
- question: |
How do I open a support ticket for Microsoft Defender Application Guard?
answer: |
- Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
additionalContent: |

2
windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
View File

@ -78,7 +78,7 @@ One of the risks that the UAC feature tries to mitigate is that of malicious pro
### Countermeasure
Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account.
Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account.
### Potential impact

50
windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
View File

@ -1,6 +1,6 @@
---
title: Using Event Viewer with AppLocker (Windows)
description: This topic lists AppLocker events and describes how to use Event Viewer with AppLocker.
description: This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
ms.assetid: 109abb10-78b1-4c29-a576-e5a17dfeb916
ms.reviewer:
ms.author: vinpa
@ -14,7 +14,7 @@ manager: aaroncz
audience: ITPro
ms.topic: conceptual
ms.technology: itpro-security
ms.date: 12/31/2017
ms.date: 02/02/2023
---
# Using Event Viewer with AppLocker
@ -28,41 +28,44 @@ ms.date: 12/31/2017
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic lists AppLocker events and describes how to use Event Viewer with AppLocker.
This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about:
The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information:
- Which file is affected and the path of that file
- Which packaged app is affected and the package identifier of the app
- Whether the file or packaged app is allowed or blocked
- The rule type (path, file hash, or publisher)
- The rule name
- The security identifier (SID) for the user or group identified in the rule
- Which file is affected and the path of that file
- Which packaged app is affected and the package identifier of the app
- Whether the file or packaged app is allowed or blocked
- The rule type (path, file hash, or publisher)
- The rule name
- The security identifier (SID) for the user or group identified in the rule
Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%).
Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`).
For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
> [!NOTE]
> The AppLocker event logs are very verbose and can result in a large number of events depending on the policies deployed, particularly in the *AppLocker - EXE and DLL* event log. If you're using an event forwarding and collection service, like LogAnalytics, you may want to adjust the configuration for that event log to only collect Error events or stop collecting events from that log altogether.
**To review the AppLocker log in Event Viewer**
1. Open Event Viewer.
2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, click **AppLocker**.
1. Open Event Viewer.
2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**.
The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules.
| Event ID | Level | Event message | Description |
| - | - | - | - |
| 8000 | Error| Application Identity Policy conversion failed. Status *&lt;%1&gt; *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
| --- | --- | --- | --- |
| 8000 | Error| Application Identity Policy conversion failed. Status * &lt;%1&gt; *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
| 8002 | Information| *&lt;File name&gt; * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8004 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.|
| 8005| Information| *&lt;File name&gt; * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8007 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.|
| 8002 | Information| *&lt;File name&gt; * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
| 8003 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8004 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.|
| 8005| Information| *&lt;File name&gt; * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
| 8006 | Warning| *&lt;File name&gt; * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
| 8007 | Error| *&lt;File name&gt; * was not allowed to run.| Access to *&lt;file name&gt;* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.|
| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.|
| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.|
| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.|
| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.|
| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.|
@ -83,8 +86,7 @@ The following table contains information about the events that you can use to de
| 8040 | Error | Package family name * version * was prevented from installing or updating due to Config CI policy | Added in Windows Server 2016 and Windows 10.|
## Related topics
## Related articles
- [Tools to use with AppLocker](tools-to-use-with-applocker.md)

5
windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
View File

@ -13,7 +13,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: vinpa
manager: aaroncz
ms.date: 08/26/2022
ms.date: 02/02/2023
ms.technology: itpro-security
ms.topic: article
---
@ -62,6 +62,9 @@ To turn on managed installer tracking, you must:
- Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs.
- Enable AppLocker's Application Identity and AppLockerFltr services.
> [!NOTE]
> The managed installer AppLocker policy below is designed to be safely merged with any pre-existing AppLocker policies and won't change the behavior of those policies. However, if applied on a device that doesn't currently have any AppLocker policy, you will see a large increase in warning events generated in the *AppLocker - EXE and DLL* event log. If you're using an event forwarding and collection service, like LogAnalytics, you may want to adjust the configuration for that event log to only collect Error events or stop collecting events from that log altogether.
> [!NOTE]
> MEMCM will automatically configure itself as a managed installer, and enable the required AppLocker components, if you deploy one of its inbox WDAC policies. If you are configuring MEMCM as a managed installer using any other method, additional setup is required. Use the [**ManagedInstaller** cmdline switch in your ccmsetup.exe setup](/mem/configmgr/core/clients/deploy/about-client-installation-properties#managedinstaller). Or you can deploy one of the MEMCM inbox audit mode policies alongside your custom policy.

13
windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
View File

@ -9,7 +9,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: aaroncz
ms.date: 11/02/2022
ms.date: 02/02/2023
ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
@ -26,14 +26,19 @@ ms.localizationpriority: medium
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
> [!IMPORTANT]
> Option **11 Disabled:Script Enforcement** is not supported on **Windows Server 2016** and should not be used on that platform. Doing so may result in unexpected script enforcement behaviors.
## Script enforcement overview
By default, script enforcement is enabled for all WDAC policies unless the option **11 Disabled:Script Enforcement** is set in the policy. WDAC script enforcement involves a handshake between an enlightened script host, such as PowerShell, and WDAC. The actual enforcement behavior, however, is handled entirely by the script host. Some script hosts, like the Microsoft HTML Application Host (mshta.exe), simply block all code execution if any WDAC UMCI policy is active. Most script hosts first ask WDAC whether a script should be allowed to run based on the WDAC policies currently active. The script host then either blocks, allows, or changes *how* the script is run to best protect the user and the device.
Validation for signed scripts is done using the [WinVerifyTrust API](/windows/win32/api/wintrust/nf-wintrust-winverifytrust). To pass validation, the signature root must be present in the trusted root store on the device and be allowed by your WDAC policy. This behavior is different from WDAC validation for executable files, which doesn't require installation of the root certificate.
WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event will be logged with the answer WDAC returned to the script host. For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log).
> [!IMPORTANT]
> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
> [!NOTE]
> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
>
> Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. You should review the information below for each script host and test thoroughly within your environment to ensure the scripts you need to run are working properly.
@ -43,7 +48,7 @@ WDAC shares the *AppLocker - MSI and Script* event log for all script enforcemen
All PowerShell scripts (.ps1), modules (.psm1), and manifests (.psd1) must be allowed by WDAC policy in order to run with Full Language rights.
Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that do not specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load.
Any **dependent modules** that are loaded by an allowed module must also be allowed by WDAC policy, and module functions must be exported explicitly by name when WDAC is enforced. Modules that don't specify any exported functions (no export name list) will still load but no module functions will be accessible. Modules that use wildcards (\*) in their name will fail to load.
Any PowerShell script that isn't allowed by WDAC policy will still run, but only in Constrained Language Mode.

7
windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
View File

@ -9,7 +9,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: aaroncz
ms.date: 07/01/2022
ms.date: 02/02/2023
ms.technology: itpro-security
ms.topic: article
ms.localizationpriority: medium
@ -19,7 +19,6 @@ ms.localizationpriority: medium
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
@ -27,11 +26,11 @@ ms.localizationpriority: medium
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
This article covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
## Managed Installer and ISG will cause garrulous events
When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy.
When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. These events have been moved to the verbose channel beginning with the September 2022 Update Preview since the events don't indicate an issue with the policy.
## .NET native images may generate false positive block events

16
windows/whats-new/whats-new-windows-10-version-1809.md
View File

@ -3,14 +3,14 @@ title: What's new in Windows 10, version 1809
ms.reviewer:
description: Learn about features for Windows 10, version 1809, including features and fixes included in previous cumulative updates to Windows 10, version 1803.
ms.prod: windows-client
author: aczechowski
manager: dougeby
ms.author: aaroncz
author: mestew
manager: aaroncz
ms.author: mstewart
ms.localizationpriority: medium
ms.topic: article
ROBOTS: NOINDEX
ms.technology: itpro-fundamentals
ms.date: 12/31/2017
ms.date: 01/31/2023
---
# What's new in Windows 10, version 1809 for IT Pros
@ -19,12 +19,14 @@ ms.date: 12/31/2017
In this article, we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803.
<!---
The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
&nbsp;
> [!video https://www.youtube.com/embed/hAva4B-wsVA]
--->
## Deployment
### Windows Autopilot self-deploying mode
@ -68,7 +70,7 @@ This new functionality is an update to the [BitLocker CSP](/windows/client-manag
This feature will soon be enabled on Olympia Corp as an optional feature.
#### Delivering BitLocker policy to AutoPilot devices during OOBE
#### Delivering BitLocker policy to Autopilot devices during OOBE
You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This option allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins.