deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into pm-20220912-WinSE-documentation

Browse Source
This commit is contained in:
Paolo Matarazzo 2022-09-20 13:06:56 -04:00 committed by GitHub
commit 9805b1aa67
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
86 changed files with 5389 additions and 1863 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.openpublishing.redirection.json
View File

@ -19647,7 +19647,12 @@
},
{
"source_path": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md",
"redirect_url": "windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md",
"redirect_url": "/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust",
"redirect_document_id": false
},
{
"source_path": "windows/configuration/windows-10-accessibility-for-ITPros.md",
"redirect_url": "/windows/configuration/windows-accessibility-for-ITPros",
"redirect_document_id": false
}
]

16
education/windows/TOC.yml
View File

@ -26,18 +26,22 @@ items:
href: set-up-school-pcs-shared-pc-mode.md
- name: Windows 10 configuration recommendations for education customers
href: configure-windows-for-education.md
- name: Take tests and assessments in Windows
href: take-tests-in-windows-10.md
- name: How-to-guides
items:
- name: Use the Set up School PCs app
href: use-set-up-school-pcs-app.md
- name: Take tests and assessments in Windows
items:
- name: Overview
href: take-tests-in-windows-10.md
- name: Configure education features
items:
- name: Configure education themes
href: edu-themes.md
- name: Configure Stickers
href: edu-stickers.md
- name: Configure Take a Test on a single PC
href: take-a-test-single-pc.md
- name: Configure a Test on multiple PCs
href: take-a-test-multiple-pcs.md
- name: Use the Set up School PCs app
href: use-set-up-school-pcs-app.md
- name: Change Windows edition
items:
- name: Switch to Windows 10 Pro Education in S mode from Windows 10 Pro in S mode

77
education/windows/edu-stickers.md Normal file
View File

@ -0,0 +1,77 @@
---
title: Configure Stickers for Windows 11 SE
description: Description of the Stickers feature and how to configure it via Intune and provisioning package.
ms.date: 09/15/2022
ms.prod: windows
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
- ✅ <b>Windows 11 SE, version 22H2</b>
---
# Configure Stickers for Windows 11 SE
Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students.
:::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
Stickers are simple to use, and give students an easy way to express themselves by decorating their desktop, helping to make learning fun.
## Benefits of Stickers
When students feel like they can express themselves at school, they pay more attention and learn, which benefits students, teachers, and the school community. Self-expression is critical to well-being and success at school. Customizing a device is one way to express a personal brand.
With Stickers, students feel more attached to the device as they feel as if it's their own, they take better care of it, and it's more likely to last.
## Enable Stickers
Stickers aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To enable Stickers using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
Assign the policy to a security group that contains as members the devices or users that you want to enable Stickers on.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure Stickers using a provisioning package, use the following settings:
| Setting |
|--------|
| <li> Path: **`Education/AllowStickers`** </li><li>Value: **True**</li>|
Apply the provisioning package to the devices that you want to enable Stickers on.
---
## How to use Stickers
Once the Stickers feature is enabled, the sticker editor can be opened by either:
- using the contextual menu on the desktop and selecting the option **Add or edit stickers**
- opening the Settings app > **Personalization** > **Background** > **Add stickers**
:::image type="content" source="./images/win-11-se-stickers-menu.png" alt-text="Windows 11 SE desktop contextual menu to open the sticker editor" border="true":::
Multiple stickers can be added from the picker by selecting them. The stickers can be resized, positioned or deleted from the desktop by using the mouse, keyboard, or touch.
:::image type="content" source="./images/win-11-se-stickers-animation.gif" alt-text="animation showing Windows 11 SE desktop with 4 pirate stickers being resized and moved" border="true":::
Select the *X button* at the top of the screen to save your progress and close the sticker editor.
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

64
education/windows/edu-themes.md Normal file
View File

@ -0,0 +1,64 @@
---
title: Configure education themes for Windows 11
description: Description of education themes for Windows 11 and how to configure them via Intune and provisioning package.
ms.date: 09/15/2022
ms.prod: windows
ms.technology: windows
ms.topic: how-to
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: education
appliesto:
- ✅ <b>Windows 11, version 22H2</b>
- ✅ <b>Windows 11 SE, version 22H2</b>
---
# Configure education themes for Windows 11
Starting in **Windows 11, version 22H2**, you can deploy education themes to your devices. The education themes are designed for students using devices in a school.
:::image type="content" source="./images/win-11-se-themes-1.png" alt-text="Windows 11 desktop with 3 stickers" border="true":::
Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings.
Students can choose their own themes, making it feel the device is their own. When students feel more ownership over their device, they tend to take better care of it. This is great news for schools looking to give that same device to a new student the next year.
## Enable education themes
Education themes aren't enabled by default. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To enable education themes using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/EnableEduThemes`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
Assign the policy to a security group that contains as members the devices or users that you want to enable education themes on.
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure education themes using a provisioning package, use the following settings:
| Setting |
|--------|
| <li> Path: **`Education/EnableEduThemes`** </li><li>Value: **True**</li>|
Apply the provisioning package to the devices that you want to enable education themes on.
---
## How to use the education themes
Once the education themes are enabled, the device will download them as soon as a user signs in to the device.
To change the theme, select **Settings** > **Personalization** > **Themes** > **Select a theme**
:::image type="content" source="./images/win-11-se-themes.png" alt-text="Windows 11 education themes selection" border="true":::
-----------
[MEM-1]: /mem/intune/configuration/custom-settings-windows-10

3
education/windows/images/icons/accessibility.svg Normal file
View File

@ -0,0 +1,3 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

3
education/windows/images/icons/group-policy.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

24
education/windows/images/icons/intune.svg Normal file
View File

@ -0,0 +1,24 @@
<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.82" stop-color="#5ea0ef" />
</linearGradient>
<linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#1490df" />
<stop offset="0.98" stop-color="#1f56a3" />
</linearGradient>
<linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#d2ebff" />
<stop offset="1" stop-color="#f0fffd" />
</linearGradient>
</defs>
<title>Icon-intune-329</title>
<rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
<rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
<path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
<path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
<rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
<circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
<path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.8 KiB

20
education/windows/images/icons/powershell.svg Normal file
View File

@ -0,0 +1,20 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#32bedd" />
<stop offset="0.175" stop-color="#32caea" />
<stop offset="0.41" stop-color="#32d2f2" />
<stop offset="0.775" stop-color="#32d4f5" />
</linearGradient>
</defs>
<title>MsPortalFx.base.images-10</title>
<g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
<g>
<path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
<path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
<path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
<path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
<rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

3
education/windows/images/icons/provisioning-package.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.9 KiB

22
education/windows/images/icons/registry.svg Normal file
View File

@ -0,0 +1,22 @@
<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#76bc2d" />
<stop offset="0.32" stop-color="#73b82c" />
<stop offset="0.65" stop-color="#6cab29" />
<stop offset="0.99" stop-color="#5e9724" />
<stop offset="1" stop-color="#5e9624" />
</linearGradient>
<linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.17" stop-color="#1c84dc" />
<stop offset="0.38" stop-color="#3990e4" />
<stop offset="0.59" stop-color="#4d99ea" />
<stop offset="0.8" stop-color="#5a9eee" />
<stop offset="1" stop-color="#5ea0ef" />
</linearGradient>
</defs>
<title>Icon-general-18</title>
<path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
<rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

3
education/windows/images/icons/windows-os.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
<path d="M0 0h961v961H0V0zm1087 0h961v961h-961V0zM0 1087h961v961H0v-961zm1087 0h961v961h-961v-961z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 215 B

BIN
education/windows/images/win-11-se-stickers-animation.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.8 MiB

BIN
education/windows/images/win-11-se-stickers-menu.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 357 KiB

BIN
education/windows/images/win-11-se-stickers-picker.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 433 KiB

BIN
education/windows/images/win-11-se-stickers.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 548 KiB

BIN
education/windows/images/win-11-se-themes-1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 668 KiB

BIN
education/windows/images/win-11-se-themes.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 300 KiB

8
education/windows/index.yml
View File

@ -47,11 +47,17 @@ landingContent:
url: windows-11-se-overview.md
- text: Windows 11 SE settings
url: windows-11-se-settings-list.md
- linkListType: whats-new
links:
- text: Configure education themes
url: edu-themes.md
- text: Configure Stickers
url: edu-stickers.md
- linkListType: video
links:
- text: Deploy Windows 11 SE using Set up School PCs
url: https://www.youtube.com/watch?v=Ql2fbiOop7c
- title: Deploy devices with Set up School PCs
linkLists:

107
windows/client-management/mdm/devicestatus-csp.md
View File

@ -1,7 +1,7 @@
---
title: DeviceStatus CSP
description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@ -71,12 +71,14 @@ DeviceStatus
--------VirtualizationBasedSecurityHwReq
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
----CertAttestation
--------MDMClientCertAttestation
```
<a href="" id="devicestatus"></a>**DeviceStatus**
<a href="" id="devicestatus"></a>**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following values:
- 0 - Not supported
@ -85,67 +87,67 @@ Indicates whether secure boot is enabled. The value is one of the following valu
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities"></a>**DeviceStatus/CellularIdentities**
<a href="" id="devicestatus-cellularidentities"></a>**DeviceStatus/CellularIdentities**
Required. Node for queries on the SIM cards.
>[!NOTE]
>Multiple SIMs are supported.
<a href="" id="devicestatus-cellularidentities-imei"></a>**DeviceStatus/CellularIdentities/**<strong>*IMEI*</strong>
<a href="" id="devicestatus-cellularidentities-imei"></a>**DeviceStatus/CellularIdentities/**<strong>*IMEI*</strong>
The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device.
<a href="" id="devicestatus-cellularidentities-imei-imsi"></a>**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
<a href="" id="devicestatus-cellularidentities-imei-imsi"></a>**DeviceStatus/CellularIdentities/*IMEI*/IMSI**
The International Mobile Subscriber Identity (IMSI) associated with the IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-iccid"></a>**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
<a href="" id="devicestatus-cellularidentities-imei-iccid"></a>**DeviceStatus/CellularIdentities/*IMEI*/ICCID**
The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-phonenumber"></a>**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
<a href="" id="devicestatus-cellularidentities-imei-phonenumber"></a>**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber**
Phone number associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-commercializationoperator"></a>**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
<a href="" id="devicestatus-cellularidentities-imei-commercializationoperator"></a>**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator**
The mobile service provider or mobile operator associated with the specific IMEI number.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-roamingstatus"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
<a href="" id="devicestatus-cellularidentities-imei-roamingstatus"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus**
Indicates whether the SIM card associated with the specific IMEI number is roaming.
Supported operation is Get.
<a href="" id="devicestatus-cellularidentities-imei-roamingcompliance"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
<a href="" id="devicestatus-cellularidentities-imei-roamingcompliance"></a>**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance**
Boolean value that indicates compliance with the enforced enterprise roaming policy.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers"></a>**DeviceStatus/NetworkIdentifiers**
<a href="" id="devicestatus-networkidentifiers"></a>**DeviceStatus/NetworkIdentifiers**
Node for queries on network and device properties.
<a href="" id="devicestatus-networkidentifiers-macaddress"></a>**DeviceStatus/NetworkIdentifiers/**<strong>*MacAddress*</strong>
<a href="" id="devicestatus-networkidentifiers-macaddress"></a>**DeviceStatus/NetworkIdentifiers/**<strong>*MacAddress*</strong>
MAC address of the wireless network card. A MAC address is present for each network card on the device.
<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv4"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv4"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4**
IPv4 address of the network card associated with the MAC address.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv6"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
<a href="" id="devicestatus-networkidentifiers-macaddress-ipaddressv6"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6**
IPv6 address of the network card associated with the MAC address.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-isconnected"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
<a href="" id="devicestatus-networkidentifiers-macaddress-isconnected"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected**
Boolean value that indicates whether the network card associated with the MAC address has an active network connection.
Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following values:
- 2 - WLAN (or other Wireless interface)
@ -154,10 +156,10 @@ Type of network connection. The value is one of the following values:
Supported operation is Get.
<a href="" id="devicestatus-compliance"></a>**DeviceStatus/Compliance**
<a href="" id="devicestatus-compliance"></a>**DeviceStatus/Compliance**
Node for the compliance query.
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
- 0 - Not encrypted
@ -165,42 +167,42 @@ Boolean value that indicates compliance with the enterprise encryption policy fo
Supported operation is Get.
<a href="" id="devicestatus-tpm"></a>**DeviceStatus/TPM**
<a href="" id="devicestatus-tpm"></a>**DeviceStatus/TPM**
Added in Windows, version 1607. Node for the TPM query.
Supported operation is Get.
<a href="" id="devicestatus-tpm-specificationversion"></a>**DeviceStatus/TPM/SpecificationVersion**
<a href="" id="devicestatus-tpm-specificationversion"></a>**DeviceStatus/TPM/SpecificationVersion**
Added in Windows, version 1607. String that specifies the specification version.
Supported operation is Get.
<a href="" id="devicestatus-os"></a>**DeviceStatus/OS**
<a href="" id="devicestatus-os"></a>**DeviceStatus/OS**
Added in Windows, version 1607. Node for the OS query.
Supported operation is Get.
<a href="" id="devicestatus-os-edition"></a>**DeviceStatus/OS/Edition**
<a href="" id="devicestatus-os-edition"></a>**DeviceStatus/OS/Edition**
Added in Windows, version 1607. String that specifies the OS edition.
Supported operation is Get.
<a href="" id="devicestatus-os-mode"></a>**DeviceStatus/OS/Mode**
<a href="" id="devicestatus-os-mode"></a>**DeviceStatus/OS/Mode**
Added in Windows, version 1803. Read only node that specifies the device mode.
Valid values:
Valid values:
- 0 - The device is in standard configuration.
- 1 - The device is in S mode configuration.
Supported operation is Get.
<a href="" id="devicestatus-antivirus"></a>**DeviceStatus/Antivirus**
<a href="" id="devicestatus-antivirus"></a>**DeviceStatus/Antivirus**
Added in Windows, version 1607. Node for the antivirus query.
Supported operation is Get.
<a href="" id="devicestatus-antivirus-signaturestatus"></a>**DeviceStatus/Antivirus/SignatureStatus**
<a href="" id="devicestatus-antivirus-signaturestatus"></a>**DeviceStatus/Antivirus/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the antivirus signature.
Valid values:
@ -218,7 +220,7 @@ If more than one antivirus provider is active, this node returns:
This node also returns 0 when no antivirus provider is active.
<a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**
<a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**
Added in Windows, version 1607. Integer that specifies the status of the antivirus.
Valid values:
@ -231,12 +233,12 @@ Valid values:
Supported operation is Get.
<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**
<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**
Added in Windows, version 1607. Node for the anti-spyware query.
Supported operation is Get.
<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**
<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
Valid values:
@ -254,7 +256,7 @@ If more than one anti-spyware provider is active, this node returns:
This node also returns 0 when no anti-spyware provider is active.
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
Valid values:
@ -266,12 +268,12 @@ Valid values:
Supported operation is Get.
<a href="" id="devicestatus-firewall"></a>**DeviceStatus/Firewall**
<a href="" id="devicestatus-firewall"></a>**DeviceStatus/Firewall**
Added in Windows, version 1607. Node for the firewall query.
Supported operation is Get.
<a href="" id="devicestatus-firewall-status"></a>**DeviceStatus/Firewall/Status**
<a href="" id="devicestatus-firewall-status"></a>**DeviceStatus/Firewall/Status**
Added in Windows, version 1607. Integer that specifies the status of the firewall.
Valid values:
@ -284,75 +286,75 @@ Valid values:
Supported operation is Get.
<a href="" id="devicestatus-uac"></a>**DeviceStatus/UAC**
<a href="" id="devicestatus-uac"></a>**DeviceStatus/UAC**
Added in Windows, version 1607. Node for the UAC query.
Supported operation is Get.
<a href="" id="devicestatus-uac-status"></a>**DeviceStatus/UAC/Status**
<a href="" id="devicestatus-uac-status"></a>**DeviceStatus/UAC/Status**
Added in Windows, version 1607. Integer that specifies the status of the UAC.
Supported operation is Get.
<a href="" id="devicestatus-battery"></a>**DeviceStatus/Battery**
<a href="" id="devicestatus-battery"></a>**DeviceStatus/Battery**
Added in Windows, version 1607. Node for the battery query.
Supported operation is Get.
<a href="" id="devicestatus-battery-status"></a>**DeviceStatus/Battery/Status**
<a href="" id="devicestatus-battery-status"></a>**DeviceStatus/Battery/Status**
Added in Windows, version 1607. Integer that specifies the status of the battery
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**
<a href="" id="devicestatus-battery-estimatedchargeremaining"></a>**DeviceStatus/Battery/EstimatedChargeRemaining**
Added in Windows, version 1607. Integer that specifies the estimated battery charge remaining. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
<a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**
<a href="" id="devicestatus-battery-estimatedruntime"></a>**DeviceStatus/Battery/EstimatedRuntime**
Added in Windows, version 1607. Integer that specifies the estimated runtime of the battery. This value is the one that is returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](/windows/win32/api/winbase/ns-winbase-system_power_status).
The value is the number of seconds of battery life remaining when the device isn't connected to an AC power source. When it's connected to a power source, the value is -1. When the estimation is unknown, the value is -1.
Supported operation is Get.
<a href="" id="devicestatus-domainname"></a>**DeviceStatus/DomainName**
<a href="" id="devicestatus-domainname"></a>**DeviceStatus/DomainName**
Added in Windows, version 1709. Returns the fully qualified domain name of the device (if any). If the device isn't domain-joined, it returns an empty string.
Supported operation is Get.
<a href="" id="devicestatus-deviceguard"></a>**DeviceStatus/DeviceGuard**
<a href="" id="devicestatus-deviceguard"></a>**DeviceStatus/DeviceGuard**
Added in Windows, version 1709. Node for Device Guard query.
Supported operation is Get.
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecurityhwreq"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecurityhwreq"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq**
Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask.
- 0x0: System meets hardware configuration requirements
- 0x1: SecureBoot required
- 0x1: SecureBoot required
- 0x2: DMA Protection required
- 0x4: HyperV not supported for Guest VM
- 0x8: HyperV feature isn't available
Supported operation is Get.
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
- 0 - Running
- 1 - Reboot required
- 2 - 64-bit architecture required
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
- 1 - Reboot required
- 2 - 64-bit architecture required
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
Supported operation is Get.
<a href="" id="devicestatus-deviceguard-lsacfgcredguardstatus"></a>**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
<a href="" id="devicestatus-deviceguard-lsacfgcredguardstatus"></a>**DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus**
Added in Windows, version 1709. Local System Authority (LSA) credential guard status.
- 0 - Running
@ -363,6 +365,11 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
Supported operation is Get.
<a href="" id="devicestatus-certattestation-mdmclientcertattestation"></a>**DeviceStatus/CertAttestation/MDMClientCertAttestation**
Added in Windows 11, version 22H2. MDM Certificate attestation information. This will return an XML blob containing the relevant attestation fields.
Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

1566
windows/client-management/mdm/devicestatus-ddf.md
View File

File diff suppressed because it is too large Load Diff

8
windows/client-management/mdm/euiccs-csp.md
View File

@ -40,6 +40,7 @@ eUICCs
------------ServerName
----------------DiscoveryState
----------------AutoEnable
----------------IsDiscoveryServer
--------Profiles
------------ICCID
----------------ServerName
@ -112,6 +113,13 @@ Supported operations are Add, Get, and Replace.
Value type is bool.
<a href="" id="euicc-downloadservers-servername-isdiscoveryserver"></a>**_eUICC_/DownloadServers/_ServerName_/IsDiscoveryServer**
Optional. Indicates whether the server is a discovery server. This setting must be defined by the MDM when the ServerName subtree is created.
Supported operations are Add, Get, and Replace.
Value type is bool. Default value is false.
<a href="" id="euicc-profiles"></a>**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.

24
windows/client-management/mdm/euiccs-ddf-file.md
View File

@ -247,6 +247,30 @@ The XML below if for Windows 10, version 1803.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IsDiscoveryServer</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Indicates whether the server is a discovery server. Optional, default value is false.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>

146
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

File diff suppressed because one or more lines are too long

47
windows/client-management/mdm/personaldataencryption-csp.md Normal file
View File

@ -0,0 +1,47 @@
---
title: PersonalDataEncryption CSP
description: Learn how the PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
ms.date: 09/12/2022
ms.reviewer:
manager: dansimp
ms.collection: highpri
---
# PersonalDataEncryption CSP
The PersonalDataEncryption configuration service provider (CSP) is used by the enterprise to protect data confidentiality of PCs and devices. This CSP was added in Windows 11, version 22H2.
The following shows the PersonalDataEncryption configuration service provider in tree format:
```
./User/Vendor/MSFT/PDE
-- EnablePersonalDataEncryption
-- Status
-------- PersonalDataEncryptionStatus
```
**EnablePersonalDataEncryption**:
- 0 is default (disabled)
- 1 (enabled) will make Personal Data Encryption (PDE) public API available to applications for the user: [UserDataProtectionManager Class](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
The public API allows the applications running as the user to encrypt data as soon as this policy is enabled. However, prerequisites must be met for the PDE to be enabled.
**Status/PersonalDataEncryptionStatus**: Reports the current status of Personal Data Encryption (PDE) for the user. If prerequisites of PDE aren't met, then the status will be 0. If all prerequisites are met for PDE, then PDE will be enabled and status will be 1.
> [!Note]
> The policy is only applicable on Enterprise and Education SKUs.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|

127
windows/client-management/mdm/personaldataencryption-ddf-file.md Normal file
View File

@ -0,0 +1,127 @@
---
title: PersonalDataEncryption DDF file
description: Learn about the OMA DM device description framework (DDF) for the PersonalDataEncryption configuration service provider.
ms.author: v-nsatapathy
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nimishasatapathy
ms.localizationpriority: medium
ms.date: 09/10/2022
ms.reviewer:
manager: dansimp
---
# PersonalDataEncryption DDF file
This topic shows the OMA DM device description framework (DDF) for the **PersonalDataEncryption** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>PDE</NodeName>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>EnablePersonalDataEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to enable Personal Data Encryption. Set to '1' to set this policy.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME />
</DFType>
<MSFT:AllowedValues ValueType="ENUM">
<MSFT:Enum>
<MSFT:Value>0</MSFT:Value>
<MSFT:ValueDescription>Disable Personal Data Encryption.</MSFT:ValueDescription>
</MSFT:Enum>
<MSFT:Enum>
<MSFT:Value>1</MSFT:Value>
<MSFT:ValueDescription>Enable Personal Data Encryption.</MSFT:ValueDescription>
</MSFT:Enum>
</MSFT:AllowedValues>
</DFProperties>
</Node>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName />
</DFType>
</DFProperties>
<Node>
<NodeName>PersonalDataEncryptionStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This node reports the current state of Personal Data Encryption for a user. '0' means disabled. '1' means enabled.</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```

10
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -1559,6 +1559,16 @@ ms.date: 10/08/2020
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources)
- [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller)
- [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles)
- [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride)
- [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource)
- [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol)
- [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings)
- [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources)
- [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures)
- [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)

118
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -5173,6 +5173,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### ADMX_WindowsRemoteManagement policies
<dl>
@ -6303,6 +6304,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### DesktopAppInstaller policies
<dl>
<dd>
<a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources" id="desktopappinstaller-enableadditionalsources">DesktopAppInstaller/EnableAdditionalSources</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller"id="desktopappinstaller-enableappinstaller">DesktopAppInstaller/EnableAppInstaller</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#desktopappinstaller-enabledefaultsource"id="desktopappinstaller-enabledefaultsource">DesktopAppInstaller/EnableDefaultSource</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablelocalmanifestfiles"id="desktopappinstaller-enablelocalmanifestfiles">DesktopAppInstaller/EnableLocalManifestFiles</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablehashoverride"id="desktopappinstaller-enablehashoverride">DesktopAppInstaller/EnableHashOverride</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablemicrosoftstoresource"id="desktopappinstaller-enablemicrosoftstoresource">DesktopAppInstaller/EnableMicrosoftStoreSource</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablemsappinstallerprotocol"id="desktopappinstaller-enablemsappinstallerprotocol">DesktopAppInstaller/EnableMSAppInstallerProtocol</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enablesettings"id="desktopappinstaller-enablesettings">DesktopAppInstaller/EnableSettings</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enableallowedsources"id="desktopappinstaller-enableallowedsources">DesktopAppInstaller/EnableAllowedSources</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-enableexperimentalfeatures"id="desktopappinstaller-enableexperimentalfeatures">DesktopAppInstaller/EnableExperimentalFeatures</a>
</dd>
<dd>
<a href="/policy-csp-desktopappinstaller.md#DesktopAppInstaller-sourceautoupdateinterval"id="desktopappinstaller-sourceautoupdateinterval">DesktopAppInstaller/SourceAutoUpdateInterval</a>
</dd>
</dl>
### DeviceGuard policies
<dl>
@ -6550,6 +6588,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-experience.md#experience-allowsyncmysettings" id="experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
</dd>
<dd>
<a href="./policy-csp-experience.md#experience-allowspotlightcollection" id="experience-allowspotlightcollection">Experience/AllowSpotlightCollection</a>
</dd>
<dd>
<a href="./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata" id="experience-allowtailoredexperienceswithdiagnosticdata">Experience/AllowTailoredExperiencesWithDiagnosticData</a>
</dd>
@ -7895,6 +7936,42 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
### Printers policies
<dl>
<dd>
<a href="./policy-csp-printers.md#printers-approvedusbprintdevices" id="printers-approvedusbprintdevices">Printers/ApprovedUsbPrintDevices</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-approvedusbprintdevicesuser" id="printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configurecopyfilespolicy" id="printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configuredrivervalidationlevel" id="printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configureipppagecountspolicy" id="printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configureredirectionguardpolicy" id="printers-configureredirectionguardpolicy">Printers/ConfigureRedirectionGuardPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configurerpcconnectionpolicy" id="printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configurerpclistenerpolicy" id="printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-configurerpctcpport" id="printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-enabledevicecontrol" id="printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-enabledevicecontroluser" id="printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-managedriverexclusionlist" id="printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-pointandprintrestrictions" id="printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
</dd>
@ -7904,6 +7981,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-printers.md#printers-publishprinters" id="printers-publishprinters">Printers/PublishPrinters</a>
</dd>
<dd>
<a href="./policy-csp-printers.md#printers-restrictdriverinstallationtoadministrators" id="printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
</dd>
</dl>
### Privacy policies
@ -8360,6 +8440,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-search.md#search-disableremovabledriveindexing" id="search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
</dd>
<dd>
<a href="./policy-csp-search.md#search-disablesearch" id="search-disablesearch">Search/DisableSearch</a>
</dd>
<dd>
<a href="./policy-csp-search.md#search-donotusewebresults" id="search-donotusewebresults">Search/DoNotUseWebResults</a>
</dd>
@ -8514,6 +8597,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-disablecontextmenus" id="start-disablecontextmenus">Start/DisableContextMenus</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-disablecontrolcenter" id="start-disablecontrolcenter">Start/DisableControlCenter</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-disableeditingquicksettings" id="start-disableeditingquicksettings">Start/DisableEditingQuickSettings</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-forcestartsize" id="start-forcestartsize">Start/ForceStartSize</a>
@ -8545,6 +8634,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-start.md#start-hiderecentlyaddedapps" id="start-hiderecentlyaddedapps">Start/HideRecentlyAddedApps</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-hiderecommendedsection" id="start-hiderecommendedsection">Start/HideRecommendedSection</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-hiderestart" id="start-hiderestart">Start/HideRestart</a>
</dd>
@ -8560,6 +8652,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-start.md#start-hideswitchaccount" id="start-hideswitchaccount">Start/HideSwitchAccount</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-hidetaskviewbutton" id="start-hidetaskviewbutton">Start/HideTaskViewButton</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-hideusertile" id="start-hideusertile">Start/HideUserTile</a>
</dd>
@ -8569,6 +8664,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-start.md#start-nopinningtotaskbar" id="start-nopinningtotaskbar">Start/NoPinningToTaskbar</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-simplifyquicksettings" id="start-simplifyquicksettings">Start/SimplifyQuickSettings</a>
</dd>
<dd>
<a href="./policy-csp-start.md#start-startlayout" id="start-startlayout">Start/StartLayout</a>
</dd>
@ -9166,6 +9264,23 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
</dd>
</dl>
### WebThreatDefense policies
<dl>
<dd>
<a href="./policy-csp-webthreatdefense.md#webthreatdefense-enableservice" id="webthreatdefense-enableservice">WebThreatDefense/EnableService</a>
</dd>
<dd>
<a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifymalicious" id="webthreatdefense-notifymalicious">WebThreatDefense/NotifyMalicious</a>
</dd>
<dd>
<a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifypasswordreuse" id="webthreatdefense-notifypasswordreuse">WebThreatDefense/NotifyPasswordReuse</a>
</dd>
<dd>
<a href="./policy-csp-webthreatdefense.md#webthreatdefense-notifyunsafeapp" id="webthreatdefense-notifyunsafeapp">WebThreatDefense/NotifyUnsafeApp</a>
</dd>
</dl>
### Wifi policies
<dl>
@ -9308,6 +9423,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC</a>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation" id="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enablemprnotifications" id="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers" id="windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>

595
windows/client-management/mdm/policy-csp-desktopappinstaller.md Normal file
View File

@ -0,0 +1,595 @@
---
title: Policy CSP - DesktopAppInstaller
description: Learn about the Policy CSP - DesktopAppInstaller.
ms.author: v-aljupudi
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: alekyaj
ms.date: 08/24/2022
ms.reviewer:
manager: aaroncz
---
# Policy CSP - DesktopAppInstaller
>[!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policies-->
## DesktopAppInstaller policies
<dl>
<dd>
<a href="#desktopappinstaller-enableadditionalsources">DesktopAppInstaller/EnableAdditionalSources</a>
</dd>
<dd>
<a href="#desktopappinstaller-enableappinstaller">DesktopAppInstaller/EnableAppInstaller</a>
</dd>
<dd>
<a href="#desktopappinstaller-enabledefaultsource">DesktopAppInstaller/EnableDefaultSource</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablelocalmanifestfiles">DesktopAppInstaller/EnableLocalManifestFiles</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablehashoverride">DesktopAppInstaller/EnableHashOverride</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablemicrosoftstoresource">DesktopAppInstaller/EnableMicrosoftStoreSource</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablemsappinstallerprotocol">DesktopAppInstaller/EnableMSAppInstallerProtocol</a>
</dd>
<dd>
<a href="#desktopappinstaller-enablesettings">DesktopAppInstaller/EnableSettings</a>
</dd>
<dd>
<a href="#desktopappinstaller-enableallowedsources">DesktopAppInstaller/EnableAllowedSources</a>
</dd>
<dd>
<a href="#desktopappinstaller-enableexperimentalfeatures">DesktopAppInstaller/EnableExperimentalFeatures</a>
</dd>
<dd>
<a href="#desktopappinstaller-sourceautoupdateinterval">DesktopAppInstaller/SourceAutoUpdateInterval</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enableadditionalsources"></a>**DesktopAppInstaller/EnableAdditionalSources**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/).
If you don't configure this setting, no additional sources will be configured for Windows Package Manager.
If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/).
If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Additional Windows Package Manager Sources*
- GP name: *EnableAdditionalSources*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enableappinstaller"></a>**DesktopAppInstaller/EnableAppInstaller**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
- If you enable or don't configure this setting, users will be able to use the Windows Package Manager.
- If you disable this setting, users won't be able to use the Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users*
- GP name: *EnableAppInstaller*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enabledefaultsource"></a>**DesktopAppInstaller/EnableDefaultSource**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls the default source included with the Windows Package Manager.
If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed.
- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed.
- If you disable this setting the default source for the Windows Package Manager won't be available.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Default Source*
- GP name: *EnableDefaultSource*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enablelocalmanifestfiles"></a>**DesktopAppInstaller/EnableLocalManifestFiles**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether users can install packages with local manifest files.
- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Local Manifest Files*
- GP name: *EnableLocalManifestFiles*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<!--Policy-->
<a href="" id="desktopappinstaller-enablehashoverride"></a>**DesktopAppInstaller/EnableHashOverride**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest.
- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings.
- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable App Installer Hash Override*
- GP name: *EnableHashOverride*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enablemicrosoftstoresource"></a>**DesktopAppInstaller/EnableMicrosoftStoreSource**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls the Microsoft Store source included with the Windows Package Manager.
If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed.
- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source*
- GP name: *EnableMicrosoftStoreSource*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enablemsappinstallerprotocol"></a>**DesktopAppInstaller/EnableMSAppInstallerProtocol**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol.
- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol.
- If you disable this setting, users will not be able to install packages from websites that use this protocol.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable MS App Installer Protocol*
- GP name: *EnableMSAppInstallerProtocol*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enablesettings"></a>**DesktopAppInstaller/EnableSettings**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether users can change their settings. The settings are stored inside of a .json file on the users system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager.
- If you disable this setting, users will not be able to change settings for Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Settings Command*
- GP name: *EnableSettings*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enableallowedsources"></a>**DesktopAppInstaller/EnableAllowedSources**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy.
- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export.
- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Settings Command*
- GP name: *EnableAllowedSources*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-enableexperimentalfeatures"></a>**DesktopAppInstaller/EnableExperimentalFeatures**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager.
- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Enable Windows Package Manager Experimental Features*
- GP name: *EnableExperimentalFeatures*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="desktopappinstaller-sourceautoupdateinterval"></a>**DesktopAppInstaller/SourceAutoUpdateInterval**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
- If you enable this setting, the number of minutes specified will be used by Windows Package Manager.
- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes*
- GP name: *SourceAutoUpdateInterval*
- GP path: *Administrative Templates\Windows Components\App Package Deployment*
- GP ADMX file name: *AppxPackageManager.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

47
windows/client-management/mdm/policy-csp-experience.md
View File

@ -50,6 +50,9 @@ manager: aaroncz
<dd>
<a href="#experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
</dd>
<dd>
<a href="#experience-allowspotlightcollection">Experience/AllowSpotlightCollection</a>
</dd>
<dd>
<a href="#experience-allowtailoredexperienceswithdiagnosticdata">Experience/AllowTailoredExperiencesWithDiagnosticData</a>
</dd>
@ -494,6 +497,50 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowspotlightcollection"></a>**Experience/AllowSpotlightCollection**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows spotlight collection on the device.
- If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings.
- If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop
- When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft
- Default value: 1
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**

70
windows/client-management/mdm/policy-csp-fileexplorer.md
View File

@ -46,8 +46,13 @@ manager: aaroncz
<dd>
<a href="#fileexplorer-setallowedstoragelocations">FileExplorer/SetAllowedStorageLocations</a>
</dd>
<dd>
<a href="#fileexplorer-disablegraphrecentitems">FileExplorer/DisableGraphRecentItems</a>
</dd>
</dl>
<hr/>
<!--Policy-->
@ -276,10 +281,10 @@ This policy configures the folders that the user can enumerate and access in the
The following list shows the supported values:
- 0: All folders
- 15:Desktop, Documents, Pictures, and Downloads
- 31:Desktop, Documents, Pictures, Downloads, and Network
- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads
- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network
- 15: Desktop, Documents, Pictures, and Downloads
- 31: Desktop, Documents, Pictures, Downloads, and Network
- 47: This PC (local drive), [Desktop, Documents, Pictures], and Downloads
- 63: This PC, [Desktop, Documents, Pictures], Downloads, and Network
<!--/SupportedValues-->
@ -331,7 +336,7 @@ This policy configures the folders that the user can enumerate and access in the
<!--SupportedValues-->
The following list shows the supported values:
- 0: all storage locations
- 0: All storage locations
- 1: Removable Drives
- 2: Sync roots
- 3: Removable Drives, Sync roots, local drive
@ -350,9 +355,62 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="fileexplorer-disablegraphrecentitems"></a>**FileExplorer/DisableGraphRecentItems**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Windows SE|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy changes whether files from Office.com will be shown in the Recents and Favorites sections on the Home node (previously known as Quick Access) in File Explorer.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0: Files from Office.com will display in the Home node
- 1: No files from Office.com will be retrieved or displayed
<!--/SupportedValues-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Turn off files from Office.com in Quick access view*
- GP name: *DisableGraphRecentItems*
- GP path: *File Explorer*
- GP ADMX file name: *Explorer.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)
[Policy configuration service provider](policy-configuration-service-provider.md)

53
windows/client-management/mdm/policy-csp-humanpresence.md
View File

@ -20,6 +20,9 @@ manager: aaroncz
## HumanPresence policies
<dl>
<dd>
<a href="#humanpresence-forceinstantdim">HumanPresence/ForceInstantDim</a>
</dd>
<dd>
<a href="#humanpresence-forceinstantlock">HumanPresence/ForceInstantLock</a>
</dd>
@ -33,6 +36,56 @@ manager: aaroncz
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantdim"></a>**HumanPresence/ForceInstantDim**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This feature dims the screen based on user attention. This is a power saving feature that prolongs battery charge.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Force Instant Dim*
- GP name: *ForceInstantDim*
- GP path: *Windows Components/Human Presence*
- GP ADMX file name: *Sensors.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 2 = ForcedOff
- 1 = ForcedOn
- 0 = DefaultToUserChoice
- Defaults to 0.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="humanpresence-forceinstantlock"></a>**HumanPresence/ForceInstantLock**

131
windows/client-management/mdm/policy-csp-lsa.md Normal file
View File

@ -0,0 +1,131 @@
---
title: Policy CSP - LocalSecurityAuthority
description: Use the LocalSecurityAuthority CSP to configure policies for the Windows Local Security Authority Subsystem Service (LSASS).
ms.author: vinpa
author: vinaypamnani-msft
ms.reviewer:
manager: aaroncz
ms.topic: reference
ms.prod: windows-client
ms.technology: itpro-manage
ms.localizationpriority: medium
ms.date: 08/26/2022
---
# Policy CSP - LocalSecurity Authority
<hr/>
<!--Policies-->
## LocalSecurityAuthority policies
<dl>
<dd>
<a href="#localsecurityauthority-allowcustomsspsaps">LocalSecurityAuthority/AllowCustomSSPsAPs</a>
</dd>
<dd>
<a href="#localsecurityauthority-configurelsaprotectedprocess">LocalSecurityAuthority/ConfigureLsaProtectedProcess</a>
</dd>
</dl>
> [!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/>
<!--Policy-->
<a href="" id="localsecurityauthority-allowcustomsspsaps"></a>**LocalSecurityAuthority/AllowCustomSSPsAPs**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting defines whether the Local Security Authority Subsystem Service (LSASS) will allow loading of custom security support providers (SSPs) and authentication providers (APs).
If you enable this policy setting or don't configure it, LSASS will allow loading of custom SSPs and APs.
If you disable this policy setting, LSASS will block custom SSPs and APs from loading.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Allow Custom SSPs and APs to be loaded into LSASS*
- GP name: *AllowCustomSSPsAPs*
- GP path: *System/Local Security Authority*
- GP ADMX file name: *LocalSecurityAuthority.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="localsecurityauthority-configurelsaprotectedprocess"></a>**Kerberos/ConfigureLsaProtectedProcess**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting configures the Local Security Authority Subsystem Service (LSASS) to run as a protected process.
If you disable (0) or don't configure this policy setting, LSASS won't run as a protected process.
If you enable this policy with UEFI lock (1), LSASS will run as a protected process and this setting will be stored in a UEFI variable.
If you enable this policy without UEFI lock (2), LSASS will run as a protected process and this setting won't be stored in a UEFI variable.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure LSASS to run as a protected process*
- GP name: *ConfigureLsaProtectedProcess*
- GP path: *System/Local Security Authority*
- GP ADMX file name: *LocalSecurityAuthority.admx*
<!--/ADMXBacked-->

704
windows/client-management/mdm/policy-csp-printers.md
View File

@ -27,12 +27,36 @@ manager: aaroncz
<dd>
<a href="#printers-approvedusbprintdevicesuser">Printers/ApprovedUsbPrintDevicesUser</a>
</dd>
<dd>
<a href="#printers-configurecopyfilespolicy">Printers/ConfigureCopyFilesPolicy</a>
</dd>
<dd>
<a href="#printers-configuredrivervalidationlevel">Printers/ConfigureDriverValidationLevel</a>
</dd>
<dd>
<a href="#printers-configureipppagecountspolicy">Printers/ConfigureIppPageCountsPolicy</a>
</dd>
<dd>
<a href="#printers-configureredirectionguardpolicy">Printers/ConfigureRedirectionGuardPolicy</a>
</dd>
<dd>
<a href="#printers-configurerpcconnectionpolicy">Printers/ConfigureRpcConnectionPolicy</a>
</dd>
<dd>
<a href="#printers-configurerpclistenerpolicy">Printers/ConfigureRpcListenerPolicy</a>
</dd>
<dd>
<a href="#printers-configurerpctcpport">Printers/ConfigureRpcTcpPort</a>
</dd>
<dd>
<a href="#printers-enabledevicecontrol">Printers/EnableDeviceControl</a>
</dd>
<dd>
<a href="#printers-enabledevicecontroluser">Printers/EnableDeviceControlUser</a>
</dd>
<dd>
<a href="#printers-managedriverexclusionlist">Printers/ManageDriverExclusionList</a>
</dd>
<dd>
<a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
</dd>
@ -42,6 +66,9 @@ manager: aaroncz
<dd>
<a href="#printers-publishprinters">Printers/PublishPrinters</a>
</dd>
<dd>
<a href="#printers-restrictdriverinstallationtoadministrators">Printers/RestrictDriverInstallationToAdministrators</a>
</dd>
</dl>
> [!TIP]
@ -57,38 +84,14 @@ manager: aaroncz
<a href="" id="printers-approvedusbprintdevices"></a>**Printers/ApprovedUsbPrintDevices**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -109,7 +112,6 @@ These requirements include restricting printing to USB connected printers that m
This policy will contain the comma-separated list of approved USB Vid&Pid combinations that the print spooler will allow to print when Device Control is enabled.
The format of this setting is `<vid>/<pid>[,<vid>/<pid>]`
Parent deliverable: 26209274 - Device Control: Printer
<!--/Description-->
<!--ADMXBacked-->
@ -129,38 +131,14 @@ ADMX Info:
<a href="" id="printers-approvedusbprintdevicesuser"></a>**Printers/ApprovedUsbPrintDevicesUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -194,42 +172,423 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="printers-configurecopyfilespolicy"></a>**Printers/ConfigureCopyFilesPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\CopyFilesPolicy` registry entry to restrict processing of the CopyFiles registry entries during printer connection installation. This registry key was added to the print system as part of the 9B security update.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to *SyncCopyFilestoColorFolderOnly* as the value and process the CopyFiles entries as appropriate.
If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
The following are the supported values:
Type: DWORD. Defaults to 1.
- 0 (DisableCopyFiles) - Don't process any CopyFiles registry entries when installing printer connections.
- 1 (SyncCopyFilestoColorFolderOnly) - Only allow CopyFiles entries that conform to the standard Color Profile scheme. This means entries using the Registry Key CopyFiles\ICM, containing a Directory value of COLOR and supporting mscms.dll as the Module value.
- 2 (AllowCopyFile) - Allow any CopyFiles registry entries to be processed/created when installing printer connections.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Manage processing of Queue-specific files*
- GP name: *ConfigureCopyFilesPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configuredrivervalidationlevel"></a>**Printers/ConfigureDriverValidationLevel**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ValidationLevel` registry entry to determine the print driver digital signatures. This registry key was added to the print system as part of the 10C security update.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to *DriverValidationLevel_Legacy* as the value and process the print driver digital signatures as appropriate.
If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
The following are the supported values:
Type: DWORD. Defaults to 4.
- 0 (DriverValidationLevel_Inbox) - Only drivers that are shipped as part of a Windows image are allowed on this computer.
- 1 (DriverValidationLevel_Trusted) - Only drivers that are shipped as part of a Windows image or drivers that are signed by certificates installed in the 'PrintDrivers' certificate store are allowed on this computer.
- 2 (DriverValidationLevel_WHQL)- Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, or signed by the Windows Hardware Quality Lab (WHQL).
- 3 (DriverValidationLevel_TrustedShared) - Only drivers allowed on this computer are those that are: shipped as part of a Windows image, signed by certificates installed in the 'PrintDrivers' certificate store, signed by the Windows Hardware Quality Lab (WHQL), or signed by certificates installed in the 'Trusted Publishers' certificate store.
- 4 (DriverValidationLevel_Legacy) - Any print driver that has a valid embedded signature or can be validated against the print driver catalog can be installed on this computer.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Manage Print Driver signature validation*
- GP name: *ConfigureDriverValidationLevel*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configureipppagecountspolicy"></a>**Printers/ConfigureIppPageCountsPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\IPP\AlwaysSendIppPageCounts`registry entry to allow administrators to configure setting for the IPP print stack.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to sending page count job accounting information for IPP print jobs only when necessary.
If the policy object is Enabled, the code will always send page count job accounting information for IPP print jobs.
The following are the supported values:
AlwaysSendIppPageCounts: DWORD. Defaults to 0.
- 0 (Disabled) - Job accounting information will not always be sent for IPP print jobs **(default)**.
- 1 (Enabled) - Job accounting information will always be sent for IPP print jobs.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Always send job page count information for IPP printers*
- GP name: *ConfigureIppPageCountsPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configureredirectionguardpolicy"></a>**Printers/ConfigureRedirectionGuardPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\ConfigureRedirectionGuard` registry entry, which in turn is used to control the functionality of the Redirection Guard feature in the spooler process.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to 1 (enabled) as the value and will prevent redirection primitives in the spooler from being used.
If the policy object is Enabled, the code will read the *DWORD* value from the registry entry and act accordingly.
The following are the supported values:
Type: DWORD, defaults to 1.
- 0 (Redirection Guard Disabled) - Redirection Guard is not enabled for the spooler process and will not prevent the use of redirection primitives within said process.
- 1 (Redirection Guard Enabled) - Redirection Guard is enabled for the spooler process and will prevent the use of redirection primitives from being used.
- 2 (Redirection Guard Audit Mode) - Redirection Guard will be disabled but will log telemetry events as though it were enabled.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure Redirection Guard*
- GP name: *ConfigureRedirectionGuardPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configurerpcconnectionpolicy"></a>**Printers/ConfigureRpcConnectionPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC connections in the print stack.
There are 2 values which can be configured:
- RpcUseNamedPipeProtocol DWORD
- 0: RpcOverTcp (default)
- 1: RpcOverNamedPipes
- RpcAuthentication DWORD
- 0: RpcConnectionAuthenticationDefault (default)
- 1: RpcConnectionAuthenticationEnabled
- 2: RpcConnectionAuthenticationDisabled
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp*, and RPC authentication enabled on domain joined machines and RPC authentication disabled on non domain joined machines.
If the policy object is Enabled, the code will read the DWORD values from the registry entries and act accordingly.
The following are the supported values:
- Not configured or Disabled - The print stack makes RPC connections over TCP and enables RPC authentication on domain joined machines, but disables RPC authentication on non domain joined machines.
- Enabled - The print stack reads from the registry to determine RPC protocols to connect on and whether to perform RPC authentication.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure RPC connection settings*
- GP name: *ConfigureRpcConnectionPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configurerpclistenerpolicy"></a>**Printers/ConfigureRpcListenerPolicy**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage 2 new DWORD Values added under the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners in the print stack.
There are 2 values which can be configured:
- RpcProtocols DWORD
- 3: RpcOverNamedPipes - Only listen for incoming RPC connections using named pipes
- 5: RpcOverTcp - Only listen for incoming RPC connections using TCP (default)
- 7: RpcOverNamedPipesAndTcp - Listen for both RPC connections over named pipes over TCP
- ForceKerberosForRpc DWORD
- 0: RpcAuthenticationProtocol_Negotiate - Use Negotiate protocol for RPC connection authentication (default). Negotiate negotiates between Kerberos and NTLM depending on client/server support
- 1: RpcAuthenticationProtocol_Kerberos - Only allow Kerberos protocol to be used for RPC authentication
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to *RpcOverTcp* and *RpcAuthenticationProtocol_Negotiate*.
If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
The following are the supported values:
- Not configured or Disabled - The print stack listens for incoming RPC connections over TCP and uses Negotiate authentication protocol.
- Enabled - The print stack reads from the registry to determine RPC protocols to listen on and authentication protocol to use.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure RPC listener settings*
- GP name: *ConfigureRpcListenerPolicy*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-configurerpctcpport"></a>**Printers/ConfigureRpcTcpPort**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage a new DWORD Value added under the the `Software\Policies\Microsoft\Windows NT\Printers\RPC` registry key to allow administrators to configure RPC security settings used by RPC listeners and connections in the print stack.
- RpcTcpPort DWORD
- 0: Use dynamic TCP ports for RPC over TCP (default).
- 1-65535: Use the given port for RPC over TCP.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the code will default to dynamic ports for *RpcOverTcp*.
If the policy object is Enabled, the code will read the DWORD values from the registry entry and act accordingly.
The following are the supported values:
- Not configured or Disabled - The print stack uses dynamic TCP ports for RPC over TCP.
- Enabled - The print stack reads from the registry to determine which TCP port to use for RPC over TCP.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Configure RPC over TCP port*
- GP name: *ConfigureRpcTcpPort*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-enabledevicecontrol"></a>**Printers/EnableDeviceControl**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -274,38 +633,14 @@ ADMX Info:
<a href="" id="printers-enabledevicecontroluser"></a>**Printers/EnableDeviceControlUser**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -345,6 +680,62 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="printers-managedriverexclusionlist"></a>**Printers/ManageDriverExclusionList**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList` registry key to allow administrators to curate a set of print drivers that are not allowed to be installed on the computer. This registry key was added to the print system as part of the 10C security update.
The default value of the policy will be Unconfigured.
If the policy object is either Unconfigured or Disabled, the registry Key will not exist and there will not be a Print Driver exclusion list.
If the policy object is Enabled, the ExclusionList Reg Key will contain one or more *REG_ZS* values that represent the list of excluded print driver INF or main DLL files. Tach *REG_SZ* value will have the file hash as the name and the file name as the data value.
The following are the supported values:
Create REG_SZ Values under key `Software\Policies\Microsoft\Windows NT\Printers\Driver\ExclusionList`
Type: REG_SZ
Value Name: Hash of excluded file
Value Data: Name of excluded file
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Manage Print Driver exclusion list*
- GP name: *ManageDriverExclusionList*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--Policy-->
<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**
@ -548,6 +939,61 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="printers-restrictdriverinstallationtoadministrators"></a>**Printers/RestrictDriverInstallationToAdministrators**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This new Group Policy entry will be used to manage the `Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint\RestrictDriverInstallationToAdministrators` registry entry for restricting print driver installation to Administrator users.
This registry key was added to the print system as part of the 7OOB security update and use of this registry key was expanded as part of the 8B security rollup.
The default value of the policy will be Unconfigured.
If the policy value is either Unconfigured or Enabled, only Administrators or members of an Administrator security group (Administrators, Domain Administrators, Enterprise Administrators) will be allowed to install print drivers on the computer.
If the policy value is Disabled, standard users will also be allowed to install print drivers on the computer.
The following are the supported values:
- Not configured or Enabled - Only administrators can install print drivers on the computer.
- Disabled - Standard users are allowed to install print drivers on the computer.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Restrict installation of print drivers to Administrators*
- GP name: *RestrictDriverInstallationToAdministrators*
- GP path: *Printers*
- GP ADMX file name: *Printing.admx*
<!--/ADMXBacked-->
<hr/>
<!--/Policies-->
## Related topics

56
windows/client-management/mdm/policy-csp-search.md
View File

@ -57,6 +57,9 @@ manager: aaroncz
<dd>
<a href="#search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
</dd>
<dd>
<a href="#search-disablesearch">Search/DisableSearch</a>
</dd>
<dd>
<a href="#search-donotusewebresults">Search/DoNotUseWebResults</a>
</dd>
@ -639,6 +642,57 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="search-disablesearch"></a>**Search/DisableSearch**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures.
It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Fully disable Search UI*
- GP name: *DisableSearch*
- GP path: *Windows Components/Search*
- GP ADMX file name: *Search.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Do not disable search.
- 1 Disable search.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="search-donotusewebresults"></a>**Search/DoNotUseWebResults**
@ -774,7 +828,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index..
If enabled, clients will be unable to query this computer's index remotely. Thus, when they're browsing network shares that are stored on this computer, they won't search them using the index. If disabled, client search requests will use this computer's index.
<!--/Description-->
<!--ADMXMapped-->

276
windows/client-management/mdm/policy-csp-start.md
View File

@ -56,6 +56,12 @@ manager: aaroncz
<dd>
<a href="#start-disablecontextmenus">Start/DisableContextMenus</a>
</dd>
<dd>
<a href="#start-disablecontrolcenter">Start/DisableControlCenter</a>
</dd>
<dd>
<a href="#start-disableeditingquicksettings">Start/DisableEditingQuickSettings</a>
</dd>
<dd>
<a href="#start-forcestartsize">Start/ForceStartSize</a>
</dd>
@ -86,6 +92,9 @@ manager: aaroncz
<dd>
<a href="#start-hiderecentlyaddedapps">Start/HideRecentlyAddedApps</a>
</dd>
<dd>
<a href="#start-hiderecommendedsection">Start/HideRecommendedSection</a>
</dd>
<dd>
<a href="#start-hiderestart">Start/HideRestart</a>
</dd>
@ -101,6 +110,9 @@ manager: aaroncz
<dd>
<a href="#start-hideswitchaccount">Start/HideSwitchAccount</a>
</dd>
<dd>
<a href="#start-hidetaskviewbutton">Start/HideTaskViewButton</a>
</dd>
<dd>
<a href="#start-hideusertile">Start/HideUserTile</a>
</dd>
@ -113,6 +125,9 @@ manager: aaroncz
<dd>
<a href="#start-showorhidemostusedapps">Start/ShowOrHideMostUsedApps</a>
</dd>
<dd>
<a href="#start-simplifyquicksettings">Start/SimplifyQuickSettings</a>
</dd>
<dd>
<a href="#start-startlayout">Start/StartLayout</a>
</dd>
@ -665,6 +680,100 @@ The following list shows the supported values:
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-disablecontrolcenter"></a>**Start/DisableControlCenter**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume.
If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled.
>[!Note]
> A reboot is required for this policy setting to take effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Remove control center*
- GP name: *DisableControlCenter*
- GP path: *Start Menu and Taskbar*
- GP ADMX file name: *Taskbar.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values:
- Integer 0 - Disabled/Not configured.
- Integer 1 - Enabled.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-disableeditingquicksettings"></a>**Start/DisableEditingQuickSettings**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will allow admins to indicate whether Quick Actions can be edited by the user.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0: Allow editing Quick Actions (default)
- 1: Disable editing Quick Actions
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
@ -1208,6 +1317,47 @@ To validate on Desktop, do the following steps:
<hr/>
<!--Policy-->
<a href="" id="start-hiderecommendedsection"></a>**Start/HideRecommendedSection**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows you to hide the Start Menu's Recommended section when enabled.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0 (default): Do not hide the Start menu's Recommended section.
- 1: Hide the Start menu's Recommended section.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-hiderestart"></a>**Start/HideRestart**
@ -1453,6 +1603,48 @@ To validate on Desktop, do the following steps:
<hr/>
<!--Policy-->
<a href="" id="start-hidetaskviewbutton"></a>**Start/HideTaskViewButton**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows you to hide the Task View button from the Taskbar and its corresponding option in the Settings app.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0 (default): Do not hide the Taskbar's Task View button.
- 1: Hide the Taskbar's Task View button.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-hideusertile"></a>**Start/HideUserTile**
@ -1622,38 +1814,15 @@ To validate on Desktop, do the following steps:
<a href="" id="start-showorhidemostusedapps"></a>**Start/ShowOrHideMostUsedApps**
<!--SupportedSKUs-->
<table>
<tr>
<th>Edition</th>
<th>Windows 10</th>
<th>Windows 11</th>
</tr>
<tr>
<td>Home</td>
<td>No</td>
<td>No</td>
</tr>
<tr>
<td>Pro</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Business</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Enterprise</td>
<td>Yes</td>
<td>Yes</td>
</tr>
<tr>
<td>Education</td>
<td>Yes</td>
<td>Yes</td>
</tr>
</table>
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
@ -1686,6 +1855,47 @@ On clean install, the user setting defaults to "hide".
<hr/>
<!--Policy-->
<a href="" id="start-simplifyquicksettings"></a>**Start/SimplifyQuickSettings**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy will allow admins to indicate whether the default or simplified Quick Actions layout should be loaded.
<!--/Description-->
<!--SupportedValues-->
The following are the supported values:
- 0: load regular Quick Actions layout.
- 1: load simplified Quick Actions layout.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="start-startlayout"></a>**Start/StartLayout**
@ -1746,4 +1956,4 @@ ADMX Info:
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)
[Policy configuration service provider](policy-configuration-service-provider.md)

233
windows/client-management/mdm/policy-csp-webthreatdefense.md Normal file
View File

@ -0,0 +1,233 @@
---
title: Policy CSP - WebThreatDefense
description: Learn about the Policy CSP - WebThreatDefense.
ms.author: v-aljupudi
ms.topic: article
ms.prod: w10
ms.technology: windows
author: alekyaj
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
---
# Policy CSP - WebThreatDefense
<hr/>
<!--Policies-->
## WebThreatDefense policies
<dl>
<dd>
<a href="#webthreatdefense-enableservice">WebThreatDefense/EnableService</a>
</dd>
<dd>
<a href="#webthreatdefense-notifymalicious">WebThreatDefense/NotifyMalicious</a>
</dd>
<dd>
<a href="#webthreatdefense-notifypasswordreuse">WebThreatDefense/NotifyPasswordReuse</a>
</dd>
<dd>
<a href="#webthreatdefense-notifyunsafeapp">WebThreatDefense/NotifyUnsafeApp</a>
</dd>
</dl>
>[!NOTE]
>In Microsoft Intune, this CSP is under the “Enhanced Phishing Protection” category.
<!--Policy-->
<a href="" id="webthreatdefense-enableservice"></a>**WebThreatDefense/EnableService**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender.
If you enable this policy setting or dont configure this setting, Enhanced Phishing Protection is enabled in audit mode, and your users are unable to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Configure Web Threat Defense*
- GP name: *EnableWebThreatDefenseService*
- GP path: *Windows Security\App & browser control\Reputation-based protection\Phishing protections*
- GP ADMX file name: *WebThreatDefense.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0:Turns off Enhanced Phishing Protection.
- 1:Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="webthreatdefense-notifymalicious"></a>**WebThreatDefense/NotifyMalicious**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above, and encourages them to change their password.
If you disable or dont configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0:Turns off Enhanced Phishing Protection notifications when users type their work or school password into one of the following malicious scenarios: a reported phishing site, a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.
- 1:Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="webthreatdefense-notifypasswordreuse"></a>**WebThreatDefense/NotifyPasswordReuse**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.
If you disable or dont configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0:Turns off Enhanced Phishing Protection notifications when users reuse their work or school password.
- 1:Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="webthreatdefense-notifyunsafeapp"></a>**WebThreatDefense/NotifyUnsafeApp**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|Yes|
|Business|No|Yes|
|Enterprise|No|Yes|
|Education|No|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in text editor apps.
If you disable or dont configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps.
<!--/Description-->
<!--SupportedValues-->
The following list shows the supported values:
- 0:Turns off Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc.
- 1:Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

49
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -35,6 +35,9 @@ manager: aaroncz
<dd>
<a href="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="#windowslogon-enablemprnotifications">WindowsLogon/EnableMPRNotifications</a>
</dd>
<dd>
<a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
@ -362,6 +365,52 @@ Supported values:
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enablemprnotifications"></a>**WindowsLogon/EnableMPRNotifications**
<!--SupportedSKUs-->
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows winlogon to send MPR notifications in the system if a credential manager is configured.
If you disable (0), MPR notifications will not be sent by winlogon.
If you enable (1) or do not configure this policy setting this policy, MPR notifications will be sent by winlogon.
<!--/Description-->
<!--SupportedValues-->
Supported values:
- 0 - disabled
- 1 (default)- enabled
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**

72
windows/client-management/mdm/sharedpc-csp.md
View File

@ -1,7 +1,7 @@
---
title: SharedPC CSP
description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage.
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@ -31,6 +31,7 @@ The following example shows the SharedPC configuration service provider manageme
./Vendor/MSFT
SharedPC
----EnableSharedPCMode
----EnableSharedPCModeWithOneDriveSync
----SetEduPolicies
----SetPowerPolicies
----MaintenanceStartTime
@ -47,12 +48,12 @@ SharedPC
----InactiveThreshold
----MaxPageFileSizeMB
```
<a href="" id="--vendor-msft-sharedpc"></a>**./Vendor/MSFT/SharedPC**
<a href="" id="--vendor-msft-sharedpc"></a>**./Vendor/MSFT/SharedPC**
The root node for the SharedPC configuration service provider.
The supported operation is Get.
<a href="" id="enablesharedpcmode"></a>**EnableSharedPCMode**
<a href="" id="enablesharedpcmode"></a>**EnableSharedPCMode**
A boolean value that specifies whether Shared PC mode is enabled.
The supported operations are Add, Get, Replace, and Delete.
@ -61,16 +62,23 @@ Setting this value to True triggers the action to configure a device to Shared P
The default value is Not Configured and SharedPC mode is not enabled.
<a href="" id="setedupolicies"></a>**SetEduPolicies**
<a href="" id="enablesharedpcmodewithonedrivesync"></a>**EnableSharedPCModeWithOneDriveSync**
Setting this node to true triggers the action to configure a device to Shared PC mode with OneDrive sync turned on.
The supported operations are Add, Get, Replace, and Delete.
The default value is false.
<a href="" id="setedupolicies"></a>**SetEduPolicies**
A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment.
The supported operations are Add, Get, Replace, and Delete.
The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
The default value changed to false in Windows 10, version 1703. The default value is Not Configured and this node needs to be configured independent of EnableSharedPCMode.
In Windows 10, version 1607, the value is set to True and the education environment is automatically configured when SharedPC mode is configured.
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
<a href="" id="setpowerpolicies"></a>**SetPowerPolicies**
Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode.
> [!NOTE]
@ -80,7 +88,7 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and the effective power settings are determined by the OS's default power settings. Its value in the SharedPC provisioning package is True.
<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
<a href="" id="maintenancestarttime"></a>**MaintenanceStartTime**
Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. The range is 0-1440.
> [!NOTE]
@ -90,7 +98,7 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is 0 (12 AM).
<a href="" id="signinonresume"></a>**SignInOnResume**
<a href="" id="signinonresume"></a>**SignInOnResume**
Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode.
> [!NOTE]
@ -100,8 +108,8 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
<a href="" id="sleeptimeout"></a>**SleepTimeout**
The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
<a href="" id="sleeptimeout"></a>**SleepTimeout**
The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional.
> [!NOTE]
> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken.
@ -110,7 +118,7 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured, and effective behavior is determined by the OS's default settings. Its value in the SharedPC provisioning package for Windows 10, version 1703 is 300, and in Windows 10, version 1607 is 3600.
<a href="" id="enableaccountmanager"></a>**EnableAccountManager**
<a href="" id="enableaccountmanager"></a>**EnableAccountManager**
A boolean that enables the account manager for shared PC mode.
> [!NOTE]
@ -120,7 +128,7 @@ The supported operations are Add, Get, Replace, and Delete.
The default value is Not Configured and its value in the SharedPC provisioning package is True.
<a href="" id="accountmodel"></a>**AccountModel**
<a href="" id="accountmodel"></a>**AccountModel**
Configures which type of accounts are allowed to use the PC.
> [!NOTE]
@ -136,7 +144,7 @@ The following list shows the supported values:
Its value in the SharedPC provisioning package is 1 or 2.
<a href="" id="deletionpolicy"></a>**DeletionPolicy**
<a href="" id="deletionpolicy"></a>**DeletionPolicy**
Configures when accounts are deleted.
> [!NOTE]
@ -149,7 +157,7 @@ For Windows 10, version 1607, here's the list shows the supported values:
- 0 - Delete immediately.
- 1 (default) - Delete at disk space threshold.
For Windows 10, version 1703, here's the list of supported values:
For Windows 10, version 1703, here's the list of supported values:
- 0 - Delete immediately.
- 1 - Delete at disk space threshold.
@ -157,7 +165,7 @@ For Windows 10, version 1703, here's the list of supported values:
The default value is Not Configured. Its value in the SharedPC provisioning package is 1 or 2.
<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**
<a href="" id="diskleveldeletion"></a>**DiskLevelDeletion**
Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first.
> [!NOTE]
@ -169,7 +177,7 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel
The supported operations are Add, Get, Replace, and Delete.
<a href="" id="disklevelcaching"></a>**DiskLevelCaching**
<a href="" id="disklevelcaching"></a>**DiskLevelCaching**
Sets the percentage of available disk space a PC should have before it stops deleting cached accounts.
> [!NOTE]
@ -181,48 +189,48 @@ For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevel
The supported operations are Add, Get, Replace, and Delete.
<a href="" id="restrictlocalstorage"></a>**RestrictLocalStorage**
Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional.
<a href="" id="restrictlocalstorage"></a>**RestrictLocalStorage**
Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional.
The default value is Not Configured and behavior is no such restriction applied. Value type is bool. Supported operations are Add, Get, Replace, and Delete. Default in SharedPC provisioning package is False.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
<a href="" id="kioskmodeaumid"></a>**KioskModeAUMID**
Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional.
- Value type is string.
- Supported operations are Add, Get, Replace, and Delete.
- Value type is string.
- Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional.
<a href="" id="kioskmodeusertiledisplaytext"></a>**KioskModeUserTileDisplayText**
Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen that launches the app specified by KioskModeAUMID. This node is optional.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
<a href="" id="inactivethreshold"></a>**InactiveThreshold**
<a href="" id="inactivethreshold"></a>**InactiveThreshold**
Added in Windows 10, version 1703. Accounts will start being deleted when they haven't been logged on during the specified period, given as number of days.
- The default value is Not Configured.
- Value type is integer.
- The default value is Not Configured.
- Value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 30.
<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional.
<a href="" id="maxpagefilesizemb"></a>**MaxPageFileSizeMB**
Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. This node is optional.
> [!NOTE]
> If used, this value must set before the action on the **EnableSharedPCMode** node is taken.
- Default value is Not Configured.
- Value type is integer.
- Default value is Not Configured.
- Value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
The default in the SharedPC provisioning package is 1024.

28
windows/client-management/mdm/sharedpc-ddf-file.md
View File

@ -1,7 +1,7 @@
---
title: SharedPC DDF file
description: Learn how the OMA DM device description framework (DDF) for the SharedPC configuration service provider (CSP).
ms.reviewer:
ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@ -70,6 +70,32 @@ The XML below is the DDF for Windows 10, version 1703.
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnableSharedPCModeWithOneDriveSync</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Setting this node to “1” triggers the action to configure a device to Shared PC mode with OneDrive sync turned on</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Enable Shared PC mode with OneDrive sync</DFTitle>
<DFType>
<MIME />
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SetEduPolicies</NodeName>
<DFProperties>

11
windows/client-management/mdm/toc.yml
View File

@ -338,6 +338,11 @@ items:
items:
- name: PassportForWork DDF file
href: passportforwork-ddf.md
- name: PersonalDataEncryption CSP
href: personaldataencryption-csp.md
items:
- name: PersonalDataEncryption DDF file
href: personaldataencryption-ddf-file.md
- name: Personalization CSP
href: personalization-csp.md
items:
@ -690,6 +695,8 @@ items:
href: policy-csp-deliveryoptimization.md
- name: Desktop
href: policy-csp-desktop.md
- name: DesktopAppInstaller
href: policy-csp-desktopappinstaller.md
- name: DeviceGuard
href: policy-csp-deviceguard.md
- name: DeviceHealthMonitoring
@ -738,6 +745,8 @@ items:
href: policy-csp-licensing.md
- name: LocalPoliciesSecurityOptions
href: policy-csp-localpoliciessecurityoptions.md
- name: LocalSecurityAuthority
href: policy-csp-lsa.md
- name: LocalUsersAndGroups
href: policy-csp-localusersandgroups.md
- name: LockDown
@ -818,6 +827,8 @@ items:
href: policy-csp-userrights.md
- name: VirtualizationBasedTechnology
href: policy-csp-virtualizationbasedtechnology.md
- name: WebThreatDefense
href: policy-csp-webthreatdefense.md
- name: Wifi
href: policy-csp-wifi.md
- name: WindowsAutoPilot

2
windows/configuration/TOC.yml
View File

@ -43,7 +43,7 @@
- name: Accessibility settings
items:
- name: Accessibility information for IT Pros
href: windows-10-accessibility-for-ITPros.md
href: windows-accessibility-for-ITPros.md
- name: Configure access to Microsoft Store
href: stop-employees-from-using-microsoft-store.md
- name: Configure Windows Spotlight on the lock screen

8
windows/configuration/supported-csp-start-menu-layout-windows.md
View File

@ -14,6 +14,7 @@ ms.localizationpriority: medium
**Applies to**:
- Windows 11
- Windows 11, version 22H2
The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
@ -49,6 +50,10 @@ For information on customizing the Start menu layout using policy, see [Customiz
The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu.
**The following policies are supported starting with Windows 11, version 22H2:**
- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
- [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus)
## Existing CSP policies that Windows 11 doesn't support
- [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout)
@ -56,6 +61,9 @@ For information on customizing the Start menu layout using policy, see [Customiz
- [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps)
- Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu`
> [!NOTE]
> The following two policies are supported starting in Windows 11, version 22H2
- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
- Group policy:

91
windows/configuration/windows-10-accessibility-for-ITPros.md
View File

@ -1,91 +0,0 @@
---
title: Windows 10 accessibility information for IT Pros (Windows 10)
description: Lists the various accessibility features available in Windows 10 with links to detailed guidance on how to set them
keywords: accessibility, settings, vision, hearing, physical, cognition, assistive
ms.prod: w10
ms.author: lizlong
author: lizgt2000
ms.localizationpriority: medium
ms.date: 01/12/2018
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
# Accessibility information for IT Professionals
Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
This topic helps IT administrators learn about built-in accessibility features, and includes a few recommendations for how to support people in your organization who use these features.
## General recommendations
- **Be aware of Ease of Access settings** Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows 10.
- **Do not block settings** Avoid using Group Policy or MDM settings that override Ease of Access settings.
- **Encourage choice** Allow people in your organization to customize their computers based on their needs. That customization might mean installing an add-on for their browser, or a non-Microsoft assistive technology.
## Vision
| Accessibility feature | Description |
|---------------------------|------------|
| [Use Narrator to use devices without a screen](https://support.microsoft.com/help/22798/windows-10-narrator-get-started) | Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices.|
| [Create accessible apps](https://developer.microsoft.com/windows/accessible-apps) | You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.|
| Use keyboard shortcuts for [Windows](https://support.microsoft.com/help/12445/windows-keyboard-shortcuts), [Narrator](https://support.microsoft.com/help/22806), and [Magnifier](https://support.microsoft.com/help/13810) | Get the most out of Windows with shortcuts for apps and desktops.|
| Get closer with [Magnifier](https://support.microsoft.com/help/11542/windows-use-magnifier) | Magnifier enlarges all or part of your screen and offers various configuration settings.|
| [Cursor and pointer adjustments](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.|
| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.|
| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
| [Customize the size](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) of screen items | You can adjust the size of text, icons, and other screen items to make them easier to see.|
| [Improve contrast](https://support.microsoft.com/help/27928/windows-10-make-windows-easier-to-see) | Many high-contrast themes are available to suit your needs.|
| [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.|
| [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.|
| [Read in Braille](https://support.microsoft.com/help/4004263) | Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.|
## Hearing
| Accessibility feature | Description |
|---------------------------|------------|
| [Transcribe with Translator](https://www.skype.com/en/features/skype-translator) | Translator can transcribe voice to text so you wont miss whats being said. |
| [Use Skype for sign language](https://www.skype.com/en/) | Skype is available on various platforms and devices, so you dont have to worry about whether your co-workers, friends and family can communicate with you.|
| [Get visual notifications for sounds](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear) | You can replace audible alerts with visual alerts.|
| [Keep notifications around longer](https://support.microsoft.com/help/27933/windows-10-make-windows-easier-to-hear)|If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.|
| [Read spoken words with closed captioning](https://support.microsoft.com/help/21055/windows-10-closed-caption-settings) | You can customize things like color, size, and background transparency to suit your needs and tastes.|
| [Switch to mono audio](https://support.microsoft.com/help/27933/) | Sending all sounds to both left and right channels is helpful for those people with partial hearing loss or deafness in one ear.|
## Physical
| Accessibility feature | Description|
|---------------------------|------------|
| [Have Cortana assist](https://support.microsoft.com/help/17214/windows-10-what-is) | Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.|
| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).|
| [Live Tiles](https://support.microsoft.com/help/17176/windows-10-organize-your-apps)| Because Live Tiles display constantly updated information for many apps, you don't have to bother actually opening them. You can arrange, resize, and move tiles as needed.|
| [Keyboard assistance features](https://support.microsoft.com/help/27936)| You can personalize your keyboard to ignore repeated keys and do other helpful things if you have limited control of your hands.|
| [Mouse Keys](https://support.microsoft.com/help/27936)|If a mouse is difficult to use, you can control the pointer by using your numeric keypad.|
## Cognition
| Accessibility feature | Description|
|---------------------------|------------|
| [Simplify for focus](https://support.microsoft.com/help/27930) | Reducing animations and turning off background images and transparency can minimize distractions.|
| Use the On-Screen Keyboard (OSK) | Instead of relying on a physical keyboard, you can use the [On-Screen Keyboard](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard) to type and enter data and select keys with a mouse or other pointing device. Additionally, the OSK offers [word prediction and completion](https://support.microsoft.com/help/10762/windows-use-on-screen-keyboard).|
| [Dictate text and commands](https://support.microsoft.com/help/17208/windows-10-use-speech-recognition) | Windows includes speech recognition that lets you tell it what to do.|
| [Use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721) | Fluent Sitka Small and Fluent Calibri are fonts that address "visual crowding" by adding character and enhance word and line spacing. |
| [Edge Reading View](https://support.microsoft.com/help/17204/windows-10-take-your-reading-with-you) | Clears distracting content from web pages so you can stay focused on what you really want to read. |
| [Edge includes an e-book reader](https://support.microsoft.com/help/4014945) | The Microsoft Edge e-book reader includes options to increase text spacing and read text aloud to help make it easier for everyone to read and enjoy text, including people with learning differences like dyslexia and English language learners. |
## Assistive technology devices built into Windows 10
| Assistive technology | How it helps |
|---------------------------|------------|
| [Hear text read aloud with Narrator](https://support.microsoft.com/help/17173) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.|
| [Use Speech Recognition]( https://support.microsoft.com/help/17208 ) | Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.|
| [Save time with keyboard shortcuts]( https://support.microsoft.com/help/17189) | Keyboard shortcuts for apps and desktops.|
## Other resources
[Windows accessibility](https://www.microsoft.com/Accessibility/windows)
[Designing accessible software]( https://msdn.microsoft.com/windows/uwp/accessibility/designing-inclusive-software)
[Inclusive Design](https://www.microsoft.com/design/inclusive)
[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)

117
windows/configuration/windows-accessibility-for-ITPros.md Normal file
View File

@ -0,0 +1,117 @@
---
title: Windows accessibility information for IT Pros
description: Lists the various accessibility features available in Windows client with links to detailed guidance on how to set them.
ms.prod: windows-client
ms.technology: itpro-configure
ms.author: lizlong
author: lizgt2000
ms.reviewer:
manager: aaroncz
ms.localizationpriority: medium
ms.date: 09/20/2022
ms.topic: reference
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
---
# Accessibility information for IT professionals
Microsoft is dedicated to making its products and services accessible and usable for everyone. Windows includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows.
This article helps you as the IT administrator learn about built-in accessibility features. It also includes recommendations for how to support people in your organization who use these features.
Windows 11, version 22H2, includes improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).<!-- 6294246 -->
## General recommendations
- **Be aware of Ease of Access settings**. Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows.
- **Don't block settings**. Avoid using group policy or MDM settings that override Ease of Access settings.
- **Encourage choice**. Allow people in your organization to customize their computers based on their needs. That customization might be installing an add-on for their browser, or a non-Microsoft assistive technology.
## Vision
- [Use Narrator to use devices without a screen](https://support.microsoft.com/windows/complete-guide-to-narrator-e4397a0d-ef4f-b386-d8ae-c172f109bdb1). Narrator describes Windows and apps and enables you to control devices by using a keyboard, controller, or with a range of gestures on touch-supported devices. Starting in Windows 11, version 22H2, Narrator includes more natural voices.
- [Create accessible apps](/windows/apps/develop/accessibility). You can develop accessible apps just like Mail, Groove, and Store that work well with Narrator and other leading screen readers.
- Use keyboard shortcuts. Get the most out of Windows with shortcuts for apps and desktops.
- [Keyboard shortcuts in Windows](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec)
- [Narrator keyboard commands and touch gestures](https://support.microsoft.com/windows/appendix-b-narrator-keyboard-commands-and-touch-gestures-8bdab3f4-b3e9-4554-7f28-8b15bd37410a)
- [Windows keyboard shortcuts for accessibility](https://support.microsoft.com/windows/windows-keyboard-shortcuts-for-accessibility-021bcb62-45c8-e4ef-1e4f-41b8c1fc87fd)
- Get closer with [Magnifier](https://support.microsoft.com/windows/use-magnifier-to-make-things-on-the-screen-easier-to-see-414948ba-8b1c-d3bd-8615-0e5e32204198). Magnifier enlarges all or part of your screen and offers various configuration settings.
- [Make Windows easier to see](https://support.microsoft.com/windows/make-windows-easier-to-see-c97c2b0d-cadb-93f0-5fd1-59ccfe19345d).
- Changing the size or color of pointers or adding trails or touch feedback make it easier to follow the mouse.
- Adjust the size of text, icons, and other screen items to make them easier to see.
- Many high-contrast themes are available to suit your needs.
- [Have Cortana assist](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes speech recognition that lets you tell it what to do.
- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
- [Keep notifications around longer](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1). If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
- [Read in Braille](https://support.microsoft.com/windows/chapter-8-using-narrator-with-braille-3e5f065b-1c9d-6eb2-ec6d-1d07c9e94b20). Narrator supports braille displays from more than 35 manufacturers using more than 40 languages and multiple braille variants.
## Hearing
- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said.
- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you.
- [Make Windows easier to hear](https://support.microsoft.com/windows/make-windows-easier-to-hear-9c18cfdc-63be-2d47-0f4f-5b00facfd2e1).
- Replace audible alerts with visual alerts.
- If notifications aren't staying visible long enough for you to notice them, you can increase the time a notification will be displayed up to five minutes.
- Send all sounds to both left and right channels, which is helpful for those people with partial hearing loss or deafness in one ear.
- [Read spoken words with captioning](https://support.microsoft.com/windows/change-caption-settings-135c465b-8cfd-3bac-9baf-4af74bc0069a). You can customize things like color, size, and background transparency to suit your needs and tastes.
- Use the [Azure Cognitive Services Translator](/azure/cognitive-services/translator/) service to add machine translation to your solutions.
## Physical
- [Have Cortana assist you](https://support.microsoft.com/topic/what-is-cortana-953e648d-5668-e017-1341-7f26f7d0f825). Cortana can handle various tasks for you, including setting reminders, opening apps, finding facts, and sending emails and texts.
- [Dictate text and commands](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571). Windows includes voice recognition that lets you tell it what to do.
- [Use the On-Screen Keyboard (OSK)](https://support.microsoft.com/windows/use-the-on-screen-keyboard-osk-to-type-ecbb5e08-5b4e-d8c8-f794-81dbf896267a). Instead of relying on a physical keyboard, use the OSK to enter data and select keys with a mouse or other pointing device. It also offers word prediction and completion.
- [Make your mouse, keyboard, and other input devices easier to use](https://support.microsoft.com/windows/make-your-mouse-keyboard-and-other-input-devices-easier-to-use-10733da7-fa82-88be-0672-f123d4b3dcfe).
- If you have limited control of your hands, you can personalize your keyboard to do helpful things like ignore repeated keys.
- If a mouse is difficult to use, you can control the pointer by using your numeric keypad.
## Cognition
- [Simplify for focus](https://support.microsoft.com/windows/make-it-easier-to-focus-on-tasks-0d259fd9-e9d0-702c-c027-007f0e78eaf2). Reducing animations and turning off background images and transparency can minimize distractions.
- [Download and use fonts that are easier to read](https://www.microsoft.com/download/details.aspx?id=50721). **Fluent Sitka Small** and **Fluent Calibri** are fonts that address "visual crowding" by adding character and enhance word and line spacing.
- [Microsoft Edge reading view](https://support.microsoft.com/windows/take-your-reading-with-you-b6699255-4436-708e-7b93-4d2e19a15af8). Clears distracting content from web pages so you can stay focused on what you really want to read.
## Assistive technology devices built into Windows
- [Hear text read aloud with Narrator](https://support.microsoft.com/windows/hear-text-read-aloud-with-narrator-040f16c1-4632-b64e-110a-da4a0ac56917). Narrator reads text on your PC screen aloud and describes events, such as notifications or calendar appointments, so you can use your PC without a display.
- [Use voice recognition](https://support.microsoft.com/windows/use-voice-recognition-in-windows-83ff75bd-63eb-0b6c-18d4-6fae94050571).
- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
## Other resources
[Windows accessibility](https://www.microsoft.com/Accessibility/windows)
[Designing accessible software](/windows/apps/design/accessibility/designing-inclusive-software)
[Inclusive design](https://www.microsoft.com/design/inclusive)
[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)

4
windows/deployment/update/deploy-updates-configmgr.md
View File

@ -2,9 +2,9 @@
title: Deploy Windows client updates with Configuration Manager
description: Deploy Windows client updates with Configuration Manager
ms.prod: w10
author: aczechowski
author: mestew
ms.localizationpriority: medium
ms.author: aaroncz
ms.author: mstewart
ms.reviewer:
manager: dougeby
ms.topic: article

29
windows/deployment/update/waas-restart.md
View File

@ -10,6 +10,7 @@ ms.topic: article
ms.custom:
- seo-marvel-apr2020
ms.collection: highpri
date: 09/22/2022
---
# Manage device restarts after updates
@ -18,11 +19,11 @@ ms.collection: highpri
**Applies to**
- Windows 10
- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
You can use Group Policy settings, mobile device management (MDM), or Registry (not recommended) to configure when devices will restart after a Windows update is installed. You can schedule update installation and set policies for restart, configure active hours for when restarts will not occur, or you can do both.
## Schedule update installation
@ -100,15 +101,27 @@ To configure active hours max range through MDM, use [**Update/ActiveHoursMaxRan
## Limit restart delays
After an update is installed, Windows 10 attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
After an update is installed, Windows attempts automatic restart outside of active hours. If the restart does not succeed after seven days (by default), the user will see a notification that restart is required. You can use the **Specify deadline before auto-restart for update installation** policy to change the delay from seven days to any number of days between two and 14.
## Control restart notifications
In Windows 10, version 1703, we have added settings to control restart notifications for users.
### Display options for update notifications
Starting in Windows 10 version 1809, you can define which Windows Update notifications are displayed to the user. This policy doesn't control how and when updates are downloaded and installed. You can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
**0** (default) - Use the default Windows Update notifications </br>
**1** - Turn off all notifications, excluding restart warnings </br>
**2** - Turn off all notifications, including restart warnings </br>
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-configuration-service-provider#update-updatenotificationlevel).
Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
To configure this behavior through MDM, use [**Update/UpdateNotificationLevel**](/windows/client-management/mdm/policy-csp-update#update-NoUpdateNotificationDuringActiveHours).
### Auto-restart notifications
Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically.
Administrators can override the default behavior for the auto-restart required notification. By default, this notification will dismiss automatically. This setting was added in Windows 10, version 1703.
To configure this behavior through Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and select **Configure auto-restart required notification for updates**. When configured to **2 - User Action**, a user that gets this notification must manually dismiss it.
@ -198,10 +211,10 @@ There are three different registry combinations for controlling restart behavior
## Related articles
- [Update Windows 10 in the enterprise](index.md)
- [Update Windows in the enterprise](index.md)
- [Overview of Windows as a service](waas-overview.md)
- [Configure Delivery Optimization for Windows 10 updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Delivery Optimization for Windows updates](../do/waas-delivery-optimization.md)
- [Configure BranchCache for Windows updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)

40
windows/deployment/update/waas-wu-settings.md
View File

@ -3,12 +3,12 @@ title: Manage additional Windows Update settings
description: In this article, learn about additional settings to control the behavior of Windows Update.
ms.prod: w10
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
manager: dougeby
author: mestew
ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.collection: highpri
date: 09/22/2022
---
# Manage additional Windows Update settings
@ -36,6 +36,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
| [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location) | [AllowNonMicrosoftSignedUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | All |
| [Do not include drivers with Windows Updates](#do-not-include-drivers-with-windows-updates) | [ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | 1607 |
| [Configure Automatic Updates](#configure-automatic-updates) | [AllowAutoUpdate](/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | All |
| | [Windows Update notifications display organization name](#bkmk_display-name) </br></br> *Organization name is displayed by default. A registry value can disable this behavior. | Windows 11 devices that are Azure Active Directory joined or registered <!--6286260-->|
>[!IMPORTANT]
>Additional information about settings to manage device restarts and restart notifications for updates is available on **[Manage device restarts after updates](waas-restart.md)**.
@ -230,7 +231,7 @@ To do this, follow these steps:
> [!NOTE]
> This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions.
To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance.
To use Automatic Updates with a server that is running Windows Software Update Services (WSUS), see the [Deploying Microsoft Windows Server Update Services](/windows-server/administration/windows-server-update-services/deploy/deploy-windows-server-update-services) guidance.
When you configure Automatic Updates directly by using the policy registry keys, the policy overrides the preferences that are set by the local administrative user to configure the client. If an administrator removes the registry keys at a later date, the preferences that were set by the local administrative user are used again.
@ -246,3 +247,32 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
* WUStatusServer (REG_SZ)
This value sets the SUS statistics server by HTTP name (for example, http://IntranetSUS).
## <a name="bkmk_display-name"> </a> Display organization name in Windows Update notifications
<!--6286260-->
When Windows 11 clients are associated with an Azure AD tenant, the organization name appears in the Windows Update notifications. For instance, when you have a compliance deadline configured for Windows Update for Business, the user notification will display a message similar to **Contoso requires important updates to be installed**. The organization name will also display on the **Windows Update** page in the **Settings** for Windows 11.
The organization name appears automatically for Windows 11 clients that are associated with Azure AD in any of the following ways:
- [Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join)
- [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register)
- [Hybrid Azure AD joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
To disable displaying the organization name in Windows Update notifications, add or modify the following in the registry:
- **Registry key**: `HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations`
- **DWORD value name**: UsoDisableAADJAttribution
- **Value data:** 1
The following PowerShell script is provided as an example to you:
```powershell
$registryPath = "HKLM:\Software\Microsoft\WindowsUpdate\Orchestrator\Configurations"
$Name = "UsoDisableAADJAttribution"
$value = "1"
if (!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
```

12
windows/deployment/update/waas-wufb-group-policy.md
View File

@ -178,12 +178,14 @@ There are additional settings that affect the notifications.
We recommend that you use the default notifications as they aim to provide the best user experience while adjusting for the compliance policies that you have set. If you do have further needs that are not met by the default notification settings, you can use **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Display options for update notifications** with these values:
**0** (default) Use the default Windows Update notifications
**1** Turn off all notifications, excluding restart warnings
**2** Turn off all notifications, including restart warnings
**0** (default) - Use the default Windows Update notifications </br>
**1** - Turn off all notifications, excluding restart warnings </br>
**2** - Turn off all notifications, including restart warnings </br>
> [!NOTE]
> Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
Option **2** creates a poor experience for personal devices; it's only recommended for kiosk devices where automatic restarts have been disabled.
> [!NOTE]
> Starting in Windows 11, version 22H2, **Apply only during active hours** was added as an additional option for **Display options for update notifications**. When **Apply only during active hours** is selected, the notifications will only be disabled during active hours when options `1` or `2` are used. To ensure that the device stays updated, a notification will still be shown during active hours if **Apply only during active hours** is selected, and once a deadline has been reached when [Specify deadlines for automatic updates and restarts](wufb-compliancedeadlines.md) is configured. <!--6286260-->
Still more options are available in **Computer Configuration > Administrative Templates > Windows Components > Windows Update > Configure auto-restart restart warning notifications schedule for updates**. This setting allows you to specify the period for auto-restart warning reminder notifications (from 2-24 hours; 4 hours is the default) before the update and to specify the period for auto-restart imminent warning notifications (15-60 minutes is the default). We recommend using the default notifications.

2
windows/hub/index.yml
View File

@ -105,7 +105,7 @@ conceptualContent:
- url: /windows/configuration/provisioning-packages/provisioning-packages
itemType: how-to-guide
text: Use Provisioning packages to configure new devices
- url: /windows/configuration/windows-10-accessibility-for-itpros
- url: /windows/configuration/windows-accessibility-for-itpros
itemType: overview
text: Accessibility information for IT Pros
- url: /windows/configuration/customize-start-menu-layout-windows-11

85
windows/security/TOC.yml
View File

@ -5,13 +5,19 @@
href: zero-trust-windows-device-health.md
expanded: true
- name: Hardware security
items:
items:
- name: Overview
href: hardware.md
- name: Microsoft Pluton security processor
items:
- name: Microsoft Pluton overview
href: information-protection/pluton/microsoft-pluton-security-processor.md
- name: Microsoft Pluton as TPM
href: information-protection/pluton/pluton-as-tpm.md
- name: Trusted Platform Module
href: information-protection/tpm/trusted-platform-module-top-node.md
items:
- name: Trusted Platform Module Overview
items:
- name: Trusted Platform Module overview
href: information-protection/tpm/trusted-platform-module-overview.md
- name: TPM fundamentals
href: information-protection/tpm/tpm-fundamentals.md
@ -32,16 +38,16 @@
- name: System Guard Secure Launch and SMM protection
href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
- name: Enable virtualization-based protection of code integrity
href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
- name: Kernel DMA Protection
href: information-protection/kernel-dma-protection-for-thunderbolt.md
- name: Windows secured-core devices
href: /windows-hardware/design/device-experiences/oem-highly-secure
- name: Operating system security
items:
items:
- name: Overview
href: operating-system.md
- name: System security
- name: System security
items:
- name: Secure the Windows boot process
href: information-protection/secure-the-windows-10-boot-process.md
@ -70,19 +76,19 @@
href: threat-protection/security-policy-settings/security-policy-settings.md
- name: Security auditing
href: threat-protection/auditing/security-auditing-overview.md
- name: Encryption and data protection
- name: Encryption and data protection
href: encryption-data-protection.md
items:
- name: Encrypted Hard Drive
href: information-protection/encrypted-hard-drive.md
- name: BitLocker
- name: BitLocker
href: information-protection/bitlocker/bitlocker-overview.md
items:
items:
- name: Overview of BitLocker Device Encryption in Windows
href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
- name: BitLocker frequently asked questions (FAQ)
href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
items:
items:
- name: Overview and requirements
href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
- name: Upgrading
@ -128,7 +134,7 @@
- name: Protecting cluster shared volumes and storage area networks with BitLocker
href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
- name: Troubleshoot BitLocker
items:
items:
- name: Troubleshoot BitLocker
href: information-protection/bitlocker/troubleshoot-bitlocker.md
- name: "BitLocker cannot encrypt a drive: known issues"
@ -142,20 +148,28 @@
- name: "BitLocker configuration: known issues"
href: information-protection/bitlocker/ts-bitlocker-config-issues.md
- name: Troubleshoot BitLocker and TPM issues
items:
items:
- name: "BitLocker cannot encrypt a drive: known TPM issues"
href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
- name: "BitLocker and TPM: other known issues"
href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
- name: Decode Measured Boot logs to track PCR changes
href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
- name: Personal Data Encryption (PDE)
items:
- name: Personal Data Encryption (PDE) overview
href: information-protection/personal-data-encryption/overview-pde.md
- name: Personal Data Encryption (PDE) (FAQ)
href: information-protection/personal-data-encryption/faq-pde.yml
- name: Configure Personal Data Encryption (PDE) in Intune
href: information-protection/personal-data-encryption/configure-pde-in-intune.md
- name: Configure S/MIME for Windows
href: identity-protection/configure-s-mime.md
href: identity-protection/configure-s-mime.md
- name: Network security
items:
- name: VPN technical guide
href: identity-protection/vpn/vpn-guide.md
items:
items:
- name: VPN connection types
href: identity-protection/vpn/vpn-connection-type.md
- name: VPN routing decisions
@ -182,13 +196,13 @@
href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
- name: Windows security baselines
href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
items:
items:
- name: Security Compliance Toolkit
href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
- name: Get support
href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
- name: Virus & threat protection
items:
items:
- name: Overview
href: threat-protection/index.md
- name: Microsoft Defender Antivirus
@ -206,7 +220,7 @@
- name: Microsoft Defender for Endpoint
href: /microsoft-365/security/defender-endpoint
- name: More Windows security
items:
items:
- name: Override Process Mitigation Options to help enforce app-related security policies
href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
- name: Use Windows Event Forwarding to help with intrusion detection
@ -215,13 +229,13 @@
href: threat-protection/block-untrusted-fonts-in-enterprise.md
- name: Windows Information Protection (WIP)
href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
items:
items:
- name: Create a WIP policy using Microsoft Intune
href: information-protection/windows-information-protection/overview-create-wip-policy.md
items:
items:
- name: Create a WIP policy in Microsoft Intune
href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
items:
items:
- name: Deploy your WIP policy in Microsoft Intune
href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
- name: Associate and deploy a VPN policy for WIP in Microsoft Intune
@ -232,7 +246,7 @@
href: information-protection/windows-information-protection/wip-app-enterprise-context.md
- name: Create a WIP policy using Microsoft Endpoint Configuration Manager
href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
items:
items:
- name: Create and deploy a WIP policy in Configuration Manager
href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
- name: Create and verify an EFS Data Recovery Agent (DRA) certificate
@ -249,7 +263,7 @@
href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
- name: General guidance and best practices for WIP
href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
items:
items:
- name: Enlightened apps for use with WIP
href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
- name: Unenlightened and enlightened app behavior while using WIP
@ -274,17 +288,20 @@
href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
- name: Windows Sandbox
href: threat-protection/windows-sandbox/windows-sandbox-overview.md
items:
items:
- name: Windows Sandbox architecture
href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
- name: Windows Sandbox configuration
href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
- name: Microsoft Defender SmartScreen overview
href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
items:
- name: Enhanced Phishing Protection in Microsoft Defender SmartScreen
href: threat-protection\microsoft-defender-smartscreen\phishing-protection-microsoft-defender-smartscreen.md
- name: Configure S/MIME for Windows
href: identity-protection\configure-s-mime.md
- name: Windows Credential Theft Mitigation Guide Abstract
href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
- name: User security and secured identity
items:
- name: Overview
@ -297,7 +314,7 @@
href: identity-protection/enterprise-certificate-pinning.md
- name: Protect derived domain credentials with Credential Guard
href: identity-protection/credential-guard/credential-guard.md
items:
items:
- name: How Credential Guard works
href: identity-protection/credential-guard/credential-guard-how-it-works.md
- name: Credential Guard Requirements
@ -322,12 +339,12 @@
href: identity-protection/password-support-policy.md
- name: Access Control Overview
href: identity-protection/access-control/access-control.md
items:
items:
- name: Local Accounts
href: identity-protection/access-control/local-accounts.md
- name: User Account Control
href: identity-protection/user-account-control/user-account-control-overview.md
items:
items:
- name: How User Account Control works
href: identity-protection/user-account-control/how-user-account-control-works.md
- name: User Account Control security policy settings
@ -336,10 +353,10 @@
href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
- name: Smart Cards
href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
items:
items:
- name: How Smart Card Sign-in Works in Windows
href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
items:
items:
- name: Smart Card Architecture
href: identity-protection/smart-cards/smart-card-architecture.md
- name: Certificate Requirements and Enumeration
@ -354,7 +371,7 @@
href: identity-protection/smart-cards/smart-card-removal-policy-service.md
- name: Smart Card Tools and Settings
href: identity-protection/smart-cards/smart-card-tools-and-settings.md
items:
items:
- name: Smart Cards Debugging Information
href: identity-protection/smart-cards/smart-card-debugging-information.md
- name: Smart Card Group Policy and Registry Settings
@ -363,10 +380,10 @@
href: identity-protection/smart-cards/smart-card-events.md
- name: Virtual Smart Cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
items:
items:
- name: Understanding and Evaluating Virtual Smart Cards
href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
items:
items:
- name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
- name: Use Virtual Smart Cards
@ -388,7 +405,7 @@
- name: Azure Virtual Desktop
href: /azure/virtual-desktop/
- name: Security foundations
items:
items:
- name: Overview
href: security-foundations.md
- name: Microsoft Security Development Lifecycle

26
windows/security/encryption-data-protection.md
View File

@ -2,17 +2,17 @@
title: Encryption and data protection in Windows
description: Get an overview encryption and data protection in Windows 11 and Windows 10
search.appverid: MET150
author: denisebmsft
ms.author: deniseb
manager: dansimp
ms.topic: conceptual
ms.date: 09/08/2021
ms.prod: m365-security
ms.technology: windows-sec
author: frankroj
ms.author: frankroj
manager: aaroncz
ms.topic: overview
ms.date: 09/22/2022
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection:
ms.custom:
ms.reviewer: deepakm, rafals
ms.reviewer: rafals
---
# Encryption and data protection in Windows client
@ -32,8 +32,8 @@ Encrypted hard drives provide:
- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
- Ease of use: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there's no need to re-encrypt data on the drive.
- Lower cost of ownership: There's no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles don't need to be used for the encryption process.
Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
@ -45,8 +45,14 @@ BitLocker provides encryption for the operating system, fixed data, and removabl
Windows consistently improves data protection by improving existing options and providing new strategies.
## Personal Data Encryption (PDE)
<!-- Max 5963468 OS 32516487 -->
(*Applies to: Windows 11, version 22H2 and later*)
[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)]
## See also
- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md)

20
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -5,7 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
ms.reviewer: zwhittington
manager: aaroncz
ms.collection:
- M365-identity-device-management
@ -22,6 +22,24 @@ appliesto:
- ✅ <b>Windows Server 2022</b>
---
# Manage Windows Defender Credential Guard
## Default Enablement
Starting with Windows 11 Enterprise 22H2, compatible systems have Windows Defender Credential Guard turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state. Windows Defender Credential Guard can still be manually [enabled](#enable-windows-defender-credential-guard) or [disabled](#disable-windows-defender-credential-guard) via the methods documented below.
### Requirements for automatic enablement
Windows Defender Credential Guard will be enabled by default when a PC meets the following minimum requirements:
|Component|Requirement|
|---|---|
|Operating System|Windows 11 Enterprise 22H2|
|Existing Windows Defender Credential Guard Requirements|Only devices which meet the [existing hardware and software requirements](credential-guard-requirements.md#hardware-and-software-requirements) to run Windows Defender Credential Guard will have it enabled by default.|
|Virtualization-based Security (VBS) Requirements|VBS must be enabled in order to run Windows Defender Credential Guard. Starting with Windows 11 Enterprise 22H2, devices that meet the requirements to run Windows Defender Credential Guard as well as the [minimum requirements to enable VBS](/windows-hardware/design/device-experiences/oem-vbs) will have both Windows Defender Credential Guard and VBS enabled by default.
> [!NOTE]
> If Windows Defender Credential Guard or VBS has previously been explicitly disabled, default enablement will not overwrite this setting.
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.

9
windows/security/identity-protection/credential-guard/credential-guard-requirements.md
View File

@ -5,7 +5,7 @@ ms.prod: m365-security
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer: erikdau
ms.reviewer: zwhittington
manager: aaroncz
ms.collection:
- M365-identity-device-management
@ -58,8 +58,8 @@ For information about Windows Defender Remote Credential Guard hardware and soft
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
> [!WARNING]
> Enabling Windows Defender Credential Guard on domain controllers is not supported.
> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
> Enabling Windows Defender Credential Guard on domain controllers is not recommended at this time.
> Windows Defender Credential Guard does not provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.
> [!NOTE]
> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
@ -103,9 +103,6 @@ The following tables describe baseline protections, plus protections for improve
|Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
> [!IMPORTANT]
> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.

167
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -26,12 +26,12 @@ The goal of the Windows Hello for Business cloud Kerberos trust is to bring the
Windows Hello for Business cloud Kerberos trust uses Azure Active Directory (AD) Kerberos to address pain points of the key trust deployment model:
- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI.
- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate.
- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup.
- Windows Hello for Business cloud Kerberos trust provides a simpler deployment experience because it doesn't require the deployment of public key infrastructure (PKI) or changes to existing PKI
- Cloud Kerberos trust doesn't require syncing of public keys between Azure AD and on-premises domain controllers (DCs) for users to access on-premises resources and applications. This change means there isn't a delay between the user provisioning and being able to authenticate
- Deploying Windows Hello for Business cloud Kerberos trust enables you to also deploy passwordless security keys with minimal extra setup
> [!NOTE]
> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
> Windows Hello for Business cloud Kerberos trust is recommended instead of key trust if you meet the prerequisites to deploy cloud Kerberos trust. Cloud Kerberos trust is the preferred deployment model if you do not need to support certificate authentication scenarios.
## Azure Active Directory Kerberos and Cloud Kerberos Trust Authentication
@ -50,7 +50,7 @@ If you're using the hybrid cloud Kerberos trust deployment model, you _must_ ens
| Requirement | Notes |
| --- | --- |
| Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. |
| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
| Patched Windows 10, version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
| Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. |
| Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
| Device management | Windows Hello for Business cloud Kerberos trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
@ -85,9 +85,82 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl
### Configure Windows Hello for Business Policy
After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled using policy. By default, cloud Kerberos trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices.
After setting up the Azure AD Kerberos Object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO).
#### Configure Using Group Policy
#### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune)
Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices.
The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
### Create a user Group that will be targeted for Windows Hello for Business
If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/)
1. Browse to **Groups** and select **New group**
1. Configure the following group settings:
1. Group type: **Security**
1. Group name: *WHFB cloud Kerberos trust users* or a group name of your choosing
1. Membership type: **Assigned**
1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust
You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center
### Enable Windows Hello for Business
If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud Kerberos trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
You can also follow these steps to create a device configuration policy instead of a device enrollment policy:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to Devices > Windows > Configuration Profiles > Create profile.
1. For Platform, select Windows 10 and later.
1. For Profile Type, select **Templates** and select the **Identity Protection** Template.
1. Name the profile with a familiar name. For example, "Windows Hello for Business".
1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**.
1. After setting Configure Windows Hello for Business to Enable, multiple policy options become available. These policies are optional to configure. More information on these policies is available in our documentation on managing [Windows Hello for Business in your organization](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). We recommend setting **Use a Trusted Platform Module (TPM)** to **Enable**.
[![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox)
1. Select Next to move to **Assignments**.
1. Under Included groups, select **Add groups**.
1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog).
### Configure Cloud Kerberos Trust policy
To configure the cloud Kerberos trust policy, follow the steps below:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to Devices > Windows > Configuration Profiles > Create profile.
1. For Platform, select Windows 10 and later.
1. For Profile Type, select **Templates** and select the **Custom** Template.
1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
1. In Configuration Settings, add a new configuration with the following settings:
| Setting |
|--------|
| <ul><li>Name: **Windows Hello for Business cloud Kerberos trust** or another familiar name</li><li>Description (optional): *Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO*</li><li>OMA-URI: **`./Device/Vendor/MSFT/PassportForWork/`*\<tenant ID>*`/Policies/UseCloudTrustForOnPremAuth`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li></ul>|
>[!IMPORTANT]
>*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.
[![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox)
1. Select Next to navigate to **Assignments**.
1. Under Included groups, select **Add groups**.
1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be *WHFB cloud Kerberos trust users* or a group of your choosing.
1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
> [!Important]
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
#### [:::image type="icon" source="../../images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
Hybrid Azure AD joined organizations can use Windows Hello for Business Group Policy to manage the feature. Group Policy can be configured to enable users to enroll and use Windows Hello for Business.
@ -100,13 +173,13 @@ cloud Kerberos trust requires setting a dedicated policy for it to be enabled. T
> [!NOTE]
> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more information about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more information about policy conflicts, see [Policy conflicts from multiple policy sources](hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
##### Update Group Policy Objects
#### Update Group Policy Objects
You may need to update your Group Policy definitions to be able to configure the cloud Kerberos trust policy. You can copy the ADMX and ADML files from a Windows 10 21H2 or Windows 11 device that supports cloud Kerberos trust to their respective language folder on your Group Policy management server. Windows Hello for Business settings are in the Passport.admx and Passport.adml files.
You can also create a Group Policy Central Store and copy them their respective language folder. For more information, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](/troubleshoot/windows-client/group-policy/create-and-manage-central-store).
##### Create the Windows Hello for Business Group Policy object
#### Create the Windows Hello for Business Group Policy object
Sign-in a domain controller or management workstations with *Domain Admin* equivalent credentials.
@ -126,81 +199,7 @@ This group policy should be targeted at the computer group that you've created f
> [!Important]
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
#### Configure Using Intune
Windows Hello for Business can be enabled using device enrollment or device configuration policy. Device enrollment policy is only applied at device enrollment time. Any modifications to the configuration in Intune won't apply to already enrolled devices. Device configuration policy is applied after device enrollment. Changes to this policy type in Intune are applied to already enrolled devices.
The cloud Kerberos trust policy needs to be configured using a custom template and is configured separately from enabling Windows Hello from Business.
##### Create a user Group that will be targeted for Windows Hello for Business
If you have an existing group you want to target with Windows Hello for Business cloud Kerberos trust policy, you can skip this step.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to **Groups** and select **New group**.
1. Configure the following group settings:
1. Group type: "Security"
1. Group name: "WHFBCloudTrustUsers" or a group name of your choosing
1. Membership type: Assigned
1. Select **Members** and add users that you want to target with Windows Hello for Business cloud Kerberos trust.
You can also create a group through the Azure portal instead of using the Microsoft Endpoint Manager admin center.
##### Enable Windows Hello for Business
If you already enabled Windows Hello for Business for a target set of users or devices, you can skip below to configuring the cloud Kerberos trust policy. Otherwise, follow the instructions at [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello) to create a Windows Hello for Business device enrollment policy.
You can also follow these steps to create a device configuration policy instead of a device enrollment policy:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to Devices > Windows > Configuration Profiles > Create profile.
1. For Platform, select Windows 10 and later.
1. For Profile Type, select **Templates** and select the **Identity Protection** Template.
1. Name the profile with a familiar name. For example, "Windows Hello for Business".
1. In **Configurations settings**, set the **Configure Windows Hello for Business** option to **Enable**.
1. After setting Configure Windows Hello for Business to Enable, multiple policy options become available. These policies are optional to configure. More information on these policies is available in our documentation on managing [Windows Hello for Business in your organization](hello-manage-in-organization.md#mdm-policy-settings-for-windows-hello-for-business). We recommend setting **Use a Trusted Platform Module (TPM)** to **Enable**.
[![Intune custom device configuration policy creation](./images/hello-intune-enable.png)](./images/hello-intune-enable-large.png#lightbox)
1. Select Next to move to **Assignments**.
1. Under Included groups, select **Add groups**.
1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
Windows Hello for Business settings are also available in the settings catalog. For more information, see [Use the settings catalog to configure settings on Windows and macOS devices - preview](/mem/intune/configuration/settings-catalog).
##### Configure Cloud Kerberos Trust policy
To configure the cloud Kerberos trust policy, follow the steps below:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
1. Browse to Devices > Windows > Configuration Profiles > Create profile.
1. For Platform, select Windows 10 and later.
1. For Profile Type, select **Templates** and select the **Custom** Template.
1. Name the profile with a familiar name. For example, "Windows Hello for Business cloud Kerberos trust".
1. In Configuration Settings, add a new configuration with the following settings:
- Name: "Windows Hello for Business cloud Kerberos trust" or another familiar name
- Description: Enable Windows Hello for Business cloud Kerberos trust for sign-in and on-premises SSO.
- OMA-URI: ./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/UseCloudTrustForOnPremAuth
>[!IMPORTANT]
>*Tenant ID* in the OMA-URI must be replaced with the tenant ID for your Azure AD tenant. See [How to find your Azure AD tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) for instructions on looking up your tenant ID.
- Data type: Boolean
- Value: True
[![Intune custom-device configuration policy creation](./images/hello-cloud-trust-intune.png)](./images/hello-cloud-trust-intune-large.png#lightbox)
1. Select Next to navigate to **Assignments**.
1. Under Included groups, select **Add groups**.
1. Select the user group you would like to use Windows Hello for Business cloud Kerberos trust. This group may be WHFBCloudTrustUsers or a group of your choosing.
1. Select Next to move to the Applicability Rules.
1. Select Next again to move to the **Review + create** tab and select the option to create the policy.
> [!Important]
> If the Use certificate for on-premises authentication policy is enabled, we will enforce certificate trust instead of cloud Kerberos trust on the client. Please make sure that any machines that you want to use Windows Hello for Business cloud Kerberos trust have this policy not configured or disabled.
---
## Provisioning

32
windows/security/identity-protection/hello-for-business/webauthn-apis.md
View File

@ -9,16 +9,18 @@ ms.reviewer: prsriva
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 08/30/2022
ms.date: 09/15/2022
appliesto:
- ✅ <b>Windows 10</b>
- ✅ <b>Windows 11</b>
---
# WebAuthn APIs for passwordless authentication on Windows
<!--MAXADO-6021798-->
Passwords can leave your customers vulnerable to data breaches and security attacks by malicious users.
Microsoft has long been a proponent of passwordless authentication, and introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903).
Microsoft has long been a proponent of passwordless authentication, and has introduced the W3C/Fast IDentity Online 2 (FIDO2) Win32 WebAuthn platform APIs in Windows 10 (version 1903).
Starting in **Windows 11, version 22H2**, WebAuthn APIs support ECC algorithms.
## What does this mean?
@ -29,11 +31,11 @@ Users of these apps or sites can use any browser that supports WebAuthn APIs for
Developers should use the WebAuthn APIs to support FIDO2 authentication keys in a consistent way for users. Additionally, developers can use all the transports that are available per FIDO2 specifications (USB, NFC, and BLE) while avoiding the interaction and management overhead.
> [!NOTE]
> When these APIs are in use, Windows 10 browsers or apps don't have direct access to the FIDO2 transports for FIDO-related messaging.
> When these APIs are in use, Windows 10 browsers or applications don't have direct access to the FIDO2 transports for FIDO-related messaging.
## The big picture
Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators).
The Client to Authenticator Protocol 2 (CTAP2) and WebAuthn define an abstraction layer that creates an ecosystem for strongly authenticated credentials. In this ecosystem, any interoperable client (such as a native app or browser) that runs on a given client device uses a standardized method to interact with any interoperable authenticator. Interoperable authenticators include authenticators that are built into the client device (platform authenticators) and authenticators that connect to the client device by using USB, BLE, or NFC connections (roaming authenticators).
The authentication process starts when the user makes a specific user gesture that indicates consent for the operation. At the request of the client, the authenticator securely creates strong cryptographic keys and stores them locally.
@ -56,30 +58,30 @@ A combined WebAuthn/CTAP2 dance includes the following cast of characters:
- As a relying party, a web application can't directly interact with the WebAuthn API. The relying party must broker the deal through the browser.
> [!NOTE]
> The preceding diagram doesn't depict single sign-on authentication. Be careful not to confuse FIDO relying parties with federated relying parties.
> The preceding diagram doesn't depict Single Sign-On (SSO) authentication. Be careful not to confuse FIDO relying parties with federated relying parties.
- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request that the authenticator create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on.
- **WebAuthn API**. The *WebAuthn API* enables clients to make requests to authenticators. The client can request the authenticator to create a key, provide an assertion about a key, report capabilities, manage a PIN, and so on.
- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions of the preceding diagram may differ.
- **CTAP2 platform/host**. The *platform* (also called the host in the CTAP2 spec) is the part of the client device that negotiates with authenticators. The platform is responsible for securely reporting the origin of the request and for calling the CTAP2 Concise Binary Object Representation (CBOR) APIs. If the platform isn't CTAP2-aware, the clients themselves take on more of the burden. In this case, the components and interactions shown in the preceding diagram may differ.
- **Platform authenticator**. A *platform authenticator* usually resides on a client device. Examples of platform authenticators include fingerprint recognition technology that uses a built-in laptop fingerprint reader and facial recognition technology that uses a built-in smartphone camera. Cross-platform transport protocols such as USB, NFC or BLE can't access platform authenticators.
- **Roaming authenticator**. A *roaming authenticator* can connect to multiple client devices. Client devices must use a supported transport protocol to negotiate interactions. Examples of roaming authenticators include USB security keys, BLE-enabled smartphone applications, and NFC-enabled proximity cards. Roaming authenticators can support CTAP1, CTAP2, or both protocols.
Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile app.
Many relying parties and clients can interact with many authenticators on a single client device. A user can install multiple browsers that support WebAuthn, and might simultaneously have access to a built-in fingerprint reader, a plugged-in security key, and a BLE-enabled mobile application.
## Interoperability
Before there was WebAuthn and CTAP2, there was U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality.
Before WebAuthn and CTAP2, there were U2F and CTAP1. U2F is the FIDO Alliance universal second-factor specification. There are many authenticators that speak CTAP1 and manage U2F credentials. WebAuthn was designed to be interoperable with CTAP1 Authenticators. A relying party that uses WebAuthn can still use U2F credentials if the relying party doesn't require FIDO2-only functionality.
FIDO2 authenticators have already implemented and WebAuthn relying parties might require the following optional features:
FIDO2 authenticators have already been implemented and WebAuthn relying parties might require the following optional features:
- Keys for multiple accounts (keys can be stored per relying party)
- Client PIN
- Location (the authenticator returns a location)
- [Hash-based Message Authentication Code (HMAC)-secret](/dotnet/api/system.security.cryptography.hmac) (enables offline scenarios)
The following options and might be useful in the future, but haven't been observed in the wild yet:
The following options might be useful in the future, but haven't been observed in the wild yet:
- Transactional approval
- User verification index (servers can determine whether biometric data that's stored locally has changed over time)
@ -105,18 +107,18 @@ Here's an approximate layout of where the Microsoft bits go:
> [!IMPORTANT]
> Because Microsoft Account requires features and extensions that are unique to FIDO2 CTAP2 authenticators, it doesn't accept CTAP1 (U2F) credentials.
- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
- **WebAuthn client: Microsoft Edge**. Microsoft Edge can handle the user interface for the WebAuthn and CTAP2 features that this article describes. It also supports the AppID extension. Microsoft Edge can interact with both CTAP1 and CTAP2 authenticators. This scope for interaction means that it can create and use both U2F and FIDO2 credentials. However, Microsoft Edge doesn't speak the U2F protocol. Therefore, relying parties must use only the WebAuthn specification. Microsoft Edge on Android doesn't support WebAuthn.
> [!NOTE]
> For authoritative information about Microsoft Edge support for WebAuthn and CTAP, see [Legacy Microsoft Edge developer documentation](/microsoft-edge/dev-guide/windows-integration/web-authentication).
- **Platform: Windows 10, Windows 11**. Windows 10 and Windows 11 host the Win32 Platform WebAuthn APIs.
- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. That's because there's already a strong ecosystem of products that specialize in strong authentication, and every one of our customers (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. To see the ever-growing list of FIDO2 certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
- **Roaming Authenticators**. You might notice that there's no *Microsoft* roaming authenticator. The reason is because there's already a strong ecosystem of products that specialize in strong authentication, and every customer (whether corporations or individuals) has different requirements for security, ease of use, distribution, and account recovery. For more information on the ever-growing list of FIDO2-certified authenticators, see [FIDO Certified Products](https://fidoalliance.org/certification/fido-certified-products/). The list includes built-in authenticators, roaming authenticators, and even chip manufacturers who have certified designs.
## Developer references
The WebAuthn APIs are documented in the [Microsoft/webauthn](https://github.com/Microsoft/webauthn) GitHub repo. To understand how FIDO2 authenticators work, review the following two specifications:
- [Web Authentication: An API for accessing Public Key Credentials](https://www.w3.org/TR/webauthn/) (available on the W3C site). This document is known as the WebAuthn spec.
- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.
- [Client to Authenticator Protocol (CTAP)](https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html). This document is available at the [FIDO Alliance](http://fidoalliance.org/) site, on which hardware and platform teams are working together to solve the problem of FIDO authentication.

3
windows/security/images/icons/accessibility.svg Normal file
View File

@ -0,0 +1,3 @@
<svg width="18" height="18" viewBox="0 0 18 18" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M6.75001 3.25C6.75001 2.55964 7.30966 2 8.00001 2C8.69037 2 9.25001 2.55964 9.25001 3.25C9.25001 3.94036 8.69037 4.5 8.00001 4.5C7.30966 4.5 6.75001 3.94036 6.75001 3.25ZM8.00001 1C6.75737 1 5.75001 2.00736 5.75001 3.25C5.75001 3.42769 5.77061 3.60057 5.80955 3.76638L4.1981 3.11531C3.38523 2.78689 2.45661 3.17707 2.12226 3.98751C1.78682 4.8006 2.17658 5.72824 2.9921 6.05773L5 6.86897L5 9.25304L3.18661 12.6635C2.77397 13.4396 3.06858 14.4032 3.84463 14.8158C4.62069 15.2285 5.58431 14.9339 5.99695 14.1578L8.00028 10.3901L10.0037 14.158C10.4163 14.934 11.3799 15.2286 12.156 14.816C12.9321 14.4034 13.2267 13.4397 12.814 12.6637L11 9.252V6.86897L13.0079 6.05773C13.8234 5.72824 14.2132 4.80059 13.8777 3.98751C13.5434 3.17707 12.6148 2.78689 11.8019 3.11531L10.1905 3.76636C10.2294 3.60055 10.25 3.42768 10.25 3.25C10.25 2.00736 9.24265 1 8.00001 1ZM3.04668 4.36889C3.17149 4.06635 3.52005 3.91989 3.82349 4.04249L7.25078 5.42721C7.73138 5.62138 8.2686 5.62138 8.74921 5.42721L12.1765 4.04249C12.4799 3.91989 12.8285 4.06635 12.9533 4.36889C13.077 4.66879 12.9341 5.00902 12.6333 5.13055L10.6254 5.94179C10.2474 6.09449 10 6.46133 10 6.86897V9.252C10 9.41571 10.0402 9.57692 10.1171 9.72147L11.9311 13.1332C12.0844 13.4216 11.9749 13.7797 11.6865 13.9331C11.3981 14.0864 11.04 13.9769 10.8866 13.6885L8.88322 9.92064C8.50711 9.21327 7.49344 9.21326 7.11733 9.92064L5.114 13.6883C4.96065 13.9768 4.60252 14.0863 4.31411 13.9329C4.02569 13.7795 3.9162 13.4214 4.06955 13.133L5.88295 9.72251C5.9598 9.57796 6 9.41675 6 9.25304V6.86897C6 6.46133 5.75256 6.09449 5.3746 5.94179L3.3667 5.13055C3.06591 5.00902 2.92295 4.66879 3.04668 4.36889Z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB

3
windows/security/images/icons/group-policy.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1792 0q53 0 99 20t82 55 55 81 20 100q0 53-20 99t-55 82-81 55-100 20h-128v1280q0 53-20 99t-55 82-81 55-100 20H256q-53 0-99-20t-82-55-55-81-20-100q0-53 20-99t55-82 81-55 100-20V256q0-53 20-99t55-82 81-55T512 0h1280zM128 1792q0 27 10 50t27 40 41 28 50 10h930q-34-60-34-128t34-128H256q-27 0-50 10t-40 27-28 41-10 50zm1280 128q27 0 50-10t40-27 28-41 10-50V256q0-68 34-128H512q-27 0-50 10t-40 27-28 41-10 50v1280h1024q26 0 45 19t19 45q0 26-19 45t-45 19q-25 0-49 9t-42 28q-18 18-27 42t-10 49q0 27 10 50t27 40 41 28 50 10zm384-1536q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10q-27 0-50 10t-40 27-28 41-10 50v128h128zm-1280 0h896v128H512V384zm0 256h256v128H512V640zm0 256h256v128H512V896zm0 256h256v128H512v-128zm640-512q53 0 99 20t82 55 55 81 20 100q0 17-4 33t-4 31v539l-248-124-248 124V960q0-14-4-30t-4-34q0-53 20-99t55-82 81-55 100-20zm0 128q-27 0-50 10t-40 27-28 41-10 50q0 27 10 50t27 40 41 28 50 10q27 0 50-10t40-27 28-41 10-50q0-27-10-50t-27-40-41-28-50-10zm136 549v-204q-30 20-65 29t-71 10q-36 0-71-9t-65-30v204l136-68 136 68z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.1 KiB

24
windows/security/images/icons/intune.svg Normal file
View File

@ -0,0 +1,24 @@
<svg id="a9ed4d43-c916-4b9a-b9ca-be76fbdc694c" xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="aaede26b-698f-4a65-b6db-859d207e2da6" x1="8.05" y1="11.32" x2="8.05" y2="1.26" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.82" stop-color="#5ea0ef" />
</linearGradient>
<linearGradient id="bc54987f-34ba-4701-8ce4-6eca10aff9e9" x1="8.05" y1="15.21" x2="8.05" y2="11.32" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#1490df" />
<stop offset="0.98" stop-color="#1f56a3" />
</linearGradient>
<linearGradient id="a5434fd8-c18c-472c-be91-f2aa070858b7" x1="8.05" y1="7.87" x2="8.05" y2="4.94" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#d2ebff" />
<stop offset="1" stop-color="#f0fffd" />
</linearGradient>
</defs>
<title>Icon-intune-329</title>
<rect x="0.5" y="1.26" width="15.1" height="10.06" rx="0.5" fill="url(#aaede26b-698f-4a65-b6db-859d207e2da6)" />
<rect x="1.34" y="2.1" width="13.42" height="8.39" rx="0.28" fill="#fff" />
<path d="M11.08,14.37c-1.5-.23-1.56-1.31-1.55-3h-3c0,1.74-.06,2.82-1.55,3a.87.87,0,0,0-.74.84h7.54A.88.88,0,0,0,11.08,14.37Z" fill="url(#bc54987f-34ba-4701-8ce4-6eca10aff9e9)" />
<path d="M17.17,5.91H10.29a2.31,2.31,0,1,0,0,.92H11v9.58a.33.33,0,0,0,.33.33h5.83a.33.33,0,0,0,.33-.33V6.24A.33.33,0,0,0,17.17,5.91Z" fill="#32bedd" />
<rect x="11.62" y="6.82" width="5.27" height="8.7" rx="0.12" fill="#fff" />
<circle cx="8.05" cy="6.41" r="1.46" opacity="0.9" fill="url(#a5434fd8-c18c-472c-be91-f2aa070858b7)" />
<path d="M14.88,10.82,13.76,9.7a.06.06,0,0,0-.1.05v.68a.06.06,0,0,1-.06.06H11v.83H13.6a.06.06,0,0,1,.06.06v.69a.06.06,0,0,0,.1,0L14.88,11A.12.12,0,0,0,14.88,10.82Z" fill="#0078d4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.8 KiB

20
windows/security/images/icons/powershell.svg Normal file
View File

@ -0,0 +1,20 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="a24f9983-911f-4df7-920f-f964c8c10f82" x1="9" y1="15.834" x2="9" y2="5.788" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#32bedd" />
<stop offset="0.175" stop-color="#32caea" />
<stop offset="0.41" stop-color="#32d2f2" />
<stop offset="0.775" stop-color="#32d4f5" />
</linearGradient>
</defs>
<title>MsPortalFx.base.images-10</title>
<g id="a7ef0482-71f2-4b7e-b916-b1c754245bf1">
<g>
<path d="M.5,5.788h17a0,0,0,0,1,0,0v9.478a.568.568,0,0,1-.568.568H1.068A.568.568,0,0,1,.5,15.266V5.788A0,0,0,0,1,.5,5.788Z" fill="url(#a24f9983-911f-4df7-920f-f964c8c10f82)" />
<path d="M1.071,2.166H16.929a.568.568,0,0,1,.568.568V5.788a0,0,0,0,1,0,0H.5a0,0,0,0,1,0,0V2.734A.568.568,0,0,1,1.071,2.166Z" fill="#0078d4" />
<path d="M4.292,7.153h.523a.167.167,0,0,1,.167.167v3.858a.335.335,0,0,1-.335.335H4.125a0,0,0,0,1,0,0V7.321a.167.167,0,0,1,.167-.167Z" transform="translate(-5.271 5.967) rotate(-45.081)" fill="#f2f2f2" />
<path d="M4.32,9.647h.523a.167.167,0,0,1,.167.167v4.131a0,0,0,0,1,0,0H4.488a.335.335,0,0,1-.335-.335v-3.8a.167.167,0,0,1,.167-.167Z" transform="translate(-0.504 23.385) rotate(-135.081)" fill="#e6e6e6" />
<rect x="7.221" y="12.64" width="4.771" height="1.011" rx="0.291" fill="#f2f2f2" />
</g>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.4 KiB

3
windows/security/images/icons/provisioning-package.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" width="18" height="18" viewBox="0 0 2048 2048">
<path d="M1544 128q75 0 143 30t120 82 82 120 31 144v328q0 26-19 45t-45 19q-26 0-45-19t-19-45V507q0-50-20-95t-55-80-80-55-96-21H346q16 15 27 28t11 36q0 26-19 45t-45 19q-26 0-45-19L147 237q-19-19-19-45t19-45L275 19q19-19 45-19t45 19 19 45q0 23-11 36t-27 28h1198zm-57 896q0 24 22 43t50 39 50 46 23 63q0 21-12 51t-30 61-37 59-33 44q-31 37-79 37-20 0-42-8t-44-17-41-17-35-8q-15 0-24 6t-14 15-8 20-5 24l-17 91q-6 34-25 52t-45 27-55 10-57 2h-5q-27 0-58-1t-58-11-47-28-26-53l-20-116q-2-14-14-26t-28-12q-20 0-40 7t-42 17-43 17-43 8q-50 0-80-37-14-16-32-43t-35-59-29-61-12-52q0-39 22-64t50-45 49-38 23-43q0-25-22-43t-50-39-50-45-23-64q0-22 12-52t30-60 37-58 33-45q31-37 79-37 20 0 42 7t43 17 40 17 36 8q21 0 32-11t16-30 8-41 7-46 11-45 24-38q12-12 29-19t37-10 40-5 39-1h15q27 0 57 1t58 11 46 28 26 53l20 116q3 18 16 27t31 10q17 0 37-7t41-17 42-17 42-8q23 0 44 10t36 28q14 17 32 44t36 58 29 61 12 52q0 39-22 64t-50 45-49 38-23 43zm-128 0q0-37 12-64t31-50 45-42 52-42q-13-30-29-58t-36-54q-36 13-76 29t-80 16q-24 0-44-6t-42-18q-33-19-51-42t-27-51-13-59-11-67q-16-2-32-3t-33-1q-17 0-33 1t-32 3q-7 35-11 66t-14 58-28 52-51 43q-21 13-41 18t-45 6q-40 0-79-16t-76-30q-38 51-66 112 26 22 51 42t45 42 32 50 12 65q0 37-12 64t-31 50-45 42-52 42q13 30 29 58t36 54q35-13 74-29t79-16q32 0 61 10t52 30 39 46 22 58l17 99q17 2 32 3t33 1q17 0 33-1t33-3q5-30 9-59t13-57 24-52 43-43q23-15 48-23t53-9q18 0 38 5t40 12 39 15 37 14q38-51 66-112-26-22-51-42t-45-42-32-50-12-65zm-207 0q0 27-10 50t-27 40-41 28-50 10q-27 0-50-10t-41-27-27-40-10-51q0-27 10-50t27-40 41-28 50-10q26 0 49 10t41 27 28 41 10 50zm768 832q0 26-19 45l-128 128q-19 19-45 19t-45-19-19-45q0-23 11-36t27-28H504q-75 0-143-30t-120-82-82-120-31-144v-328q0-26 19-45t45-19q26 0 45 19t19 45v325q0 50 20 95t55 80 80 55 96 21h1195q-14-14-26-28t-12-36q0-26 19-45t45-19q26 0 45 19l128 128q19 19 19 45z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.9 KiB

22
windows/security/images/icons/registry.svg Normal file
View File

@ -0,0 +1,22 @@
<svg id="b9b1f1bd-1131-4ac5-b607-ad500ee51398" data-name="fluent_icons" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="18" height="18" viewBox="0 0 18 18">
<defs>
<linearGradient id="b0b22e7a-bfc7-4dec-91e9-5f981ed97407" x1="8.55" y1="0.41" x2="8.48" y2="18.62" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#76bc2d" />
<stop offset="0.32" stop-color="#73b82c" />
<stop offset="0.65" stop-color="#6cab29" />
<stop offset="0.99" stop-color="#5e9724" />
<stop offset="1" stop-color="#5e9624" />
</linearGradient>
<linearGradient id="e827adc5-7c19-488a-9b2c-abb70d46ae5e" x1="14.75" y1="5.9" x2="14.75" y2="1.1" gradientTransform="translate(18.1 -11.21) rotate(90)" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#0078d4" />
<stop offset="0.17" stop-color="#1c84dc" />
<stop offset="0.38" stop-color="#3990e4" />
<stop offset="0.59" stop-color="#4d99ea" />
<stop offset="0.8" stop-color="#5a9eee" />
<stop offset="1" stop-color="#5ea0ef" />
</linearGradient>
</defs>
<title>Icon-general-18</title>
<path d="M6.27,13.29h4.49v4.49H6.27ZM1,3.43V7.3h4.5V2.81H1.65A.63.63,0,0,0,1,3.43ZM1,17.16a.63.63,0,0,0,.63.62H5.52V13.29H1Zm0-4.62h4.5V8.05H1Zm10.49,5.24h3.87a.62.62,0,0,0,.62-.62V13.29H11.51ZM6.27,12.54h4.49V8.05H6.27Zm5.24-4.49v4.49H16V8.05ZM6.27,7.3h4.49V2.81H6.27Z" fill="url(#b0b22e7a-bfc7-4dec-91e9-5f981ed97407)" />
<rect x="12.2" y="1.14" width="4.8" height="4.8" rx="0.25" transform="translate(5.14 15.21) rotate(-64.59)" fill="url(#e827adc5-7c19-488a-9b2c-abb70d46ae5e)" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.6 KiB

3
windows/security/images/icons/windows-os.svg Normal file
View File

@ -0,0 +1,3 @@
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 2048 2048" width="18" height="18" >
<path d="M0 0h961v961H0V0zm1087 0h961v961h-961V0zM0 1087h961v961H0v-961zm1087 0h961v961h-961v-961z" fill="#0078D4" />
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 215 B

BIN
windows/security/information-protection/images/pluton/pluton-firmware-load.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 197 KiB

BIN
windows/security/information-protection/images/pluton/pluton-security-architecture.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 74 KiB

124
windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md Normal file
View File

@ -0,0 +1,124 @@
---
title: Configure Personal Data Encryption (PDE) in Intune
description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune
author: frankroj
ms.author: frankroj
ms.reviewer: rafals
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 09/22/2022
---
<!-- Max 5963468 OS 32516487 -->
# Configure Personal Data Encryption (PDE) policies in Intune
## Required prerequisites
### Enable Personal Data Encryption (PDE)
1. Sign into the Intune
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Templates**
6. Under **Template name**, select **Custom**, and then select **Create**
7. On the ****Basics** tab:
1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description
8. Select **Next**
9. On the **Configuration settings** tab, select **Add**
10. In the **Add Row** window:
1. Next to **Name**, enter **Personal Data Encryption**
2. Next to **Description**, enter a description
3. Next to **OMA-URI**, enter in **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
4. Next to **Data type**, select **Integer**
5. Next to **Value**, enter in **1**
11. Select **Save**, and then select **Next**
12. On the **Assignments** tab:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the PDE policy should be deployed to
3. Select **Select**
4. Select **Next**
13. On the **Applicability Rules** tab, configure if necessary and then select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
#### Disable Winlogon automatic restart sign-on (ARSO)
1. Sign into the Intune
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Templates**
6. Under **Template name**, select **Administrative templates**, and then select **Create**
7. On the ****Basics** tab:
1. Next to **Name**, enter **Disable ARSO**
2. Next to **Description**, enter a description
8. Select **Next**
9. On the **Configuration settings** tab, under **Computer Configuration**, navigate to **Windows Components** > **Windows Logon Options**
10. Select **Sign-in and lock last interactive user automatically after a restart**
11. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**
12. Select **Next**
13. On the **Scope tags** tab, configure if necessary and then select **Next**
12. On the **Assignments** tab:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the ARSO policy should be deployed to
3. Select **Select**
4. Select **Next**
13. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
## Recommended prerequisites
#### Disable crash dumps
1. Sign into the Intune
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. On the ****Basics** tab:
1. Next to **Name**, enter **Disable Hibernation**
2. Next to **Description**, enter a description
7. Select **Next**
8. On the **Configuration settings** tab, select **Add settings**
9. In the **Settings picker** windows, select **Memory Dump**
10. When the settings appear in the lower pane, under **Setting name**, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change both **Allow Live Dump** and **Allow Crash Dump** to **Block**, and then select **Next**
12. On the **Scope tags** tab, configure if necessary and then select **Next**
13. On the **Assignments** tab:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the crash dumps policy should be deployed to
3. Select **Select**
4. Select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
#### Disable hibernation
1. Sign into the Intune
2. Navigate to **Devices** > **Configuration Profiles**
3. Select **Create profile**
4. Under **Platform**, select **Windows 10 and later**
5. Under **Profile type**, select **Settings catalog**, and then select **Create**
6. On the ****Basics** tab:
1. Next to **Name**, enter **Disable Hibernation**
2. Next to **Description**, enter a description
7. Select **Next**
8. On the **Configuration settings** tab, select **Add settings**
9. In the **Settings picker** windows, select **Power**
10. When the settings appear in the lower pane, under **Setting name**, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window
11. Change **Allow Hibernate** to **Block**, and then select **Next**
12. On the **Scope tags** tab, configure if necessary and then select **Next**
13. On the **Assignments** tab:
1. Under **Included groups**, select **Add groups**
2. Select the groups that the hibernation policy should be deployed to
3. Select **Select**
4. Select **Next**
14. On the **Review + create** tab, review the configuration to make sure everything is configured correctly, and then select **Create**
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)

74
windows/security/information-protection/personal-data-encryption/faq-pde.yml Normal file
View File

@ -0,0 +1,74 @@
### YamlMime:FAQ
metadata:
title: Frequently asked questions for Personal Data Encryption (PDE)
description: Answers to common questions regarding Personal Data Encryption (PDE).
author: frankroj
ms.author: frankroj
ms.reviewer: rafals
manager: aaroncz
ms.topic: faq
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 09/22/2022
title: Frequently asked questions for Personal Data Encryption (PDE)
summary: |
Here are some answers to common questions regarding Personal Data Encryption (PDE)
sections:
- name: Single section - ignored
questions:
- question: Can PDE encrypt entire volumes or drives?
answer: |
No. PDE only encrypts specified files.
- question: Is PDE a replacement for BitLocker?
answer: |
No. It's still recommended to encrypt all volumes with BitLocker Drive Encryption for increased security.
- question: Can an IT admin specify which files should be encrypted?
answer: |
Yes, but it can only be done using the PDE APIs.
- question: Do I need to use OneDrive as my backup provider?
answer: |
No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
- question: What is the relation between Windows Hello for Business and PDE?
answer: |
Windows Hello for Business unlocks PDE encryption keys during user sign on.
- question: Can a file be encrypted with both PDE and EFS at the same time?
answer: |
No. PDE and EFS are mutually exclusive.
- question: Can a PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
answer: |
No. Accessing PDE encrypted files over RDP isn't currently supported.
- question: Can a PDE encrypted files be access via a network share?
answer: |
No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
- question: How can it be determined if a file is encrypted with PDE?
answer: |
Encrypted files will show a padlock on the file's icon. Additionally, `cipher.exe` can be used to show the encryption state of the file.
- question: Can users manually encrypt and decrypt files with PDE?
answer: |
Currently users can decrypt files manually but they can't encrypt files manually.
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?
answer: |
No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
- question: What encryption method and strength does PDE use?
answer: |
PDE uses AES-256 to encrypt files
additionalContent: |
## See also
- [Personal Data Encryption (PDE)](overview-pde.md)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)

27
windows/security/information-protection/personal-data-encryption/includes/pde-description.md Normal file
View File

@ -0,0 +1,27 @@
---
title: Personal Data Encryption (PDE) description
description: Personal Data Encryption (PDE) description include file
author: frankroj
ms.author: frankroj
ms.reviewer: rafals
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 09/22/2022
---
<!-- Max 5963468 OS 32516487 -->
Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
PDE is also accessibility friendly. For example, The BitLocker PIN entry screen doesn't have accessibility options. PDE however uses Windows Hello for Business, which does have accessibility features.
Unlike BitLocker that releases data encryption keys at boot, PDE doesn't release data encryption keys until a user signs in using Windows Hello for Business. Users will only be able to access their PDE encrypted files once they've signed into Windows using Windows Hello for Business. Additionally, PDE has the ability to also discard the encryption keys when the device is locked.
> [!NOTE]
> PDE is currently only available to developers via [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). There is no user interface in Windows to either enable PDE or encrypt files via PDE. Also, although there is an MDM policy that can enable PDE, there are no MDM policies that can be used to encrypt files via PDE.

142
windows/security/information-protection/personal-data-encryption/overview-pde.md Normal file
View File

@ -0,0 +1,142 @@
---
title: Personal Data Encryption (PDE)
description: Personal Data Encryption unlocks user encrypted files at user sign in instead of at boot.
author: frankroj
ms.author: frankroj
ms.reviewer: rafals
manager: aaroncz
ms.topic: how-to
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
ms.date: 09/22/2022
---
<!-- Max 5963468 OS 32516487 -->
# Personal Data Encryption (PDE)
(*Applies to: Windows 11, version 22H2 and later Enterprise and Education editions*)
[!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)]
## Prerequisites
### **Required**
- [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join)
- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md)
- Windows 11, version 22H2 and later Enterprise and Education editions
### **Not supported with PDE**
- [FIDO/security key authentication](../../identity-protection/hello-for-business/microsoft-compatible-security-key.md)
- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
- For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](configure-pde-in-intune.md#disable-winlogon-automatic-restart-sign-on-arso)).
- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md)
- [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- Remote Desktop connections
### **Highly recommended**
- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
- Backup solution such as [OneDrive](/onedrive/onedrive)
- In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
- Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
- [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
- Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
- Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
## PDE protection levels
PDE uses AES-256 to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
| Item | Level 1 | Level 2 |
|---|---|---|
| Data is accessible when user is signed in | Yes | Yes |
| Data is accessible when user has locked their device | Yes | No |
| Data is accessible after user signs out | No | No |
| Data is accessible when device is shut down | No | No |
| Decryption keys discarded | After user signs out | After user locks device or signs out |
## PDE encrypted files accessibility
When a file is encrypted with PDE, its icon will show a padlock. If the user hasn't signed in locally with Windows Hello for Business or an unauthorized user attempts to access a PDE encrypted file, they'll be denied access to the file.
Scenarios where a user will be denied access to a PDE encrypted file include:
- User has signed into Windows via a password instead of signing in with Windows Hello for Business biometric or PIN.
- If specified via level 2 protection, when the device is locked.
- When trying to access files on the device remotely. For example, UNC network paths.
- Remote Desktop sessions.
- Other users on the device who aren't owners of the file, even if they're signed in via Windows Hello for Business and have permissions to navigate to the PDE encrypted files.
## How to enable PDE
To enable PDE on devices, push an MDM policy to the devices with the following parameters:
- Name: **Personal Data Encryption**
- OMA-URI: **./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption**
- Data type: **Integer**
- Value: **1**
There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-csp) available for MDM solutions that support it.
> [!NOTE]
> Enabling the PDE policy on devices only enables the PDE feature. It does not encrypt any files. To encrypt files, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager) to create custom applications and scripts to specify which files to encrypt and at what level to encrypt the files. Additionally, files will not encrypt via the APIs until this policy has been enabled.
For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](configure-pde-in-intune.md#enable-personal-data-encryption-pde).
## Differences between PDE and BitLocker
| Item | PDE | BitLocker |
|--|--|--|
| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
| Encryption keys discarded | At user sign out | At reboot |
| Files encrypted | Individual specified files | Entire volume/drive |
| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
## Differences between PDE and EFS
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
To see if a file is encrypted with PDE or EFS:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
3. In the **Advanced Attributes** windows, select **Details**
For PDE encrypted files, under **Protection status:** there will be an item listed as **Personal Data Encryption is:** and it will have the attribute of **On**.
For EFS encrypted files, under **Users who can access this file:**, there will be a **Certificate thumbprint** next to the users with access to the file. There will also be a section at the bottom labeled **Recovery certificates for this file as defined by recovery policy:**.
Encryption information including what encryption method is being used can be obtained with the command line `cipher.exe /c` command.
## Disable PDE and decrypt files
Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using `cipher.exe`.
In certain scenarios a user may be able to manually decrypt a file using the following steps:
1. Open the properties of the file
2. Under the **General** tab, select **Advanced...**
3. Uncheck the option **Encrypt contents to secure data**
4. Select **OK**, and then **OK** again
> [!Important]
> Once a user selects to manually decrypt a file, they will not be able to manually encrypt the file again.
## Windows out of box applications that support PDE
Certain Windows applications support PDE out of the box. If PDE is enabled on a device, these applications will utilize PDE.
- Mail
- Supports encrypting both email bodies and attachments
## See also
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)

52
windows/security/information-protection/pluton/microsoft-pluton-security-processor.md Normal file
View File

@ -0,0 +1,52 @@
---
title: Microsoft Pluton security processor
description: Learn more about Microsoft Pluton security processor
ms.reviewer:
ms.prod: m365-security
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.localizationpriority: medium
ms.collection:
- M365-security-compliance
ms.topic: conceptual
ms.date: 09/15/2022
appliesto:
- ✅ <b>Windows 11, version 22H2</b>
---
# Microsoft Pluton security processor
Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
Microsoft Pluton is currently available on devices with Ryzen 7000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
## What is Microsoft Pluton?
Designed by Microsoft and built by silicon partners, Microsoft Pluton is a secure crypto-processor built into the CPU for security at the core to ensure code integrity and the latest protection with updates delivered by Microsoft through Windows Update. Pluton protects credentials, identities, personal data and encryption keys. Information is significantly harder to be removed even if an attacker has installed malware or has complete physical possession of the PC.
Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module as well as deliver other security functionality beyond what is possible with the TPM 2.0 specification, and allows for additional Pluton firmware and OS features to be delivered over time via Windows Update. For more information, see [Microsoft Pluton as TPM](pluton-as-tpm.md).
Pluton is built on proven technology used in Xbox and Azure Sphere, and provides hardened integrated security capabilities to Windows 11 devices in collaboration with leading silicon partners. For more information, see [Meet the Microsoft Pluton processor The security chip designed for the future of Windows PCs](https://www.microsoft.com/security/blog/2020/11/17/meet-the-microsoft-pluton-processor-the-security-chip-designed-for-the-future-of-windows-pcs/).
## Microsoft Pluton security architecture overview
![Diagram showing the Microsoft Pluton security processor architecture](../images/pluton/pluton-security-architecture.png)
Pluton Security subsystem consists of the following layers:
| | Description |
|--|--|
| **Hardware** | Pluton Security Processor is a secure element tightly integrated into the SoC subsystem. It provides a trusted execution environment while delivering cryptographic services required for protecting sensitive resources and critical items like keys, data, etc. |
| **Firmware** | Microsoft authorized firmware provides required secure features and functionality, and exposes interfaces that operating system software and applications can use to interact with Pluton. The firmware is stored in the flash storage available on the motherboard. When the system boots, the firmware is loaded as a part of Pluton Hardware initialization. During Windows startup, a copy of this firmware (or the latest firmware obtained from Windows Update, if available) is loaded in the operating system. For additional information, see [Firmware load flow](#firmware-load-flow) |
| **Software** | Operating system drivers and applications available to an end user to allow seamless usage of the hardware capabilities provided by the Pluton security subsystem. |
## Firmware load flow
When the system boots, Pluton hardware initialization is performed by loading the Pluton firmware from the Serial Peripheral Interface (SPI) flash storage available on the motherboard. During Windows startup however, the latest version of the Pluton firmware is used by the operating system. If newer firmware is not available, Windows uses the firmware that was loaded during the hardware initialization. The diagram below illustrates this process:
![Diagram showing the Microsoft Pluton Firmware load flow](../images/pluton/pluton-firmware-load.png)
## Related topics
[Microsoft Pluton as TPM](pluton-as-tpm.md)

50
windows/security/information-protection/pluton/pluton-as-tpm.md Normal file
View File

@ -0,0 +1,50 @@
---
title: Microsoft Pluton as Trusted Platform Module (TPM 2.0)
description: Learn more about Microsoft Pluton security processor as Trusted Platform Module (TPM 2.0)
ms.reviewer:
ms.prod: m365-security
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
ms.localizationpriority: medium
ms.collection:
- M365-security-compliance
ms.topic: conceptual
ms.date: 09/15/2022
appliesto:
- ✅ <b>Windows 11, version 22H2</b>
---
# Microsoft Pluton as Trusted Platform Module
Microsoft Pluton is designed to provide the functionality of the Trusted Platform Module (TPM) thereby establishing the silicon root of trust. Microsoft Pluton supports the TPM 2.0 industry standard allowing customers to immediately benefit from the enhanced security in Windows features that rely on TPM including BitLocker, Windows Hello, and Windows Defender System Guard.
As with other TPMs, credentials, encryption keys, and other sensitive information cannot be easily extracted from Pluton even if an attacker has installed malware or has complete physical possession of the device. Storing sensitive data like encryption keys securely within the Pluton processor, which is isolated from the rest of the system, helps ensure that emerging attack techniques such as speculative execution cannot access key material.
Pluton also solves the major security challenge of keeping its own root-of-trust firmware up to date across the entire PC ecosystem, by delivering firmware updates from Windows Update. Today customers receive updates to their security firmware from a variety of different sources, which may make it difficult for them to apply these updates.
To learn more about the TPM related scenarios that benefit from Pluton, see [TPM and Windows Features](/windows/security/information-protection/tpm/tpm-recommendations#tpm-and-windows-features).
## Microsoft Pluton as a security processor alongside discrete TPM
Microsoft Pluton can be used as a TPM, or in conjunction with a TPM. Although Pluton builds security directly into the CPU, device manufacturers may choose to use discrete TPM as the default TPM, while having Pluton available to the system as a security processor for use cases beyond the TPM.
Pluton is integrated within the SoC subsystem, and provides a flexible, updatable platform for running firmware that implements end-to-end security functionality authored, maintained, and updated by Microsoft. We encourage users owning devices that are Pluton capable, to enable Microsoft Pluton as the default TPM.
## Enable Microsoft Pluton as TPM
Devices with Ryzen 7000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device.
UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM.
> [!WARNING]
> If BitLocker is enabled, We recommend disabling BitLocker before changing the TPM configuration to prevent lockouts. After changing TPM configuration, re-enable BitLocker which will then bind the BitLocker keys with the Pluton TPM. Alternatively, save the BitLocker recovery key onto a USB drive.
>
> Windows Hello must be re-configured after switching the TPM. Setup alternate login methods before changing the TPM configuration to prevent any login issues.
> [!TIP]
> On most Lenovo devices, entering the UEFI options requires pressing Enter key at startup followed by pressing F1. In the UEFI Setup menu, select Security option, then on the Security page, select Security Chip option, to see the TPM configuration options. Under the drop-down list for Security Chip selection, select **MSFT Pluton** and click F10 to Save and Exit.
## Related topics
[Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor)

99
windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md Normal file
View File

@ -0,0 +1,99 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
ms.prod: m365-security
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: v-mathavale
ms.author: v-mathavale
audience: IT Admin
ms.localizationpriority: medium
ms.date: 06/21/2022
ms.reviewer: paoloma
manager: aaroncz
ms.technology: windows-sec
adobe-target: true
appliesto:
- ✅ <b>Windows 11, version 22H2</b>
---
# Enhanced Phishing Protection in Microsoft Defender SmartScreen
Starting in Windows 11 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways:
- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account
- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password
- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file
## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen
Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are:
- **Anti-phishing support:** Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content
- **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information, etc.) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them
- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the M365D Portal. This enables you to view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment
- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, are not enabled.
## Configure Enhanced Phishing Protection for your organization
Enhanced Phishing Protection can be configured via Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service like Microsoft Intune. Follow the instructions below to configure your devices using either GPO or CSP.
#### [✅ **GPO**](#tab/gpo)
Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings:
|Setting|Description|
|---------|---------|
|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender.<br><br> If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.<br><br> If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.|
|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password. <br><br>If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.|
|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it. <br><br> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.|
|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.<br><br> If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.<br> <br> If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
#### [✅ **CSP**](#tab/csp)
Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP](/windows/client-management/mdm/policy-csp-webthreatdefense).
| Setting | OMA-URI | Data type |
|-------------------------|---------------------------------------------------------------------------|-----------|
| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
---
### Recommended settings for your organization
By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it is recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings.
#### [✅ **GPO**](#tab/gpo)
|Group Policy setting|Recommendation|
|---------|---------|
|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.|
|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. It encourages users to change their password.|
|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
#### [✅ **CSP**](#tab/csp)
|MDM setting|Recommendation|
|---------|---------|
|ServiceEnabled|**1**:Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users.|
|NotifyMalicious|**1**:Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
|NotifyPasswordReuse|**1**:Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
|NotifyUnsafeApp|**1**:Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
---
## Related articles
- [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md)
- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [Threat protection](../index.md)
- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md)
- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference)

610
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -3,313 +3,309 @@
- name: About application control for Windows
href: windows-defender-application-control.md
expanded: true
items:
items:
- name: WDAC and AppLocker Overview
href: wdac-and-applocker-overview.md
items:
- name: WDAC and AppLocker Feature Availability
href: feature-availability.md
- name: Virtualization-based protection of code integrity
href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: WDAC design guide
href: windows-defender-application-control-design-guide.md
items:
- name: Plan for WDAC policy lifecycle management
href: plan-windows-defender-application-control-management.md
- name: Design your WDAC policy
items:
- name: Understand WDAC policy design decisions
href: understand-windows-defender-application-control-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules
href: select-types-of-rules-to-create.md
items:
- name: Allow apps installed by a managed installer
href: configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG)
href: use-windows-defender-application-control-with-intelligent-security-graph.md
- name: Allow COM object registration
href: allow-com-object-registration-in-windows-defender-application-control-policy.md
- name: Use WDAC with .NET hardening
href: use-windows-defender-application-control-with-dynamic-code-security.md
- name: Manage packaged apps with WDAC
href: manage-packaged-apps-with-windows-defender-application-control.md
- name: Use WDAC to control specific plug-ins, add-ins, and modules
href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand WDAC policy settings
href: understanding-wdac-policy-settings.md
- name: Use multiple WDAC policies
href: deploy-multiple-windows-defender-application-control-policies.md
- name: Create your WDAC policy
items:
- name: Example WDAC base policies
href: example-wdac-base-policies.md
- name: Policy creation for common WDAC usage scenarios
href: types-of-devices.md
items:
- name: Create a WDAC policy for lightly managed devices
href: create-wdac-policy-for-lightly-managed-devices.md
- name: Create a WDAC policy for fully managed devices
href: create-wdac-policy-for-fully-managed-devices.md
- name: Create a WDAC policy for fixed-workload devices
href: create-initial-default-policy.md
- name: Create a WDAC deny list policy
href: create-wdac-deny-policy.md
- name: Microsoft recommended block rules
href: microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules
href: microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool
href: wdac-wizard.md
items:
- name: Create a base WDAC policy with the Wizard
href: wdac-wizard-create-base-policy.md
- name: Create a supplemental WDAC policy with the Wizard
href: wdac-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard
href: wdac-wizard-editing-policy.md
- name: Merging multiple WDAC policies with the Wizard
href: wdac-wizard-merging-policies.md
- name: WDAC deployment guide
href: windows-defender-application-control-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with group policy
href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Audit WDAC policies
href: audit-windows-defender-application-control-policies.md
- name: Merge WDAC policies
href: merge-windows-defender-application-control-policies.md
- name: Enforce WDAC policies
href: enforce-windows-defender-application-control-policies.md
- name: Use code signing to simplify application control for classic Windows applications
href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
items:
- name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
- name: "Optional: Create a code signing cert for WDAC"
href: create-code-signing-cert-for-windows-defender-application-control.md
- name: Deploy catalog files to support WDAC
href: deploy-catalog-files-to-support-windows-defender-application-control.md
- name: Use signed policies to protect Windows Defender Application Control against tampering
href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- name: Disable WDAC policies
href: disable-windows-defender-application-control-policies.md
- name: LOB Win32 Apps on S Mode
href: LOB-win32-apps-on-s.md
- name: WDAC operational guide
href: windows-defender-application-control-operational-guide.md
items:
- name: Understanding Application Control event tags
href: event-tag-explanations.md
- name: Understanding Application Control event IDs
href: event-id-explanations.md
- name: Query WDAC events with Advanced hunting
href: querying-application-control-events-centrally-using-advanced-hunting.md
- name: Known Issues
href: operations/known-issues.md
- name: Managed installer and ISG technical reference and troubleshooting guide
href: configure-wdac-managed-installer.md
- name: WDAC AppId Tagging guide
href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
- name: WDAC and AppLocker Feature Availability
href: feature-availability.md
- name: Virtualization-based protection of code integrity
href: ../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: WDAC design guide
href: windows-defender-application-control-design-guide.md
items:
- name: Plan for WDAC policy lifecycle management
href: plan-windows-defender-application-control-management.md
- name: Design your WDAC policy
items:
- name: Creating AppId Tagging Policies
href: AppIdTagging/design-create-appid-tagging-policies.md
- name: Deploying AppId Tagging Policies
href: AppIdTagging/deploy-appid-tagging-policies.md
- name: Testing and Debugging AppId Tagging Policies
href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
- name: AppLocker
href: applocker\applocker-overview.md
items:
- name: Administer AppLocker
href: applocker\administer-applocker.md
items:
- name: Maintain AppLocker policies
href: applocker\maintain-applocker-policies.md
- name: Edit an AppLocker policy
href: applocker\edit-an-applocker-policy.md
- name: Test and update an AppLocker policy
href: applocker\test-and-update-an-applocker-policy.md
- name: Deploy AppLocker policies by using the enforce rules setting
href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- name: Use the AppLocker Windows PowerShell cmdlets
href: applocker\use-the-applocker-windows-powershell-cmdlets.md
- name: Use AppLocker and Software Restriction Policies in the same domain
href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
- name: Optimize AppLocker performance
href: applocker\optimize-applocker-performance.md
- name: Monitor app usage with AppLocker
href: applocker\monitor-application-usage-with-applocker.md
- name: Manage packaged apps with AppLocker
href: applocker\manage-packaged-apps-with-applocker.md
- name: Working with AppLocker rules
href: applocker\working-with-applocker-rules.md
items:
- name: Create a rule that uses a file hash condition
href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
- name: Create a rule that uses a path condition
href: applocker\create-a-rule-that-uses-a-path-condition.md
- name: Create a rule that uses a publisher condition
href: applocker\create-a-rule-that-uses-a-publisher-condition.md
- name: Create AppLocker default rules
href: applocker\create-applocker-default-rules.md
- name: Add exceptions for an AppLocker rule
href: applocker\configure-exceptions-for-an-applocker-rule.md
- name: Create a rule for packaged apps
href: applocker\create-a-rule-for-packaged-apps.md
- name: Delete an AppLocker rule
href: applocker\delete-an-applocker-rule.md
- name: Edit AppLocker rules
href: applocker\edit-applocker-rules.md
- name: Enable the DLL rule collection
href: applocker\enable-the-dll-rule-collection.md
- name: Enforce AppLocker rules
href: applocker\enforce-applocker-rules.md
- name: Run the Automatically Generate Rules wizard
href: applocker\run-the-automatically-generate-rules-wizard.md
- name: Working with AppLocker policies
href: applocker\working-with-applocker-policies.md
items:
- name: Configure the Application Identity service
href: applocker\configure-the-application-identity-service.md
- name: Configure an AppLocker policy for audit only
href: applocker\configure-an-applocker-policy-for-audit-only.md
- name: Configure an AppLocker policy for enforce rules
href: applocker\configure-an-applocker-policy-for-enforce-rules.md
- name: Display a custom URL message when users try to run a blocked app
href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
- name: Export an AppLocker policy from a GPO
href: applocker\export-an-applocker-policy-from-a-gpo.md
- name: Export an AppLocker policy to an XML file
href: applocker\export-an-applocker-policy-to-an-xml-file.md
- name: Import an AppLocker policy from another computer
href: applocker\import-an-applocker-policy-from-another-computer.md
- name: Import an AppLocker policy into a GPO
href: applocker\import-an-applocker-policy-into-a-gpo.md
- name: Add rules for packaged apps to existing AppLocker rule-set
href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
- name: Merge AppLocker policies by using Set-ApplockerPolicy
href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
- name: Merge AppLocker policies manually
href: applocker\merge-applocker-policies-manually.md
- name: Refresh an AppLocker policy
href: applocker\refresh-an-applocker-policy.md
- name: Test an AppLocker policy by using Test-AppLockerPolicy
href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
- name: AppLocker design guide
href: applocker\applocker-policies-design-guide.md
items:
- name: Understand AppLocker policy design decisions
href: applocker\understand-applocker-policy-design-decisions.md
- name: Determine your application control objectives
href: applocker\determine-your-application-control-objectives.md
- name: Create a list of apps deployed to each business group
href: applocker\create-list-of-applications-deployed-to-each-business-group.md
items:
- name: Document your app list
href: applocker\document-your-application-list.md
- name: Select the types of rules to create
href: applocker\select-types-of-rules-to-create.md
items:
- name: Document your AppLocker rules
href: applocker\document-your-applocker-rules.md
- name: Determine the Group Policy structure and rule enforcement
href: applocker\determine-group-policy-structure-and-rule-enforcement.md
items:
- name: Understand AppLocker enforcement settings
href: applocker\understand-applocker-enforcement-settings.md
- name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
- name: Document the Group Policy structure and AppLocker rule enforcement
href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
- name: Plan for AppLocker policy management
href: applocker\plan-for-applocker-policy-management.md
- name: AppLocker deployment guide
href: applocker\applocker-policies-deployment-guide.md
items:
- name: Understand the AppLocker policy deployment process
href: applocker\understand-the-applocker-policy-deployment-process.md
- name: Requirements for Deploying AppLocker Policies
href: applocker\requirements-for-deploying-applocker-policies.md
- name: Use Software Restriction Policies and AppLocker policies
href: applocker\using-software-restriction-policies-and-applocker-policies.md
- name: Create Your AppLocker policies
href: applocker\create-your-applocker-policies.md
items:
- name: Create Your AppLocker rules
href: applocker\create-your-applocker-rules.md
- name: Deploy the AppLocker policy into production
href: applocker\deploy-the-applocker-policy-into-production.md
items:
- name: Use a reference device to create and maintain AppLocker policies
href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
items:
- name: Determine which apps are digitally signed on a reference device
href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
- name: Configure the AppLocker reference device
href: applocker\configure-the-appLocker-reference-device.md
- name: AppLocker technical reference
href: applocker\applocker-technical-reference.md
items:
- name: What Is AppLocker?
href: applocker\what-is-applocker.md
- name: Requirements to use AppLocker
href: applocker\requirements-to-use-applocker.md
- name: AppLocker policy use scenarios
href: applocker\applocker-policy-use-scenarios.md
- name: How AppLocker works
href: applocker\how-applocker-works-techref.md
items:
- name: Understanding AppLocker rule behavior
href: applocker\understanding-applocker-rule-behavior.md
- name: Understanding AppLocker rule exceptions
href: applocker\understanding-applocker-rule-exceptions.md
- name: Understanding AppLocker rule collections
href: applocker\understanding-applocker-rule-collections.md
- name: Understanding AppLocker allow and deny actions on rules
href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
- name: Understanding AppLocker rule condition types
href: applocker\understanding-applocker-rule-condition-types.md
items:
- name: Understanding the publisher rule condition in AppLocker
href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
- name: Understanding the path rule condition in AppLocker
href: applocker\understanding-the-path-rule-condition-in-applocker.md
- name: Understanding the file hash rule condition in AppLocker
href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
- name: Understanding AppLocker default rules
href: applocker\understanding-applocker-default-rules.md
items:
- name: Executable rules in AppLocker
href: applocker\executable-rules-in-applocker.md
- name: Windows Installer rules in AppLocker
href: applocker\windows-installer-rules-in-applocker.md
- name: Script rules in AppLocker
href: applocker\script-rules-in-applocker.md
- name: DLL rules in AppLocker
href: applocker\dll-rules-in-applocker.md
- name: Packaged apps and packaged app installer rules in AppLocker
href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
- name: AppLocker architecture and components
href: applocker\applocker-architecture-and-components.md
- name: AppLocker processes and interactions
href: applocker\applocker-processes-and-interactions.md
- name: AppLocker functions
href: applocker\applocker-functions.md
- name: Security considerations for AppLocker
href: applocker\security-considerations-for-applocker.md
- name: Tools to Use with AppLocker
href: applocker\tools-to-use-with-applocker.md
items:
- name: Using Event Viewer with AppLocker
href: applocker\using-event-viewer-with-applocker.md
- name: AppLocker Settings
href: applocker\applocker-settings.md
- name: Windows security
href: /windows/security/
- name: Understand WDAC policy design decisions
href: understand-windows-defender-application-control-policy-design-decisions.md
- name: Understand WDAC policy rules and file rules
href: select-types-of-rules-to-create.md
items:
- name: Allow apps installed by a managed installer
href: configure-authorized-apps-deployed-with-a-managed-installer.md
- name: Allow reputable apps with Intelligent Security Graph (ISG)
href: use-windows-defender-application-control-with-intelligent-security-graph.md
- name: Allow COM object registration
href: allow-com-object-registration-in-windows-defender-application-control-policy.md
- name: Use WDAC with .NET hardening
href: use-windows-defender-application-control-with-dynamic-code-security.md
- name: Manage packaged apps with WDAC
href: manage-packaged-apps-with-windows-defender-application-control.md
- name: Use WDAC to control specific plug-ins, add-ins, and modules
href: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
- name: Understand WDAC policy settings
href: understanding-wdac-policy-settings.md
- name: Use multiple WDAC policies
href: deploy-multiple-windows-defender-application-control-policies.md
- name: Create your WDAC policy
items:
- name: Example WDAC base policies
href: example-wdac-base-policies.md
- name: Policy creation for common WDAC usage scenarios
href: types-of-devices.md
items:
- name: Create a WDAC policy for lightly managed devices
href: create-wdac-policy-for-lightly-managed-devices.md
- name: Create a WDAC policy for fully managed devices
href: create-wdac-policy-for-fully-managed-devices.md
- name: Create a WDAC policy for fixed-workload devices
href: create-initial-default-policy.md
- name: Create a WDAC deny list policy
href: create-wdac-deny-policy.md
- name: Microsoft recommended block rules
href: microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules
href: microsoft-recommended-driver-block-rules.md
- name: Use the WDAC Wizard tool
href: wdac-wizard.md
items:
- name: Create a base WDAC policy with the Wizard
href: wdac-wizard-create-base-policy.md
- name: Create a supplemental WDAC policy with the Wizard
href: wdac-wizard-create-supplemental-policy.md
- name: Editing a WDAC policy with the Wizard
href: wdac-wizard-editing-policy.md
- name: Merging multiple WDAC policies with the Wizard
href: wdac-wizard-merging-policies.md
- name: WDAC deployment guide
href: windows-defender-application-control-deployment-guide.md
items:
- name: Deploy WDAC policies with MDM
href: deployment/deploy-windows-defender-application-control-policies-using-intune.md
- name: Deploy WDAC policies with Configuration Manager
href: deployment/deploy-wdac-policies-with-memcm.md
- name: Deploy WDAC policies with script
href: deployment/deploy-wdac-policies-with-script.md
- name: Deploy WDAC policies with group policy
href: deployment/deploy-windows-defender-application-control-policies-using-group-policy.md
- name: Audit WDAC policies
href: audit-windows-defender-application-control-policies.md
- name: Merge WDAC policies
href: merge-windows-defender-application-control-policies.md
- name: Enforce WDAC policies
href: enforce-windows-defender-application-control-policies.md
- name: Use code signing to simplify application control for classic Windows applications
href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
items:
- name: "Optional: Use the WDAC Signing Portal in the Microsoft Store for Business"
href: use-device-guard-signing-portal-in-microsoft-store-for-business.md
- name: "Optional: Create a code signing cert for WDAC"
href: create-code-signing-cert-for-windows-defender-application-control.md
- name: Deploy catalog files to support WDAC
href: deploy-catalog-files-to-support-windows-defender-application-control.md
- name: Use signed policies to protect Windows Defender Application Control against tampering
href: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
- name: Disable WDAC policies
href: disable-windows-defender-application-control-policies.md
- name: LOB Win32 Apps on S Mode
href: LOB-win32-apps-on-s.md
- name: WDAC operational guide
href: windows-defender-application-control-operational-guide.md
items:
- name: Understanding Application Control event tags
href: event-tag-explanations.md
- name: Understanding Application Control event IDs
href: event-id-explanations.md
- name: Query WDAC events with Advanced hunting
href: querying-application-control-events-centrally-using-advanced-hunting.md
- name: Known Issues
href: operations/known-issues.md
- name: Managed installer and ISG technical reference and troubleshooting guide
href: configure-wdac-managed-installer.md
- name: WDAC AppId Tagging guide
href: AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
items:
- name: Creating AppId Tagging Policies
href: AppIdTagging/design-create-appid-tagging-policies.md
- name: Deploying AppId Tagging Policies
href: AppIdTagging/deploy-appid-tagging-policies.md
- name: Testing and Debugging AppId Tagging Policies
href: AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
- name: AppLocker
href: applocker\applocker-overview.md
items:
- name: Administer AppLocker
href: applocker\administer-applocker.md
items:
- name: Maintain AppLocker policies
href: applocker\maintain-applocker-policies.md
- name: Edit an AppLocker policy
href: applocker\edit-an-applocker-policy.md
- name: Test and update an AppLocker policy
href: applocker\test-and-update-an-applocker-policy.md
- name: Deploy AppLocker policies by using the enforce rules setting
href: applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md
- name: Use the AppLocker Windows PowerShell cmdlets
href: applocker\use-the-applocker-windows-powershell-cmdlets.md
- name: Use AppLocker and Software Restriction Policies in the same domain
href: applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md
- name: Optimize AppLocker performance
href: applocker\optimize-applocker-performance.md
- name: Monitor app usage with AppLocker
href: applocker\monitor-application-usage-with-applocker.md
- name: Manage packaged apps with AppLocker
href: applocker\manage-packaged-apps-with-applocker.md
- name: Working with AppLocker rules
href: applocker\working-with-applocker-rules.md
items:
- name: Create a rule that uses a file hash condition
href: applocker\create-a-rule-that-uses-a-file-hash-condition.md
- name: Create a rule that uses a path condition
href: applocker\create-a-rule-that-uses-a-path-condition.md
- name: Create a rule that uses a publisher condition
href: applocker\create-a-rule-that-uses-a-publisher-condition.md
- name: Create AppLocker default rules
href: applocker\create-applocker-default-rules.md
- name: Add exceptions for an AppLocker rule
href: applocker\configure-exceptions-for-an-applocker-rule.md
- name: Create a rule for packaged apps
href: applocker\create-a-rule-for-packaged-apps.md
- name: Delete an AppLocker rule
href: applocker\delete-an-applocker-rule.md
- name: Edit AppLocker rules
href: applocker\edit-applocker-rules.md
- name: Enable the DLL rule collection
href: applocker\enable-the-dll-rule-collection.md
- name: Enforce AppLocker rules
href: applocker\enforce-applocker-rules.md
- name: Run the Automatically Generate Rules wizard
href: applocker\run-the-automatically-generate-rules-wizard.md
- name: Working with AppLocker policies
href: applocker\working-with-applocker-policies.md
items:
- name: Configure the Application Identity service
href: applocker\configure-the-application-identity-service.md
- name: Configure an AppLocker policy for audit only
href: applocker\configure-an-applocker-policy-for-audit-only.md
- name: Configure an AppLocker policy for enforce rules
href: applocker\configure-an-applocker-policy-for-enforce-rules.md
- name: Display a custom URL message when users try to run a blocked app
href: applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
- name: Export an AppLocker policy from a GPO
href: applocker\export-an-applocker-policy-from-a-gpo.md
- name: Export an AppLocker policy to an XML file
href: applocker\export-an-applocker-policy-to-an-xml-file.md
- name: Import an AppLocker policy from another computer
href: applocker\import-an-applocker-policy-from-another-computer.md
- name: Import an AppLocker policy into a GPO
href: applocker\import-an-applocker-policy-into-a-gpo.md
- name: Add rules for packaged apps to existing AppLocker rule-set
href: applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
- name: Merge AppLocker policies by using Set-ApplockerPolicy
href: applocker\merge-applocker-policies-by-using-set-applockerpolicy.md
- name: Merge AppLocker policies manually
href: applocker\merge-applocker-policies-manually.md
- name: Refresh an AppLocker policy
href: applocker\refresh-an-applocker-policy.md
- name: Test an AppLocker policy by using Test-AppLockerPolicy
href: applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md
- name: AppLocker design guide
href: applocker\applocker-policies-design-guide.md
items:
- name: Understand AppLocker policy design decisions
href: applocker\understand-applocker-policy-design-decisions.md
- name: Determine your application control objectives
href: applocker\determine-your-application-control-objectives.md
- name: Create a list of apps deployed to each business group
href: applocker\create-list-of-applications-deployed-to-each-business-group.md
items:
- name: Document your app list
href: applocker\document-your-application-list.md
- name: Select the types of rules to create
href: applocker\select-types-of-rules-to-create.md
items:
- name: Document your AppLocker rules
href: applocker\document-your-applocker-rules.md
- name: Determine the Group Policy structure and rule enforcement
href: applocker\determine-group-policy-structure-and-rule-enforcement.md
items:
- name: Understand AppLocker enforcement settings
href: applocker\understand-applocker-enforcement-settings.md
- name: Understand AppLocker rules and enforcement setting inheritance in Group Policy
href: applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
- name: Document the Group Policy structure and AppLocker rule enforcement
href: applocker\document-group-policy-structure-and-applocker-rule-enforcement.md
- name: Plan for AppLocker policy management
href: applocker\plan-for-applocker-policy-management.md
- name: AppLocker deployment guide
href: applocker\applocker-policies-deployment-guide.md
items:
- name: Understand the AppLocker policy deployment process
href: applocker\understand-the-applocker-policy-deployment-process.md
- name: Requirements for Deploying AppLocker Policies
href: applocker\requirements-for-deploying-applocker-policies.md
- name: Use Software Restriction Policies and AppLocker policies
href: applocker\using-software-restriction-policies-and-applocker-policies.md
- name: Create Your AppLocker policies
href: applocker\create-your-applocker-policies.md
items:
- name: Create Your AppLocker rules
href: applocker\create-your-applocker-rules.md
- name: Deploy the AppLocker policy into production
href: applocker\deploy-the-applocker-policy-into-production.md
items:
- name: Use a reference device to create and maintain AppLocker policies
href: applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md
items:
- name: Determine which apps are digitally signed on a reference device
href: applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md
- name: Configure the AppLocker reference device
href: applocker\configure-the-appLocker-reference-device.md
- name: AppLocker technical reference
href: applocker\applocker-technical-reference.md
items:
- name: What Is AppLocker?
href: applocker\what-is-applocker.md
- name: Requirements to use AppLocker
href: applocker\requirements-to-use-applocker.md
- name: AppLocker policy use scenarios
href: applocker\applocker-policy-use-scenarios.md
- name: How AppLocker works
href: applocker\how-applocker-works-techref.md
items:
- name: Understanding AppLocker rule behavior
href: applocker\understanding-applocker-rule-behavior.md
- name: Understanding AppLocker rule exceptions
href: applocker\understanding-applocker-rule-exceptions.md
- name: Understanding AppLocker rule collections
href: applocker\understanding-applocker-rule-collections.md
- name: Understanding AppLocker allow and deny actions on rules
href: applocker\understanding-applocker-allow-and-deny-actions-on-rules.md
- name: Understanding AppLocker rule condition types
href: applocker\understanding-applocker-rule-condition-types.md
items:
- name: Understanding the publisher rule condition in AppLocker
href: applocker\understanding-the-publisher-rule-condition-in-applocker.md
- name: Understanding the path rule condition in AppLocker
href: applocker\understanding-the-path-rule-condition-in-applocker.md
- name: Understanding the file hash rule condition in AppLocker
href: applocker\understanding-the-file-hash-rule-condition-in-applocker.md
- name: Understanding AppLocker default rules
href: applocker\understanding-applocker-default-rules.md
items:
- name: Executable rules in AppLocker
href: applocker\executable-rules-in-applocker.md
- name: Windows Installer rules in AppLocker
href: applocker\windows-installer-rules-in-applocker.md
- name: Script rules in AppLocker
href: applocker\script-rules-in-applocker.md
- name: DLL rules in AppLocker
href: applocker\dll-rules-in-applocker.md
- name: Packaged apps and packaged app installer rules in AppLocker
href: applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md
- name: AppLocker architecture and components
href: applocker\applocker-architecture-and-components.md
- name: AppLocker processes and interactions
href: applocker\applocker-processes-and-interactions.md
- name: AppLocker functions
href: applocker\applocker-functions.md
- name: Security considerations for AppLocker
href: applocker\security-considerations-for-applocker.md
- name: Tools to Use with AppLocker
href: applocker\tools-to-use-with-applocker.md
items:
- name: Using Event Viewer with AppLocker
href: applocker\using-event-viewer-with-applocker.md
- name: AppLocker Settings
href: applocker\applocker-settings.md

9
windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
View File

@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@ -118,9 +118,6 @@ Alice follows these steps to complete this task:
7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
> [!NOTE]
> In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
```powershell
[xml]$LamnaPolicyXML = Get-Content $LamnaPolicy
$PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId

220
windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
View File

@ -13,9 +13,9 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 11/15/2019
ms.author: vinpa
manager: aaroncz
ms.date: 08/10/2022
ms.technology: windows-sec
---
@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@ -58,82 +58,103 @@ Based on the above, Alice defines the pseudo-rules for the policy:
- WHQL (third-party kernel drivers)
- Windows Store signed apps
2. **"MEMCM works”** rules that include signer and hash rules for Configuration Manager components to properly function.
3. **Allow Managed Installer** (Configuration Manager configured as a managed installer)
4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
5. **Admin-only path rules** for the following locations:
1. **"MEMCM works”** rules that include:
- Signer and hash rules for Configuration Manager components to properly function.
- **Allow Managed Installer** rule to authorize Configuration Manager as a managed installer.
1. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
1. **Signed apps** using a certificate issued by a Windows Trusted Root Program certificate authority
1. **Admin-only path rules** for the following locations:
- C:\Program Files\*
- C:\Program Files (x86)\*
- %windir%\*
## Create a custom base policy using an example WDAC base policy
Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use Configuration Manager to create the initial base policy and then customize it to meet Lamna's needs.
Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. Alice decides to use the example `SmartAppControl.xml` to create the initial base policy and then customize it to meet Lamna's needs.
Alice follows these steps to complete this task:
> [!NOTE]
> If you do not use Configuration Manager or prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the Configuration Manager policy path with your preferred example base policy.
1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
```powershell
$PolicyName= "Lamna_LightlyManagedClients_Audit"
$LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
$MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
```
3. Copy the policy created by Configuration Manager to the desktop:
```powershell
cp $MEMCMPolicy $LamnaPolicy
```
4. Give the new policy a unique ID, descriptive name, and initial version number:
```powershell
Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
```
5. Modify the copied policy to set policy rules:
```powershell
Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
Set-RuleOption -FilePath $LamnaPolicy -Option 6 # Unsigned Policy
Set-RuleOption -FilePath $LamnaPolicy -Option 9 # Advanced Boot Menu
Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
Set-RuleOption -FilePath $LamnaPolicy -Option 14 # ISG
Set-RuleOption -FilePath $LamnaPolicy -Option 16 # No Reboot
Set-RuleOption -FilePath $LamnaPolicy -Option 17 # Allow Supplemental
Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
```
6. Add rules to allow the Windows and Program Files directories:
```powershell
$PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
```
7. If appropriate, add more signer or file rules to further customize the policy for your organization.
8. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
1. On a client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
> [!NOTE]
> In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file.
> If you prefer to use a different [example Windows Defender Application Control base policy](example-wdac-base-policies.md), substitute the example policy path with your preferred base policy in this step.
```powershell
$WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
```
```powershell
$PolicyPath = $env:userprofile+"\Desktop\"
$PolicyName= "Lamna_LightlyManagedClients_Audit"
$LamnaPolicy=Join-Path $PolicyPath "$PolicyName.xml"
$ExamplePolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\SmartAppControl.xml"
```
9. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/), or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
1. Copy the example policy to the desktop:
```powershell
Copy-Item $ExamplePolicy $LamnaPolicy
```
1. Modify the policy to remove unsupported rule:
> [!NOTE]
> `SmartAppControl.xml` is available on Windows 11 version 22H2 and later. This policy includes "Enabled:Conditional Windows Lockdown Policy" rule that is unsupported for enterprise WDAC policies and must be removed. For more information, see [WDAC and Smart App Control](windows-defender-application-control.md#wdac-and-smart-app-control). If you are using an example policy other than `SmartAppControl.xml`, skip this step.
```powershell
[xml]$xml = Get-Content $LamnaPolicy
$ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
$ns.AddNamespace("ns", $xml.DocumentElement.NamespaceURI)
$node = $xml.SelectSingleNode("//ns:Rules/ns:Rule[ns:Option[.='Enabled:Conditional Windows Lockdown Policy']]", $ns)
$node.ParentNode.RemoveChild($node)
$xml.Save($LamnaPolicy)
```
1. Give the new policy a unique ID, descriptive name, and initial version number:
```powershell
Set-CIPolicyIdInfo -FilePath $LamnaPolicy -PolicyName $PolicyName -ResetPolicyID
Set-CIPolicyVersion -FilePath $LamnaPolicy -Version "1.0.0.0"
```
1. [Use Configuration Manager to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to the client device running Windows 10 version 1903 and above, or Windows 11. Merge the Configuration Manager policy with the example policy.
> [!NOTE]
> If you do not use Configuration Manager, skip this step.
```powershell
$MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml"
Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy,$MEMCMPolicy
Set-RuleOption -FilePath $LamnaPolicy -Option 13 # Managed Installer
```
1. Modify the policy to set additional policy rules:
```powershell
Set-RuleOption -FilePath $LamnaPolicy -Option 3 # Audit Mode
Set-RuleOption -FilePath $LamnaPolicy -Option 12 # Enforce Store Apps
Set-RuleOption -FilePath $LamnaPolicy -Option 19 # Dynamic Code Security
```
1. Add rules to allow the Windows and Program Files directories:
```powershell
$PathRules += New-CIPolicyRule -FilePathRule "%windir%\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files\*"
$PathRules += New-CIPolicyRule -FilePathRule "%OSDrive%\Program Files (x86)\*"
Merge-CIPolicy -OutputFilePath $LamnaPolicy -PolicyPaths $LamnaPolicy -Rules $PathRules
```
1. If appropriate, add more signer or file rules to further customize the policy for your organization.
1. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the Windows Defender Application Control policy to a binary format:
```powershell
[xml]$policyXML = Get-Content $LamnaPolicy
$WDACPolicyBin = Join-Path $PolicyPath "$($PolicyName)_$($policyXML.SiPolicy.PolicyID).cip"
ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin
```
1. Upload your base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
@ -141,44 +162,69 @@ At this point, Alice now has an initial policy that is ready to deploy in audit
In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
- **Users with administrative access**<br>
This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
- **Users with administrative access**
This is by far the most impactful security trade-off and allows the device user, or malware running with the user's privileges, to modify or remove the WDAC policy on the device. Additionally, administrators can configure any app to act as a managed installer, which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
Possible mitigations:
Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Use device attestation to detect the configuration state of WDAC at boot time and use that information to condition access to sensitive corporate resources.
- **Unsigned policies**<br>
Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
Possible mitigations:
- **Unsigned policies**
Unsigned policies can be replaced or removed without consequence by any process running as administrator. Unsigned base policies that also enable supplemental policies can have their "circle-of-trust" altered by any unsigned supplemental policy.
Possible mitigations:
- Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
- Limit who can elevate to administrator on the device.
- **Managed installer**<br>
See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Possible mitigations:
- **Managed installer**
See [security considerations with managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md#security-considerations-with-managed-installer)
Possible mitigations:
- Create and deploy signed catalog files as part of the app deployment process in order to remove the requirement for managed installer.
- Limit who can elevate to administrator on the device.
- **Intelligent Security Graph (ISG)**<br>
See [security considerations with the Intelligent Security Graph](/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph#security-considerations-with-the-isg-option)
Possible mitigations:
- **Intelligent Security Graph (ISG)**
See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-isg-option)
Possible mitigations:
- Implement policies requiring that apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
- **Supplemental policies**<br>
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
Possible mitigations:
- **Supplemental policies**
Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
Possible mitigations:
- Use signed WDAC policies that allow authorized signed supplemental policies only.
- Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
- **FilePath rules**<br>
See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
Possible mitigations:
- **FilePath rules**
See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
Possible mitigations:
- Limit who can elevate to administrator on the device.
- Migrate from filepath rules to managed installer or signature-based rules.
- **Signed files**
Although files that are code-signed verify the author's identity and ensures that the code has not been altered by anyone other than the author, it does not guarantee that the signed code is safe.
Possible mitigations:
- Use a reputable antimalware or antivirus software with real-time protection, such as Microsoft Defender, to protect your devices from malicious files, adware, and other threats.
## Up next
- [Create a Windows Defender Application Control policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)

11
windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
View File

@ -15,7 +15,7 @@ author: jsuther1974
ms.reviewer: jogeurte
ms.author: dansimp
manager: dansimp
ms.date: 11/15/2019
ms.date: 08/05/2022
ms.technology: windows-sec
---
@ -23,9 +23,9 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@ -39,7 +39,8 @@ When you create policies for use with Windows Defender Application Control (WDAC
| **DefaultWindows.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for all [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowMicrosoft.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](/windows/security/threat-protection/device-guard/memory-integrity) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using Windows Defender Application Control. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |
| **Device Guard Signing Service (DGSS) DefaultPolicy.xml** | This example policy is available in audit mode. It includes the rules from DefaultWindows and adds rules to trust apps signed with your organization-specific certificates issued by the DGSS. | [Device Guard Signing Service NuGet Package](https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client) |
| **MEM Configuration Manager** | Customers who use Configuration Manager can deploy a policy with Configuration Manager's built-in WDAC integration, and then use the generated policy XML as an example base policy. | %OSDrive%\Windows\CCM\DeviceGuard on a managed endpoint |
| **SmartAppControl.xml** | This example policy includes rules based on [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) that are well-suited for lightly managed systems. This policy includes a rule that is unsupported for enterprise WDAC policies and must be removed. For more information about using this example policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy)). | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies |

8
windows/security/threat-protection/windows-defender-application-control/index.yml
View File

@ -9,7 +9,7 @@ metadata:
# ms.subservice: Application-Control
# ms.topic: landing-page
# author: Kim Klein
# ms.author: Jordan Geurten
# ms.author: Jordan Geurten
# manager: Jeffrey Sutherland
# ms.update: 04/30/2021
# linkListType: overview | how-to-guide | tutorial | video
@ -21,13 +21,15 @@ landingContent:
linkLists:
- linkListType: overview
links:
- text: What is Application Control?
url: windows-defender-application-control.md
- text: What is Windows Defender Application Control (WDAC)?
url: wdac-and-applocker-overview.md
- text: What is AppLocker?
url: applocker\applocker-overview.md
- text: WDAC and AppLocker feature availability
url: feature-availability.md
# Card
url: feature-availability.md
# Card
- title: Learn about Policy Design
linkLists:
- linkListType: overview

33
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -17,14 +17,14 @@ ms.topic: reference
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control.
Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application allow policies, including Windows Defender Application Control:
@ -82,23 +82,21 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
|---|---|
| `Alex Ionescu` | `@aionescu`|
| `Brock Mammen`| |
| `Casey Smith` | `@subTee` |
| `Casey Smith` | `@subTee` |
| `James Forshaw` | `@tiraniddo` |
| `Jimmy Bayne` | `@bohops` |
| `Kim Oppalfens` | `@thewmiguy` |
| `Lasse Trolle Borup` | `Langkjaer Cyber Defence` |
| `Lee Christensen` | `@tifkin_` |
| `Matt Graeber` | `@mattifestation` |
| `Matt Nelson` | `@enigma0x3` |
| `Matt Graeber` | `@mattifestation` |
| `Matt Nelson` | `@enigma0x3` |
| `Oddvar Moe` | `@Oddvarmoe` |
| `Philip Tsukerman` | `@PhilipTsukerman` |
| `Vladas Bulavas` | `Kaspersky Lab` |
| `William Easton` | `@Strawgate` |
<br />
> [!Note]
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
> [!NOTE]
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered.
Certain software applications may allow other code to run by design. Such applications should be blocked by your Windows Defender Application Control policy. In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add *deny* rules to your application control policies for that applications previous, less secure versions.
@ -114,6 +112,10 @@ Microsoft recommends that you block the following Microsoft-signed applications
Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
<br>
<details>
<summary>Expand this section to see the WDAC policy XML</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
@ -900,8 +902,8 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_WSLCONFIG" />
<FileRuleRef RuleID="ID_DENY_WSLHOST" />
<!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-->
<FileRuleRef RuleID="ID_DENY_D_1" />
@ -1519,9 +1521,10 @@ Select the correct version of each .dll for the Windows release you plan to supp
<HvciOptions>0</HvciOptions>
</SiPolicy>
```
<br />
> [!Note]
</details>
> [!NOTE]
> To create a policy that works on both Windows 10, version 1803 and version 1809, you can create two different policies, or merge them into one broader policy.
## More information

152
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

@ -1,6 +1,6 @@
---
title: Microsoft recommended driver block rules (Windows)
description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
keywords: security, malware, kernel mode, driver
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
@ -20,28 +20,49 @@ manager: dansimp
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
>[!NOTE]
>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
- Hypervisor-protected code integrity (HVCI) enabled devices
- Windows 10 in S mode (S mode) devices
The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're quickly patched and rolled out to the ecosystem. The vulnerable driver blocklist is designed to help harden systems against third party-developed drivers across the Windows ecosystem with any of the following attributes:
- Known security vulnerabilities that can be exploited by attackers to elevate privileges in the Windows kernel
- Malicious behaviors (malware) or certificates used to sign malware
- Behaviors that aren't malicious but circumvent the Windows Security Model and can be exploited by attackers to elevate privileges in the Windows kernel
Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
Drivers can be submitted to Microsoft for security analysis at the [Microsoft Security Intelligence Driver Submission page](https://www.microsoft.com/en-us/wdsi/driversubmission). For more information about driver submission, see [Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center
](https://www.microsoft.com/security/blog/2021/12/08/improve-kernel-security-with-the-new-microsoft-vulnerable-and-malicious-driver-reporting-center/). To report an issue or request a change to the vulnerable driver blocklist, including updating a block rule once a driver vulnerability has been patched, visit the [Microsoft Security Intelligence portal](https://www.microsoft.com/wdsi) or submit feedback on this article.
## Microsoft vulnerable driver blocklist
<!-- MAXADO-6286432 -->
Microsoft adds the vulnerable versions of the drivers to our vulnerable driver blocklist, which is automatically enabled on devices when any of the listed conditions are met:
| Condition | Windows 10 or 11 | Windows 11 22H2 or later |
|--|:--:|:--:|
| Device has [Hypervisor-protected code integrity (HVCI)](../device-guard/enable-virtualization-based-protection-of-code-integrity.md) enabled | :heavy_check_mark: | :heavy_check_mark: |
| Device is in [S mode](https://support.microsoft.com/windows/windows-10-and-windows-11-in-s-mode-faq-851057d6-1ee9-b9e5-c30b-93baebeebc85#WindowsVersion=Windows_11) | :heavy_check_mark: | :heavy_check_mark: |
| Device has [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) enabled | :x: | :heavy_check_mark: |
| Clean install of Windows | :x: | :heavy_check_mark: |
> [!NOTE]
> Microsoft vulnerable driver blocklist can also be enabled using [Windows Security](https://support.microsoft.com/windows/device-protection-in-windows-security-afa11526-de57-b1c5-599f-3a4c6a61c5e2), but the option to disable it is grayed out when HVCI or Smart App Control is enabled, or when the device is in S mode. You must disable HVCI or Smart App Control, or switch the device out of S mode, and restart the device before you can disable Microsoft vulnerable driver blocklist.
## Blocking vulnerable drivers using WDAC
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking this list of drivers within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
> [!IMPORTANT]
> Microsoft also recommends enabling Attack Surface Reduction (ASR) rule [**Block abuse of exploited vulnerable signed drivers**](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-abuse-of-exploited-vulnerable-signed-drivers) to prevent an application from writing a vulnerable signed driver to disk. The ASR rule doesn't block a driver already existing on the system from being loaded, however enabling **Microsoft vulnerable driver blocklist** or applying this WDAC policy prevents the existing driver from being loaded.
<br>
<details>
<summary>Expand this section to see the blocklist WDAC policy XML</summary>
```xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
@ -52,7 +73,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Rule>
<Option>Enabled:Unsigned System Integrity Policy</Option>
</Rule>
<Rule>
<Rule>
<Option>Enabled:Audit Mode</Option>
</Rule>
<Rule>
@ -109,7 +130,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Deny ID="ID_DENY_BANDAI_SHA256" FriendlyName="bandai.sys Hash Sha256" Hash="7FD788358585E0B863328475898BB4400ED8D478466D1B7F5CC0252671456CC8" />
<Deny ID="ID_DENY_BANDAI_SHA1_PAGE" FriendlyName="bandai.sys Hash Page Sha1" Hash="EA360A9F23BB7CF67F08B88E6A185A699F0C5410" />
<Deny ID="ID_DENY_BANDAI_SHA256_PAGE" FriendlyName="bandai.sys Hash Page Sha256" Hash="BB83738210650E09307CE869ACA9BFA251024D3C47B1006B94FCE2846313F56E" />
<Deny ID="ID_DENY_BS_RCIO64_SHA1" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha1" Hash="4BFE9E5A5A25B7CDE6C81EBE31ED4ABEB5147FAF" />
<Deny ID="ID_DENY_BS_RCIO64_SHA1" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha1" Hash="4BFE9E5A5A25B7CDE6C81EBE31ED4ABEB5147FAF" />
<Deny ID="ID_DENY_BS_RCIO64_SHA256" FriendlyName="BS_RCIO64 73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Sha256" Hash="0381632CD236CD94FA9E64CCC958516AC50F9437F99092E231A607B1E6BE6CF8" />
<Deny ID="ID_DENY_BS_RCIO64_SHA1_PAGE" FriendlyName="BS_RCIO64 5651466512138240\73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Page Sha1" Hash="C28B640BECA5E2834D2A373F139869CC309F6631" />
<Deny ID="ID_DENY_BS_RCIO64_SHA256_PAGE" FriendlyName="BS_RCIO64 5651466512138240\73327429c505d8c5fd690a8ec019ed4fd5a726b607cabe71509111c7bfe9fc7e Hash Page Sha256" Hash="9378F7DFF94D9409D38FA1A125C52734D6BAEA90913FC3CEE2659FD36AB0DA29" />
@ -207,9 +228,9 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Deny ID="ID_DENY_DIRECTIO_34" FriendlyName="PassMark DirectIo.sys Hash Page Sha1" Hash="05E20D0274A4FCC5368F25C62174003A555917E7" />
<Deny ID="ID_DENY_DIRECTIO_35" FriendlyName="PassMark DirectIo.sys Hash Page Sha256" Hash="70344F2494D6B7EE4C5716E886D912447CFFE9695D2286814DC3CE0361727BBA" />
<Deny ID="ID_DENY_DIRECTIO_36" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="706686F2A1EF4738A1856D01AB10EB730FC7B327" />
<Deny ID="ID_DENY_DIRECTIO_37" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="B74246C8CB77B0364B7CECE38BFF5F462EEC983C" />
<Deny ID="ID_DENY_DIRECTIO_37" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B74246C8CB77B0364B7CECE38BFF5F462EEC983C" />
<Deny ID="ID_DENY_DIRECTIO_38" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="B423CA58603513B5D3A9669736D5E13C353FD6F9" />
<Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" />
<Deny ID="ID_DENY_DIRECTIO_39" FriendlyName="PassMark DirectIo.sys Hash Sha256" Hash="2FB5D7E6DB01C9090BBA92ABF580D38993E02CE9357E08FE1F224A9B18056E5A" />
<Deny ID="ID_DENY_DIRECTIO_3A" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="AE806CA05E141B71664D9C6F20CC2369EF26F996" />
<Deny ID="ID_DENY_DIRECTIO_3B" FriendlyName="PassMark DirectIo.sys Hash Sha1" Hash="D0559503988DAA407FCC11E59079560CB456BB84" />
<Deny ID="ID_DENY_MSIO_SHA1_1" FriendlyName="MsIo.sys Hash Sha1" Hash="0CB0FD5BEA730E4EAAEC1426B0C15376CCAC6D83" />
@ -401,7 +422,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_BSMI" FriendlyName="" FileName="BSMI.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.3" />
<FileAttrib ID="ID_FILEATTRIB_BS_HWMIO64" FriendlyName="" FileName="BS_HWMIO64_W10.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.1806.2200" />
<FileAttrib ID="ID_FILEATTRIB_BS_I2CIO" FriendlyName="" FileName="BS_I2cIo.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.1.0.0" />
<FileAttrib ID="ID_FILEATTRIB_BS_RCIO" FriendlyName="BS_RCIO.sys FileAttribute" FileName="BS_RCIO64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.0.1" />
<FileAttrib ID="ID_FILEATTRIB_BS_RCIO" FriendlyName="BS_RCIO.sys FileAttribute" FileName="BS_RCIO64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.0.0.1" />
<FileAttrib ID="ID_FILEATTRIB_NTIOLIB" FriendlyName="" FileName="NTIOLib.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_CPUZ_DRIVER" FriendlyName="" FileName="cpuz.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.4.3" />
<FileAttrib ID="ID_FILEATTRIB_ELBY_DRIVER" FriendlyName="" FileName="ElbyCDIO.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="6.0.3.2" />
@ -412,7 +433,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_LIBNICM_DRIVER" FriendlyName="" FileName="libnicm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_MTCBSV64" FriendlyName="mtcBSv64.sys FileAttribute" FileName="mtcBSv64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="21.2.0.0" />
<FileAttrib ID="ID_FILEATTRIB_NCHGBIOS2X64" FriendlyName="" FileName="NCHGBIOS2x64.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="4.2.4.0" />
<FileAttrib ID="ID_FILEATTRIB_NCPL_DRIVER" FriendlyName="" FileName="NCPL.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_NCPL_DRIVER" FriendlyName="" FileName="NCPL.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_NICM_DRIVER" FriendlyName="" FileName="NICM.SYS" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_NSCM_DRIVER" FriendlyName="" FileName="nscm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.1.12.0" />
<FileAttrib ID="ID_FILEATTRIB_PHYSMEM" FriendlyName="Physmem.sys FileAttribute" FileName="physmem.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
@ -421,13 +442,13 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttrib ID="ID_FILEATTRIB_RTKIOW8X64_DRIVER" FriendlyName="" FileName="rtkiow8x64.sys" MinimumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_RTKIOW10X64_DRIVER" FriendlyName="" FileName="rtkiow10x64.sys" MinimumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_RWDRV_DRIVER" FriendlyName="" FileName="RwDrv.sys" MinimumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDBOX_1" FriendlyName="Agnitum sandbox FileAttribute" FileName="sandbox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDBOX_2" FriendlyName="Agnitum SandBox FileAttribute" FileName="SandBox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDBOX_1" FriendlyName="Agnitum sandbox FileAttribute" FileName="sandbox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDBOX_2" FriendlyName="Agnitum SandBox FileAttribute" FileName="SandBox.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65535.65535.65535.65535" />
<FileAttrib ID="ID_FILEATTRIB_SANDRA" FriendlyName="" FileName="SANDRA" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.12.0.0" />
<FileAttrib ID="ID_FILEATTRIB_SANDRA_DRIVER" FriendlyName="" FileName="sandra.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="10.12.0.0" />
<FileAttrib ID="ID_FILEATTRIB_SEGWINDRVX64" FriendlyName="segwindrvx64.sys FileAttribute" FileName="segwindrvx64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="100.0.7.2" />
<FileAttrib ID="ID_FILEATTRIB_TREND_MICRO" FriendlyName="TmComm.sys" FileName="TmComm.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="8.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VBOX" FriendlyName="VBoxDrv.sys FileAttribute" FileName="VBoxDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VBOX" FriendlyName="VBoxDrv.sys FileAttribute" FileName="VBoxDrv.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="3.0.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VIRAGT" FriendlyName="viragt.sys 32-bit" FileName="viragt.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.80.0.0" />
<FileAttrib ID="ID_FILEATTRIB_VIRAGT64" FriendlyName="viragt64.sys" FileName="viragt64.sys" MinimumFileVersion="0.0.0.0" MaximumFileVersion="1.0.0.11" />
<FileAttrib ID="ID_FILEATTRIB_VMDRV" FriendlyName="vmdrv.sys FileAttribute" FileName="vmdrv.sys" MinimumFileVersion="10.0.10011.16384" />
@ -483,7 +504,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttribRef RuleID="ID_FILEATTRIB_ATSZIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_IQVW64" />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_TREND_MICRO" />
@ -525,7 +546,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<CertRoot Type="TBS" Value="041750993D7C9E063F02DFE74699598640911AAB" />
<CertPublisher Value="innotek GmbH" />
</Signer>
<Signer ID="ID_SIGNER_VBOX_ORCALE" Name="VeriSign Class 3 Code Signing 2010 CA">
<Signer ID="ID_SIGNER_VBOX_ORCALE" Name="VeriSign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
<CertPublisher Value="Oracle Corporation" />
<FileAttribRef RuleID="ID_FILEATTRIB_VBOX" />
@ -565,11 +586,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2014" Name="Microsoft Windows Third Party Component CA 2014">
<CertRoot Type="TBS" Value="D8BE9E4D9074088EF818BC6F6FB64955E90378B2754155126FEEBBBD969CF0AE" />
<CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
<FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_BS_RCIO" />
<FileAttribRef RuleID="ID_FILEATTRIB_CPUZ_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_LHA" />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_RTKIO_DRIVER" />
@ -579,7 +600,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileAttribRef RuleID="ID_FILEATTRIB_VIRAGT64" />
<FileAttribRef RuleID="ID_FILEATTRIB_VMDRV" />
</Signer>
<Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2010" Name="Microsoft Third Party Component Windows PCA 2010">
<Signer ID="ID_SIGNER_WINDOWS_3RD_PARTY_2010" Name="Microsoft Third Party Component Windows PCA 2010">
<CertRoot Type="TBS" Value="90C9669670E75989159E6EEF69625EB6AD17CBA6209ED56F5665D55450A05212" />
<CertPublisher Value="Microsoft Windows Hardware Compatibility Publisher" />
<FileAttribRef RuleID="ID_FILEATTRIB_HPPORTIOX64" />
@ -623,7 +644,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<CertRoot Type="TBS" Value="4843A82ED3B1F2BFBEE9671960E1940C942F688D" />
<CertPublisher Value="Novell, Inc." />
<FileAttribRef RuleID="ID_FILEATTRIB_LIBNICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NCPL_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NICM_DRIVER" />
<FileAttribRef RuleID="ID_FILEATTRIB_NSCM_DRIVER" />
</Signer>
@ -702,12 +723,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<CertPublisher Value="Advanced Micro Devices Inc." />
<FileAttribRef RuleID="ID_FILEATTRIB_AMDPP" />
</Signer>
<Signer ID="ID_SIGNER_AGNITUM_2004" Name="VeriSign Class 3 Code Signing 2004 CA">
<Signer ID="ID_SIGNER_AGNITUM_2004" Name="VeriSign Class 3 Code Signing 2004 CA">
<CertRoot Type="TBS" Value="C7FC1727F5B75A6421A1F95C73BBDB23580C48E5" />
<CertPublisher Value="Agnitum Ltd." />
<FileAttribRef RuleID="ID_FILEATTRIB_SANDBOX_2" />
</Signer>
<Signer ID="ID_SIGNER_AGNITUM_2009" Name="VeriSign Class 3 Code Signing 2009-2 CA">
<Signer ID="ID_SIGNER_AGNITUM_2009" Name="VeriSign Class 3 Code Signing 2009-2 CA">
<CertRoot Type="TBS" Value="4CDC38C800761463749C3CBD94A12F32E49877BF" />
<CertPublisher Value="Agnitum Ltd." />
<FileAttribRef RuleID="ID_FILEATTRIB_SANDBOX_1" />
@ -740,19 +761,19 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<Signer ID="ID_SIGNER_JEROMIN_CODY_ERIC" Name="Jeromin Cody Eric">
<CertRoot Type="TBS" Value="dfa6171201b51a2ec174310e8fb9f4c0fde2d365235e589ded0213c5279bea6e" />
</Signer>
<Signer ID="ID_SIGNER_SAASAME" Name="SaaSaMe Ltd.">
<Signer ID="ID_SIGNER_SAASAME" Name="SaaSaMe Ltd.">
<CertRoot Type="TBS" Value="A86DE66D8198E4272859881476A6F9936034A482" />
</Signer>
<Signer ID="ID_SIGNER_NVIDIA_2007" Name="Leaked 2007 NVIDIA Corporation Verisign Class 3 Code Signing 2004 CA">
<Signer ID="ID_SIGNER_NVIDIA_2007" Name="Leaked 2007 NVIDIA Corporation Verisign Class 3 Code Signing 2004 CA">
<CertRoot Type="TBS" Value="80854F578E2A3B5552EA839BA4F98DDFE94B2381" />
</Signer>
<Signer ID="ID_SIGNER_NVIDIA_2011" Name="Leaked 2011 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<Signer ID="ID_SIGNER_NVIDIA_2011" Name="Leaked 2011 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="15C37DBEBE6FCC77108E3D7AD982676D3D5E77F7" />
</Signer>
<Signer ID="ID_SIGNER_NVIDIA_2015" Name="Leaked 2015 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<Signer ID="ID_SIGNER_NVIDIA_2015" Name="Leaked 2015 NVIDIA Corporation Verisign Class 3 Code Signing 2010 CA">
<CertRoot Type="TBS" Value="F049A238763D4A90B148AB10A500F96EBF1DC436" />
</Signer>
<Signer ID="ID_SIGNER_HERMETICWIPER_1" Name="DigiCert Assured ID Code Signing CA-1">
<Signer ID="ID_SIGNER_HERMETICWIPER_1" Name="DigiCert Assured ID Code Signing CA-1">
<CertRoot Type="TBS" Value="47F4B9898631773231B32844EC0D49990AC4EB1E" />
<CertPublisher Value="CHENGDU YIWO Tech Development Co., Ltd." />
</Signer>
@ -774,14 +795,14 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DENIED_VULN_MAL_SIGNERS" FriendlyName="Signers of known vulnerable or malicious drivers">
<ProductSigners>
<DeniedSigners>
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2004" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2009" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010_1" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2004" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2009" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010" />
<DeniedSigner SignerId="ID_SIGNER_AGNITUM_2010_1" />
<DeniedSigner SignerId="ID_SIGNER_AMDPP" />
<DeniedSigner SignerId="ID_SIGNER_CAPCOM" />
<DeniedSigner SignerId="ID_SIGNER_CHEAT_ENGINE" />
<DeniedSigner SignerId="ID_SIGNER_COMODO_IQVW" />
<DeniedSigner SignerId="ID_SIGNER_CHEAT_ENGINE" />
<DeniedSigner SignerId="ID_SIGNER_COMODO_IQVW" />
<DeniedSigner SignerId="ID_SIGNER_ELBY" />
<DeniedSigner SignerId="ID_SIGNER_ENE" />
<DeniedSigner SignerId="ID_SIGNER_DIGICERT_EV" />
@ -794,37 +815,37 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<DeniedSigner SignerId="ID_SIGNER_GEOTRUST_SRL_2010" />
<DeniedSigner SignerId="ID_SIGNER_GLOBALSIGN_TG_SOFT" />
<DeniedSigner SignerId="ID_SIGNER_HANDAN" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_1" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_2" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_3" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_4" />
<DeniedSigner SignerId="ID_SIGNER_HP" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_1" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_2" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_3" />
<DeniedSigner SignerId="ID_SIGNER_HERMETICWIPER_4" />
<DeniedSigner SignerId="ID_SIGNER_HP" />
<DeniedSigner SignerId="ID_SIGNER_INTEL_IQVW" />
<DeniedSigner SignerId="ID_SIGNER_JEROMIN_CODY_ERIC" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_KERNEL_SHA2" />
<DeniedSigner SignerId="ID_SIGNER_MIMIKATZ_USER" />
<DeniedSigner SignerId="ID_SIGNER_NANJING" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2007" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2011" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2015" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2007" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2011" />
<DeniedSigner SignerId="ID_SIGNER_NVIDIA_2015" />
<DeniedSigner SignerId="ID_SIGNER_PHYSMEM" />
<DeniedSigner SignerId="ID_SIGNER_REALTEK" />
<DeniedSigner SignerId="ID_SIGNER_RWEVERY" />
<DeniedSigner SignerId="ID_SIGNER_SAASAME" />
<DeniedSigner SignerId="ID_SIGNER_SAASAME" />
<DeniedSigner SignerId="ID_SIGNER_SANDRA" />
<DeniedSigner SignerId="ID_SIGNER_SANDRA_THAWTE" />
<DeniedSigner SignerId="ID_SIGNER_SPEEDFAN" />
<DeniedSigner SignerId="ID_SIGNER_SYMANTEC_CLASS_3" />
<DeniedSigner SignerId="ID_SIGNER_TRUST_ASIA" />
<DeniedSigner SignerId="ID_SIGNER_VBOX" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_ORCALE" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_SUN" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_ORCALE" />
<DeniedSigner SignerId="ID_SIGNER_VBOX_SUN" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2004" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2004_BIOSTAR" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009_BIOSTAR" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009_REALTEK" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2009_REALTEK" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2010" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2010_2" />
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_2010_BIOSTAR" />
@ -884,7 +905,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA256" />
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA1_PAGE" />
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA256_PAGE" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA1_PAGE" />
<FileRuleRef RuleID="ID_DENY_BS_RCIO64_SHA256_PAGE" />
@ -988,17 +1009,17 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileRuleRef RuleID="ID_DENY_DIRECTIO_3A" />
<FileRuleRef RuleID="ID_DENY_DIRECTIO_3B" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_1" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_1" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_PAGE_1" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_PAGE_1" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_1" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_PAGE_1" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_PAGE_1" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_2" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_2" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_PAGE_2" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_PAGE_2" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_2" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_PAGE_2" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_PAGE_2" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_3" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_3" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_4" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_4" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_3" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA1_4" />
<FileRuleRef RuleID="ID_DENY_MSIO_SHA256_4" />
<FileRuleRef RuleID="ID_DENY_PIDDRV_SHA1" />
<FileRuleRef RuleID="ID_DENY_PIDDRV_SHA256" />
<FileRuleRef RuleID="ID_DENY_PIDDRV_SHA1_PAGE" />
@ -1166,11 +1187,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
<FileRuleRef RuleID="ID_DENY_PROCESSHACKER"/>
<FileRuleRef RuleID="ID_DENY_AMP"/>
<FileRuleRef RuleID="ID_DENY_ASMMAP"/>
<FileRuleRef RuleID="ID_DENY_ASMMAP_64"/>
<FileRuleRef RuleID="ID_DENY_ASMMAP_64"/>
<FileRuleRef RuleID="ID_DENY_PHYMEMX_64"/>
<FileRuleRef RuleID="ID_DENY_DBK_32"/>
<FileRuleRef RuleID="ID_DENY_DBK_64"/>
</FileRulesRef>
</FileRulesRef>
</ProductSigners>
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="">
@ -1198,8 +1219,11 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-
</Settings>
</SiPolicy>
```
<br />
</details>
> [!NOTE]
> The policy listed above contains **Allow All** rules. Microsoft recommends deploying this policy alongside an existing WDAC policy instead of merging it with the existing policy. If you must use a single policy, remove the **Allow All** rules before merging it with the existing policy. For more information, see [Create a WDAC Deny Policy](create-wdac-deny-policy.md#single-policy-considerations).
## More information

28
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -22,9 +22,9 @@ ms.technology: windows-sec
**Applies to:**
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows 10
- Windows 11
- Windows Server 2016 and above
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
@ -70,7 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes).<br/> NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
| **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
| **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsofts Intelligent Security Graph (ISG). | Yes |
| **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft's Intelligent Security Graph (ISG). | Yes |
| **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| No |
| **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot.<br/> NOTE: This option is only supported on Windows 10, version 1709 and above.| No |
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it.<br/> NOTE: This option is only supported on Windows 10, version 1903 and above. | No |
@ -88,12 +88,12 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This level is the most specific level, and requires more effort to maintain the current product versions' hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. FilePath rules only apply to user mode binaries and can't be used to allow kernel mode drivers. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **FilePublisher** | This level combines the "FileName" attribute of the signed file, plus "Publisher" (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. When this level is used, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
| **RootCertificate** | Currently unsupported. |
@ -105,9 +105,17 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
> When you create Windows Defender Application Control policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
>
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
> - The code uses CN for the CertSubject and CertIssuer fields in the policy. You can use the inbox certutil to look at the underlying format to ensure UTF-8 is not being used for the CN. For example, you can use printable string, IA5, or BMP.
> [!NOTE]
> When applicable, minimum and maximum version numbers in a file rule are referenced as MinimumFileVersion and MaximumFileVersion respectively in the policy XML.
>
> - Both MinimumFileVersion and MaximumFileVersion specified: For Allow rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are allowed. For Deny rules, file with version **greater than or equal** to MinimumFileVersion and **less than or equal** to MaximumFileVersion are denied.
> - MinimumFileVersion specified without MaximumFileVersion: For Allow rules, file with version **greater than or equal** to the specified version are allowed to run. For Deny rules, file with version **less than or equal** to the specified version are blocked.
> - MaximumFileVersion specified without MinimumFileVersion: For Allow rules, file with version **less than or equal** to the specified version are allowed to run. For Deny rules, file with version **greater than or equal** to the specified version are blocked.
## Example of file rule levels in use
For example, consider an IT professional in a department that runs many servers. They only want to run software signed by the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
@ -149,20 +157,20 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
## More information about hashes
WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file doesn't change when the file is re-signed or timestamped, or the digital signature is removed from the file. With the help of the Authenticode hash, WDAC provides added security and less management overhead so customers don't need to revise the policy hash rules when the digital signature on the file is updated.
The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
The Authenticode/PE image hash can be calculated for digitally signed and unsigned files.
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
During validation, CI will choose which hashes to calculate, depending on how the file is signed. For example, if the file is page-hash signed the entire file wouldn't get paged in to do a full sha256 authenticode, and we would just match using the first page hash.
In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesnt result in a different hash than what was in the policy being used by CI.
In the cmdlets, rather than try to predict which hash CI will use, we pre-calculate and use the four hashes (sha1/sha2 authenticode, and sha1/sha2 of first page). This method is also resilient, if the signing status of the file changes and necessary for deny rules to ensure that changing/stripping the signature doesn't result in a different hash than what was in the policy being used by CI.
### Why does scan create eight hash rules for certain XML files?
Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI cant always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
Separate rules are created for UMCI and KMCI. In some cases, files that are purely user-mode or purely kernel-mode may still generate both sets, since CI can't always precisely determine what is purely user vs. kernel mode, and errs on the side of caution.
## Windows Defender Application Control filename rules

19
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -46,15 +46,24 @@ Windows 10 and Windows 11 include two technologies that can be used for applicat
- **Windows Defender Application Control (WDAC)**; and
- **AppLocker**
## In this section
## WDAC and Smart App Control
| Article | Description |
| --- | --- |
| [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) | This article describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
| [WDAC and AppLocker Feature Availability](feature-availability.md) | This article lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
Starting in Windows 11 version 22H2, [Smart App Control](https://support.microsoft.com/topic/what-is-smart-app-control-285ea03d-fa88-4d56-882e-6698afdb7003) provides application control for consumers. Smart App Control is based on WDAC, allowing enterprise customers to create a policy that offers the same security and compatibility with the ability to customize it to run line-of-business (LOB) apps. To make it easier to implement this policy, an [example policy](example-wdac-base-policies.md) is provided. The example policy includes **Enabled:Conditional Windows Lockdown Policy** rule which isn't supported for WDAC enterprise policies. This rule must be removed before you use the example policy. To use this example policy as a starting point for creating your own policy, see [Create a custom base policy using an example WDAC base policy](create-wdac-policy-for-lightly-managed-devices.md#create-a-custom-base-policy-using-an-example-wdac-base-policy).
Smart App Control is only available on clean installation of Windows 11 version 22H2 or later, and starts in evaluation mode. Smart App Control will automatically turn off for enterprise managed devices unless the user has turned it on first. To turn Smart App Control on or off across your organization's endpoints, you can set the **VerifiedAndReputablePolicyState** (DWORD) registry value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy` to one of the values listed below. After you change the registry value, you must either restart the device or run [RefreshPolicy.exe](https://www.microsoft.com/download/details.aspx?id=102925) for the change to take effect.
| Value | Description |
|-------|-------------|
| 0 | Off |
| 1 | Enforce |
| 2 | Evaluation |
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)

2
windows/whats-new/TOC.yml
View File

@ -11,6 +11,8 @@
href: windows-11-plan.md
- name: Prepare for Windows 11
href: windows-11-prepare.md
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
- name: Windows 10
expanded: true
items:

BIN
windows/whats-new/images/windows-11-whats-new/windows-11-22h2-snap-layouts.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.1 KiB

2
windows/whats-new/ltsc/whats-new-windows-10-2019.md
View File

@ -362,7 +362,7 @@ For more information about Update Compliance, see [Monitor Windows Updates with
### Accessibility
"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in [What's new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/).
### Privacy

2
windows/whats-new/whats-new-windows-10-version-1803.md
View File

@ -155,7 +155,7 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
### Accessibility
"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [Whats new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](/windows/configuration/windows-accessibility-for-itpros). Also see the accessibility section in the [Whats new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post.
### Privacy

120
windows/whats-new/whats-new-windows-11-version-22H2.md Normal file
View File

@ -0,0 +1,120 @@
---
title: What's new in Windows 11, version 22H2 for IT pros
description: Learn more about what's new in Windows 11 version 21H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
manager: dougeby
ms.prod: w10
ms.author: mstewart
author: mestew
ms.localizationpriority: medium
ms.topic: article
ms.collection: highpri
ms.custom: intro-overview
---
# What's new in Windows 11, version 22H2
**Applies to**: Windows 11, version 22H2
<!--6681501-->
Windows 11, version 22H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 21H2, the original Windows 11 release version. This article lists the new and updated features IT Pros should know.
Windows 11, version 22H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
- **Windows 11 Professional**: Serviced for 24 months from the release date.
- **Windows 11 Enterprise**: Serviced for 36 months from the release date.
Windows 11, version 22H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 22H2 update](https://aka.ms/W11/how-to-get-22H2). Review the [Windows 11, version 22H2 Windows IT Pro blog post](https://aka.ms/new-in-22H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
To learn more about the status of the update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
## Microsoft Pluton
<!--6286417 -->
Microsoft Pluton security processor is a chip-to-cloud security technology built with Zero Trust principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem, which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
For more information, see [Microsoft Pluton security processor](/windows/security/information-protection/pluton/microsoft-pluton-security-processor).
## Enhanced Phishing Protection
<!--6286059, 6063796-->
**Enhanced Phishing Protection** in **Microsoft Defender SmartScreen** helps protect Microsoft school or work passwords against phishing and unsafe usage on websites and in applications. Enhanced Phishing Protection works alongside Windows security protections to help protect Windows 11 work or school sign-in passwords.
For more information, see [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) and [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog.
## Smart App Control
<!-- 6286281-->
**Smart App Control** adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. **Smart App Control** also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md#wdac-and-smart-app-control).
## Credential Guard
<!--6289166-->
Compatible Windows 11 Enterprise version 22H2 devices will have **Windows Defender Credential Guard** turned on by default. This changes the default state of the feature in Windows, though system administrators can still modify this enablement state.
For more information, see [Manage Windows Defender Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard-manage).
## Malicious and vulnerable driver blocking
<!--6286432-->
The vulnerable driver blocklist is automatically enabled on devices for the following two new conditions:
- When Smart App Control is enabled
- For clean installs of Windows
For more information, see [recommended block rules](/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules#microsoft-vulnerable-driver-blocklist).
## Security hardening and threat protection
<!--6289245-->
Windows 11, version 22H2 supports additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials.
For more information, see [Configuring Additional LSA Protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json).
## Personal Data Encryption
<!--5963468 -->
Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker.
PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to files. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business.
For more information, see [Personal Data Encryption](/windows/security/information-protection/personal-data-encryption/overview-pde).
## WebAuthn APIs support ECC
<!--6021798-->
Elliptic-curve cryptography (ECC) is now supported by WebAuthn APIs for Windows 11, version 22H2 clients.
For more information, see [WebAuthn APIs for passwordless authentication on Windows](/windows/security/identity-protection/hello-for-business/webauthn-apis).
## Stickers for Windows 11 SE, version 22H2
<!--6286248-->
Starting in Windows 11 SE, version 22H2, **Stickers** is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
For more information, see [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers).
## Education themes
<!--6286248-->
Starting in Windows 11, version 22H2, you can deploy education themes to your devices. The education themes are designed for students using devices in a school. Themes allow the end user to quickly configure the look and feel of the device, with preset wallpaper, accent color, and other settings. Students can choose their own themes, making it feel the device is their own.
For more information, see [Configure education themes for Windows 11](/education/windows/edu-themes).
## Windows Update notifications
<!--6286260 -->
The following items were added for Windows Update notifications:
- You can now block user notifications for Windows Updates during active hours. This setting is especially useful for educational organizations that want to prevent Windows Update notifications from occurring during class time. For more information, see [Control restart notifications](/windows/deployment/update/waas-restart#control-restart-notifications).
- The organization name now appears in the Windows Update notifications when Windows clients are associated with an Azure Active Directory tenant. For more information, see [Display organization name in Windows Update notifications](/windows/deployment/update/waas-wu-settings#bkmk_display-name).
## Start menu layout
<!--6286095-->
Windows 11, version 22H2 now supports additional CSPs for customizing the start menu layout. These CSPs allow you to hide the app list and disable context menus.
For more information, see [Supported configuration service provider (CSP) policies for Windows 11 Start menu](/windows/configuration/supported-csp-start-menu-layout-windows#existing-windows-csp-policies-that-windows-11-supports).
## Improvements to task manager
<!--6294316-->
- A new command bar was added to each page to give access to common actions
- Task Manager will automatically match the system wide theme configured in **Windows Settings**
- Added an efficiency mode that allows you to limit the resource usage of a process
- Updated the user experience for Task Manager
## Windows accessibility
<!--6294246 -->
Windows 11, version 22H2, includes additional improvements for people with disabilities: system-wide live captions, Focus sessions, voice access, and more natural voices for Narrator. For more information, see [New accessibility features coming to Windows 11](https://blogs.windows.com/windowsexperience/2022/05/10/new-accessibility-features-coming-to-windows-11/) and [How inclusion drives innovation in Windows 11](https://blogs.windows.com/windowsexperience/?p=177554).
For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-10-accessibility-for-itpros).

18
windows/whats-new/windows-11-overview.md
View File

@ -2,12 +2,14 @@
title: Windows 11 overview for administrators
description: Learn more about Windows 11. Read about the features IT professionals and administrators should know about Windows 11, including security, using apps, using Android apps, the new desktop, and deploying and servicing PCs.
ms.reviewer:
manager: dougeby
author: aczechowski
ms.author: aaroncz
ms.prod: w10
manager: aaroncz
author: mestew
ms.author: mstewart
ms.prod: windows-client
ms.date: 09/20/2022
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: article
ms.topic: overview
ms.collection: highpri
ms.custom: intro-overview
---
@ -100,6 +102,12 @@ For more information on the security features you can configure, manage, and enf
You can also add Snap Layouts to apps your organization creates. For more information, see [Support snap layouts for desktop apps on Windows 11](/windows/apps/desktop/modernize/apply-snap-layout-menu).
Starting in Windows 11, version 22H2, you can also activate snap layouts by dragging a window to the top of the screen. The feature is available for both mouse and touch.<!-- MAX 6294246, OS 32513582 -->
:::image type="content" source="images/windows-11-whats-new/windows-11-22h2-snap-layouts.png" alt-text="In Windows 11, version 22H2, activate snap layouts by dragging a window to the top of the screen.":::
For more information on the end-user experience, see [Snap your windows](https://support.microsoft.com/windows/snap-your-windows-885a9b1e-a983-a3b1-16cd-c531795e6241).
- **Start menu**: The Start menu includes some apps that are pinned by default. You can customize the Start menu layout by pinning (and unpinning) the apps you want. For example, you can pin commonly used apps in your organization, such as Outlook, Microsoft Teams, apps your organization creates, and more.
Using policy, you can deploy your customized Start menu layout to devices in your organization. For more information, see [Customize the Start menu layout on Windows 11](/windows/configuration/customize-start-menu-layout-windows-11).