diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index deb2888417..f4d8be3a0a 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -30,10 +30,10 @@ If your changes are extensive: --> \ No newline at end of file +- [Microsoft Docs contributor guide](https://learn.microsoft.com/contribute/) +- [Docs Markdown reference](https://learn.microsoft.com/contribute/markdown-reference) +- [Microsoft Writing Style Guide](https://learn.microsoft.com/style-guide/welcome/) +--> diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 811fd84480..e7397c36cc 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,8 +1,6 @@ # Editing Windows IT professional documentation -Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our docs. -This page covers the basic steps for editing our technical documentation. -For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://learn.microsoft.com/contribute/). +Thank you for your interest in the Windows IT professional documentation! We appreciate your feedback, edits, and additions to our content. This page covers the basic steps for editing our technical documentation. For a more up-to-date and complete contribution guide, see the main [contributor guide overview](https://learn.microsoft.com/contribute/). ## Sign a CLA @@ -19,7 +17,7 @@ We've tried to make editing an existing, public file as simple as possible. ### To edit a topic -1. Browse to the [Microsoft Docs](https://learn.microsoft.com/) article that you want to update. +1. Browse to the [Microsoft Learn](https://learn.microsoft.com/) article that you want to update. > **Note**
> If you're a Microsoft employee or vendor, before you edit the article, append `review.` to the beginning of the URL. This action lets you use the private repository, **windows-docs-pr**. For more information, see the [internal contributor guide](https://review.learn.microsoft.com/help/get-started/edit-article-in-github?branch=main). @@ -65,8 +63,7 @@ We've tried to make editing an existing, public file as simple as possible. ## Making more substantial changes -To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content. -For info about creating a fork or clone, see [Set up a local Git repository](https://learn.microsoft.com/contribute/get-started-setup-local). The GitHub docs topic, [Fork a Repo](https://docs.github.com/articles/fork-a-repo), is also insightful. +To make substantial changes to an existing article, add or change images, or contribute a new article, you'll need to create a local clone of the content. For information about creating a fork or clone, see [Set up a local Git repository](https://learn.microsoft.com/contribute/get-started-setup-local). The [Fork a Repo](https://docs.github.com/articles/fork-a-repo) article is also helpful. Fork the official repo into your personal GitHub account, and then clone the fork down to your local device. Work locally, then push your changes back into your fork. Finally, open a pull request back to the main branch of the official repo. diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index 83d51cf7f0..f52e815de7 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -26,6 +26,7 @@ "recommendations": true, "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", + "ms.topic": "article", "feedback_system": "None", "hideEdit": true, "_op_documentIdPathDepotMapping": { 
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 2aa19b0474..f524db0125 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -100,7 +100,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | Duo from Cisco | 2.25.0 | Win32 | Cisco | | e-Speaking Voice and Speech recognition | 4.4.0.8 | Win32 | e-speaking | | eTests | 4.0.25 | Win32 | CASAS | -| FortiClient | 7.0.1.0083 | Win32 | Fortinet | +| FortiClient | 7.2.0.4034+ | Win32 | Fortinet | | Free NaturalReader | 16.1.2 | Win32 | Natural Soft | | Ghotit Real Writer & Reader | 10.14.2.3 | Win32 | Ghotit Ltd | | GoGuardian | 1.4.4 | Win32 | GoGuardian | diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index b61fb4f87e..e0eb4e127d 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -44,9 +44,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | | | | | | + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809| + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | | | | | | --- @@ -54,9 +54,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -64,9 +64,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | Use Settings App | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | Use Settings App | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -74,9 +74,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -84,9 +84,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -94,19 +94,29 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- + +- [HEVC Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEVCVideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEVCVideoExtension + - Supported versions: + + --- + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️||||||| + + --- - [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| --- @@ -114,9 +124,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -124,9 +134,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -134,9 +144,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -144,9 +154,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -154,9 +164,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -164,9 +174,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -174,9 +184,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + | ✔️ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -184,9 +194,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| --- @@ -194,9 +204,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | | ✔️ | ✔️| | ✔️| | | + | Uninstall through UI? | 22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + | --- | --- | --- | --- | --- | --- | --- |--- | + |️ | ✔️ | ✔️ | ✔️|️ | ✔️|️️| --- 
@@ -204,9 +214,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -214,9 +224,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️| | ✔️| ✔️| ✔️| --- @@ -224,9 +234,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -234,9 +244,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -244,9 +254,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -254,9 +264,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -264,9 +274,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -274,9 +284,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -284,9 +294,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -294,9 +304,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -304,9 +314,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -314,9 +324,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -324,9 +334,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -334,9 +344,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -344,9 +354,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -354,9 +364,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -364,9 +374,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -374,9 +384,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -386,9 +396,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -396,9 +406,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -406,9 +416,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -416,9 +426,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -426,9 +436,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -436,9 +446,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- 
@@ -446,9 +456,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -456,9 +466,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- @@ -466,8 +476,8 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | - | --- | --- | --- | --- | --- | --- |--- | - | ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️| + | Uninstall through UI? |22H2| 21H1 | 20H2 | 2004 | 1909| 1903| 1809 | + |---| --- | --- | --- | --- | --- | --- |--- | + | ❌ | ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️| --- diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 9f828bd150..d3f9eb80c2 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -44,3 +44,6 @@ You can use the same management tools to manage all device types running Windows [Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) [Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) + +Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/) + 
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 5eb4a605e5..6f50b43ffa 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -8,7 +8,7 @@ ms.technology: windows author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 02/12/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz --- @@ -18,7 +18,7 @@ manager: aaroncz
-## Search policies +## Search policies
@@ -75,7 +75,7 @@ manager: aaroncz
-**Search/AllowCloudSearch** +**Search/AllowCloudSearch** @@ -105,7 +105,7 @@ Allow Search and Cortana to search cloud sources like OneDrive and SharePoint. T -ADMX Info: +ADMX Info: - GP Friendly name: *Allow Cloud Search* - GP name: *AllowCloudSearch* - GP element: *AllowCloudSearch_Dropdown* @@ -125,7 +125,7 @@ The following list shows the supported values:
-**Search/AllowCortanaInAAD** +**Search/AllowCortanaInAAD** @@ -155,7 +155,7 @@ This policy allows the cortana opt-in page during windows setup out of the box e -ADMX Info: +ADMX Info: - GP Friendly name: *Allow Cloud Search* - GP name: *AllowCortanaInAAD* - GP element: *AllowCloudSearch_Dropdown* @@ -174,7 +174,7 @@ This value is a simple boolean value, default false, that can be set by MDM poli
-**Search/AllowFindMyFiles** +**Search/AllowFindMyFiles** @@ -204,7 +204,7 @@ Controls if the user can configure search to Find My Files mode, which searches -ADMX Info: +ADMX Info: - GP Friendly name: *Allow Find My Files* - GP name: *AllowFindMyFiles* - GP path: *Computer Configuration/Administrative Templates/Windows Components/Search* @@ -212,7 +212,7 @@ ADMX Info: -The following list shows the supported values: +The following list shows the supported values: - 1 (Default) - Find My Files feature can be toggled (still off by default), and the settings UI is present. - 0 - Find My Files feature is turned off completely, and the settings UI is disabled. @@ -229,7 +229,7 @@ The following list shows the supported values:
-**Search/AllowIndexingEncryptedStoresOrItems** +**Search/AllowIndexingEncryptedStoresOrItems** @@ -265,7 +265,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP Friendly name: *Allow indexing of encrypted files* - GP name: *AllowIndexingEncryptedStoresOrItems* - GP path: *Windows Components/Search* @@ -284,7 +284,7 @@ The following list shows the supported values:
-**Search/AllowSearchToUseLocation** +**Search/AllowSearchToUseLocation** @@ -316,7 +316,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP Friendly name: *Allow search and Cortana to use location* - GP name: *AllowSearchToUseLocation* - GP path: *Windows Components/Search* @@ -335,7 +335,7 @@ The following list shows the supported values:
-**Search/AllowSearchHighlights** +**Search/AllowSearchHighlights** @@ -364,11 +364,11 @@ The following list shows the supported values: This policy controls whether search highlights are shown in the search box or in search home. - If you enable this policy setting, then this setting turns on search highlights in the search box or in the search home. -- If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home. +- If you disable this policy setting, then this setting turns off search highlights in the search box or in the search home. -ADMX Info: +ADMX Info: - GP Friendly name: *Allow search and highlights* - GP name: *AllowSearchHighlights* - GP path: *Windows Components/Search* @@ -378,15 +378,13 @@ ADMX Info: The following list shows the supported values in Windows 10: -- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. - -- Disabled – Disabling this setting turns off search highlights in the taskbar search box and in search home. +- 1 (default) - Enabling or not configuring this setting turns on search highlights in the taskbar search box and in search home. +- 0 - Disabling this setting turns off search highlights in the taskbar search box and in search home. The following list shows the supported values in Windows 11: -- Not Configured/ Enabled (default) – Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. - -- Disabled – Disabling this setting turns off search highlights in the start menu search box and in search home. +- 1 (default) - Enabling or not configuring this setting turns on search highlights in the start menu search box and in search home. +- 0 - Disabling this setting turns off search highlights in the start menu search box and in search home. 
@@ -394,7 +392,7 @@ The following list shows the supported values in Windows 11:
-**Search/AllowStoringImagesFromVisionSearch** +**Search/AllowStoringImagesFromVisionSearch** This policy has been deprecated. @@ -405,7 +403,7 @@ This policy has been deprecated.
-**Search/AllowUsingDiacritics** +**Search/AllowUsingDiacritics** @@ -437,7 +435,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP Friendly name: *Allow use of diacritics* - GP name: *AllowUsingDiacritics* - GP path: *Windows Components/Search* @@ -456,7 +454,7 @@ The following list shows the supported values:
-**Search/AllowWindowsIndexer** +**Search/AllowWindowsIndexer** @@ -490,7 +488,7 @@ Allow Windows indexer. Supported value type is integer.
-**Search/AlwaysUseAutoLangDetection** +**Search/AlwaysUseAutoLangDetection** @@ -522,7 +520,7 @@ Most restricted value is 0. -ADMX Info: +ADMX Info: - GP Friendly name: *Always use automatic language detection when indexing content and properties* - GP name: *AlwaysUseAutoLangDetection* - GP path: *Windows Components/Search* @@ -541,7 +539,7 @@ The following list shows the supported values:
-**Search/DisableBackoff** +**Search/DisableBackoff** @@ -571,7 +569,7 @@ If enabled, the search indexer backoff feature will be disabled. Indexing will c -ADMX Info: +ADMX Info: - GP Friendly name: *Disable indexer backoff* - GP name: *DisableBackoff* - GP path: *Windows Components/Search* @@ -590,7 +588,7 @@ The following list shows the supported values:
-**Search/DisableRemovableDriveIndexing** +**Search/DisableRemovableDriveIndexing** @@ -624,7 +622,7 @@ If you disable or don't configure this policy setting, locations on removable dr -ADMX Info: +ADMX Info: - GP Friendly name: *Do not allow locations on removable drives to be added to libraries* - GP name: *DisableRemovableDriveIndexing* - GP path: *Windows Components/Search* @@ -643,7 +641,7 @@ The following list shows the supported values:
-**Search/DisableSearch** +**Search/DisableSearch** @@ -674,7 +672,7 @@ It removes the Search button from the Taskbar and the corresponding option in th -ADMX Info: +ADMX Info: - GP Friendly name: *Fully disable Search UI* - GP name: *DisableSearch* @@ -694,7 +692,7 @@ The following list shows the supported values:
-**Search/DoNotUseWebResults** +**Search/DoNotUseWebResults** @@ -730,7 +728,7 @@ This policy setting allows you to control whether or not Search can perform quer -ADMX Info: +ADMX Info: - GP Friendly name: *Don't search the web or display web results in Search* - GP name: *DoNotUseWebResults* - GP path: *Windows Components/Search* @@ -749,7 +747,7 @@ The following list shows the supported values:
-**Search/PreventIndexingLowDiskSpaceMB** +**Search/PreventIndexingLowDiskSpaceMB** @@ -783,7 +781,7 @@ When this policy is disabled or not configured, Windows Desktop Search automatic -ADMX Info: +ADMX Info: - GP Friendly name: *Stop indexing in the event of limited hard drive space* - GP name: *StopIndexingOnLimitedHardDriveSpace* - GP path: *Windows Components/Search* @@ -802,7 +800,7 @@ The following list shows the supported values:
-**Search/PreventRemoteQueries** +**Search/PreventRemoteQueries** @@ -832,7 +830,7 @@ If enabled, clients will be unable to query this computer's index remotely. Thus -ADMX Info: +ADMX Info: - GP Friendly name: *Prevent clients from querying the index remotely* - GP name: *PreventRemoteQueries* - GP path: *Windows Components/Search* diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md index bd8d22ec50..5dc80b41a1 100644 --- a/windows/client-management/mdm/policy-csp-webthreatdefense.md +++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md @@ -8,7 +8,7 @@ ms.technology: windows author: alekyaj ms.localizationpriority: medium ms.date: 09/27/2019 -ms.reviewer: +ms.reviewer: manager: aaroncz --- @@ -18,7 +18,7 @@ manager: aaroncz
-## WebThreatDefense policies +## WebThreatDefense policies
@@ -39,7 +39,7 @@ manager: aaroncz >In Microsoft Intune, this CSP is under the “Enhanced Phishing Protection” category. -**WebThreatDefense/EnableService** +**WebThreatDefense/EnableService** @@ -48,7 +48,7 @@ manager: aaroncz |Home|No|No| |Pro|No|No| |Windows SE|No|Yes| -|Business|No|Yes| +|Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| @@ -66,7 +66,7 @@ manager: aaroncz -This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender. +This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. When in audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender. If you enable this policy setting or don’t configure this setting, Enhanced Phishing Protection is enabled in audit mode, and your users are unable to turn it off. @@ -74,7 +74,7 @@ If you disable this policy setting, Enhanced Phishing Protection is off. When of -ADMX Info: +ADMX Info: - GP Friendly name: *Configure Web Threat Defense* - GP name: *EnableWebThreatDefenseService* - GP path: *Windows Security\App & browser control\Reputation-based protection\Phishing protections* @@ -94,7 +94,7 @@ The following list shows the supported values:
-**WebThreatDefense/NotifyMalicious** +**WebThreatDefense/NotifyMalicious** @@ -103,7 +103,7 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Windows SE|No|Yes| -|Business|No|Yes| +|Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| @@ -139,7 +139,7 @@ The following list shows the supported values:
-**WebThreatDefense/NotifyPasswordReuse** +**WebThreatDefense/NotifyPasswordReuse** @@ -148,7 +148,7 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Windows SE|No|Yes| -|Business|No|Yes| +|Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| @@ -185,7 +185,7 @@ The following list shows the supported values:
-**WebThreatDefense/NotifyUnsafeApp** +**WebThreatDefense/NotifyUnsafeApp** @@ -194,7 +194,7 @@ The following list shows the supported values: |Home|No|No| |Pro|No|No| |Windows SE|No|Yes| -|Business|No|Yes| +|Business|No|No| |Enterprise|No|Yes| |Education|No|Yes| @@ -216,13 +216,13 @@ This policy setting determines whether Enhanced Phishing Protection warns your u If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in text editor apps. -If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps. +If you disable or don’t configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in text editor apps. The following list shows the supported values: - 0: Turns off Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps like OneNote, Word, Notepad, etc. -- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps. +- 1: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in text editor apps. diff --git a/windows/configuration/windows-accessibility-for-ITPros.md b/windows/configuration/windows-accessibility-for-ITPros.md index 38c0ed6030..cbd0e23756 100644 --- a/windows/configuration/windows-accessibility-for-ITPros.md +++ b/windows/configuration/windows-accessibility-for-ITPros.md 
@@ -63,6 +63,8 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy ## Hearing +- [Use live captions to better understand audio](https://support.microsoft.com/windows/use-live-captions-to-better-understand-audio-b52da59c-14b8-4031-aeeb-f6a47e6055df). Use Windows 11, version 22H2 or later to better understand any spoken audio with real time captions. + - [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said. - [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you. diff --git a/windows/deployment/images/before.png b/windows/deployment/images/before.png deleted file mode 100644 index 1a50878670..0000000000 Binary files a/windows/deployment/images/before.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa1.png b/windows/deployment/images/sa-mfa1.png deleted file mode 100644 index 045e5a7794..0000000000 Binary files a/windows/deployment/images/sa-mfa1.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa2.png b/windows/deployment/images/sa-mfa2.png deleted file mode 100644 index 1964a7b263..0000000000 Binary files a/windows/deployment/images/sa-mfa2.png and /dev/null differ diff --git a/windows/deployment/images/sa-mfa3.png b/windows/deployment/images/sa-mfa3.png deleted file mode 100644 index 8987eac97b..0000000000 Binary files a/windows/deployment/images/sa-mfa3.png and /dev/null differ diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml index 5da61c2f9a..a7dbbcc6f0 100644 --- a/windows/deployment/index.yml +++ b/windows/deployment/index.yml 
@@ -95,7 +95,7 @@ landingContent: url: /microsoftteams/faq-support-remote-workforce # Card (optional) - - title: Microsoft Learn + - title: Microsoft Learn training linkLists: - linkListType: learn links: diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md index cbcb7c8acb..a865459e80 100644 --- a/windows/deployment/update/check-release-health.md +++ b/windows/deployment/update/check-release-health.md 
@@ -106,11 +106,12 @@ A list of all status updates posted in the selected timeframe will be displayed, - **Where do I find Windows release health?** After logging into Microsoft 365 admin center, expand the left-hand menu using **…Show All**, select **Health** and you'll see **Windows release health**. -- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Docs.microsoft.com?** - No. While the content is similar, you may see more issues and technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you'll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis. + +- **Is the Windows release health content published to Microsoft 365 admin center the same as the content on Windows release health on Microsoft Learn?** + No. While the content is similar, you may see more issues and more technical details published to Windows release health on Microsoft 365 admin center to better support the IT admin. For example, you’ll find details to help you diagnose issues in your environment, steps to mitigate issues, and root cause analysis. - **How often will content be updated?** - To ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Docs.microsoft.com and the Microsoft 365 admin center. We may also update the details available for Windows release health in the Microsoft 365 admin center when we have more details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment. + In an effort to ensure Windows customers have important information as soon as possible, all major known issues will be shared with Windows customers on both Microsoft Learn and the Microsoft 365 admin center. 
We may also update the details available for Windows release health in the Microsoft 365 admin center when we have additional details on workarounds, root cause, or other information to help you plan for updates and handle issues in your environment. - **Can I share this content publicly or with other Windows customers?** Windows release health is provided to you as a licensed Windows customer and isn't to be shared publicly. diff --git a/windows/deployment/update/update-compliance-v2-help.md b/windows/deployment/update/update-compliance-v2-help.md index e1fccf14ec..cbdbab10e9 100644 --- a/windows/deployment/update/update-compliance-v2-help.md +++ b/windows/deployment/update/update-compliance-v2-help.md 
@@ -64,9 +64,9 @@ You can open support requests directly from the Azure portal. If the **Help + S Select the **Feedback** link in the upper right of any article to go to the Feedback section at the bottom. Feedback is integrated with GitHub Issues. For more information about this integration with GitHub Issues, see the [docs platform blog post](/teamblog/a-new-feedback-system-is-coming-to-docs). -:::image type="content" source="media/docs-feedback.png" alt-text="Screenshot of the feedback section on a docs article."::: +:::image type="content" source="media/docs-feedback.png" alt-text="Screenshot of the feedback section of a Microsoft Learn page."::: -To share docs feedback about the current article, select **This page**. A [GitHub account](https://github.com/join) is a prerequisite for providing documentation feedback. Once you sign in, there's a one-time authorization for the MicrosoftDocs organization. It then opens the GitHub new issue form. Add a descriptive title and detailed feedback in the body, but don't modify the document details section. Then select **Submit new issue** to file a new issue for the target article in the [Windows-ITPro-docs GitHub repository](https://github.com/MicrosoftDocs/windows-itpro-docs/issues). +To share feedback about the current article, select **This page**. A [GitHub account](https://github.com/join) is a prerequisite for providing documentation feedback. Once you sign in, there's a one-time authorization for the MicrosoftDocs organization. It then opens the GitHub new issue form. Add a descriptive title and detailed feedback in the body, but don't modify the document details section. Then select **Submit new issue** to file a new issue for the target article in the [Windows-ITPro-docs GitHub repository](https://github.com/MicrosoftDocs/windows-itpro-docs/issues). To see whether there's already feedback for this article, select **View all page feedback**. This action opens a GitHub issue query for this article. 
By default it displays both open and closed issues. Review any existing feedback before you submit a new issue. If you find a related issue, select the face icon to add a reaction, add a comment to the thread, or **Subscribe** to receive notifications. @@ -86,7 +86,7 @@ If you create an issue for something not related to documentation, Microsoft wil - [Product questions (using Microsoft Q&A)](/answers/products/) - [Support requests](#open-a-microsoft-support-case) for Update Compliance -To share feedback about the Microsoft Docs platform, see [Microsoft Docs feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. +To share feedback about the Microsoft Learn platform, see [Microsoft Learn feedback](https://aka.ms/sitefeedback). The platform includes all of the wrapper components such as the header, table of contents, and right menu. Also how the articles render in the browser, such as the font, alert boxes, and page anchors. ## Troubleshooting tips diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index 87590d77a7..187ec9c7c0 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md 
@@ -1,150 +1,165 @@ --- -title: Configure VDA for Windows 10/11 Subscription Activation +title: Configure VDA for Windows subscription activation +description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario. ms.reviewer: manager: dougeby ms.author: aaroncz author: aczechowski -description: Learn how to configure virtual machines (VMs) to enable Windows 10 Subscription Activation in a Windows Virtual Desktop Access (VDA) scenario. ms.custom: seo-marvel-apr2020 -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium -ms.topic: article +ms.topic: how-to ms.collection: M365-modern-desktop +ms.date: 09/26/2022 --- -# Configure VDA for Windows 10/11 Subscription Activation +# Configure VDA for Windows subscription activation Applies to: + - Windows 10 - Windows 11 -This document describes how to configure virtual machines (VMs) to enable [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. +This document describes how to configure virtual machines (VMs) to enable [Windows subscription activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops. Deployment instructions are provided for the following scenarios: + 1. [Active Directory-joined VMs](#active-directory-joined-vms) 2. [Azure Active Directory-joined VMs](#azure-active-directory-joined-vms) 3. [Azure Gallery VMs](#azure-gallery-vms) ## Requirements -- VMs must be running Windows 10 Pro, version 1703 or later. Windows 11 is "later" in this context. -- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined. 
-- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). - - For more information, see [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download). +- VMs must be running a supported version of Windows Pro edition. +- VMs must be joined to Active Directory or Azure Active Directory (Azure AD). +- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). ## Activation ### Scenario 1 -- The VM is running Windows 10, version 1803 or later (ex: Windows 11). +- The VM is running a supported version of Windows. - The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH). - When a user with VDA rights signs in to the VM using their Azure Active Directory credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10/11 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. + When a user with VDA rights signs in to the VM using their Azure AD credentials, the VM is automatically stepped-up to Enterprise and activated. There's no need to do Windows Pro activation. This functionality eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure. ### Scenario 2 -- The Hyper-V host and the VM are both running Windows 10, version 1803 or later. +- The Hyper-V host and the VM are both running a supported version of Windows. - [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. 
All VMs created by a user with a Windows 10/11 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account. + [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure AD account. ### Scenario 3 -- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) partner. +- The hoster isn't an authorized QMTH partner. - In this scenario, the underlying Windows 10/11 Pro license must be activated prior to Subscription Activation of Windows 10/11 Enterprise. Activation is accomplished using a Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems). + In this scenario, the underlying Windows Pro license must be activated prior to using subscription activation Windows Enterprise. Activation is accomplished using a generic volume license key (GVLK) and a volume license KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). For examples of activation issues, see [Troubleshoot the user experience](./deploy-enterprise-licenses.md#troubleshoot-the-user-experience). ## Active Directory-joined VMs 1. 
Use the following instructions to prepare the VM for Azure: [Prepare a Windows VHD or VHDX to upload to Azure](/azure/virtual-machines/windows/prepare-for-upload-vhd-image) -2. (Optional) To disable network level authentication, type the following at an elevated command prompt: +2. (Optional) To disable network level authentication, type the following command at an elevated command prompt: - ``` + ```cmd REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` 3. At an elevated command prompt, type **sysdm.cpl** and press ENTER. -4. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. -5. Click **Add**, type **Authenticated users**, and then click **OK** three times. -6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#steps-to-generalize-a-vhd) and then start the VM again. -7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 20. -8. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -9. Open Windows Configuration Designer and click **Provision desktop services**. -10. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - - Note: You can use a different project name, but this name is also used with dism.exe in a subsequent step. -11. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. -12. On the Set up network page, choose **Off**. -13. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. 
- - Note: This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). -14. On the Add applications page, add applications if desired. This step is optional. -15. On the Add certificates page, add certificates if desired. This step is optional. -16. On the Finish page, click **Create**. -17. In file explorer, double-click the VHD to mount the disk image. Determine the drive letter of the mounted image. -18. Type the following at an elevated command prompt. Replace the letter **G** with the drive letter of the mounted image, and enter the project name you used if it is different than the one suggested: +4. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. +5. Select **Add**, type **Authenticated users**, and then select **OK** three times. +6. Follow the instructions to use sysprep at [Steps to generalize a VHD](/azure/virtual-machines/windows/prepare-for-upload-vhd-image#generalize-a-vhd) and then start the VM again. +7. If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps to use Windows Configuration Designer and inject an activation key. Otherwise, skip to step 8. + 1. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). + 1. Open Windows Configuration Designer and select **Provision desktop services**. + 1. Under **Name**, type **Desktop AD Enrollment Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. - ```cmd - Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" - ``` -19. Right-click the mounted image in file explorer and click **Eject**. -20. See instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#log-in-to-azure) to log in to Azure, get your storage account details, upload the VHD, and create a managed image. 
+ > [!NOTE] + > You can use a different project name, but this name is also used with dism.exe in a later step. + + 1. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. + 1. On the Set up network page, choose **Off**. + 1. On the Account Management page, choose **Enroll into Active Directory** and then enter the account details. + + > [!NOTE] + > This step is different for [Azure AD-joined VMs](#azure-active-directory-joined-vms). + + 1. On the Add applications page, add applications if desired. This step is optional. + 1. On the Add certificates page, add certificates if desired. This step is optional. + 1. On the Finish page, select **Create**. + 1. In file explorer, open the VHD to mount the disk image. Determine the drive letter of the mounted image. + 1. Type the following command at an elevated command prompt. Replace the letter `G` with the drive letter of the mounted image, and enter the project name you used if it's different than the one suggested: + + ```cmd + Dism.exe /Image=G:\ /Add-ProvisioningPackage /PackagePath: "Desktop AD Enrollment Pro GVLK.ppkg" + ``` + + 1. Right-click the mounted image in file explorer and select **Eject**. + +8. See the instructions at [Upload and create VM from generalized VHD](/azure/virtual-machines/windows/upload-generalized-managed#upload-the-vhd) to sign in to Azure, get your storage account details, upload the VHD, and create a managed image. ## Azure Active Directory-joined VMs ->[!IMPORTANT] ->Azure Active Directory (Azure AD) provisioning packages have a 180 day limit on bulk token usage. You will need to update the provisioning package and re-inject it into the image after 180 days. Existing virtual machines that are Azure AD-joined and deployed will not need to be recreated. +> [!IMPORTANT] +> Azure AD provisioning packages have a 180 day limit on bulk token usage. After 180 days, you'll need to update the provisioning package and re-inject it into the image. 
Existing virtual machines that are Azure AD-joined and deployed won't need to be recreated. -For Azure AD-joined VMs, follow the same instructions (above) as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: -- In step 9, during setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it is not for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. -- In step 11, during setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in and add the bulk token using your organization's credentials. -- In step 15, sub-step 2, when entering the PackagePath, use the project name you entered in step 9 (ex: **Desktop Bulk Enrollment Token Pro GVLK.ppkg**) -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). +For Azure AD-joined VMs, follow the same instructions as for [Active Directory-joined VMs](#active-directory-joined-vms) with the following exceptions: + +- During setup with Windows Configuration Designer, under **Name**, type a name for the project that indicates it isn't for Active Directory-joined VMs, such as **Desktop Bulk Enrollment Token Pro GVLK**. +- During setup with Windows Configuration Designer, on the Account Management page, instead of enrolling in Active Directory, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organization's credentials. +- When entering the PackagePath, use the project name you previously entered. 
For example, **Desktop Bulk Enrollment Token Pro GVLK.ppkg** +- When attempting to access the VM using remote desktop, you'll need to create a custom RDP settings file as described below in [Create custom RDP settings for Azure](#create-custom-rdp-settings-for-azure). ## Azure Gallery VMs -1. (Optional) To disable network level authentication, type the following at an elevated command prompt: +1. (Optional) To disable network level authentication, type the following command at an elevated command prompt: - ``` + ```cmd REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f ``` -2. At an elevated command prompt, type **sysdm.cpl** and press ENTER. -3. On the Remote tab, choose **Allow remote connections to this computer** and then click **Select Users**. -4. Click **Add**, type **Authenticated users**, and then click **OK** three times. +2. At an elevated command prompt, type `sysdm.cpl` and press ENTER. +3. On the Remote tab, choose **Allow remote connections to this computer** and then select **Select Users**. +4. Select **Add**, type **Authenticated users**, and then select **OK** three times. 5. [Install Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd). -6. Open Windows Configuration Designer and click **Provision desktop services**. -7. If you must activate Windows 10 Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. - 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, click **Finish**, and then on the **Set up device** page enter a device name. - 2. Under **Enter product key** type the Pro GVLK key: **W269N-WFGWX-YVC9B-4J6C9-T83GX**. -8. Under **Name**, type **Desktop Bulk Enrollment**, click **Finish**, and then on the **Set up device** page enter a device name. +6. Open Windows Configuration Designer and select **Provision desktop services**. +7. 
If you must activate Windows Pro as described for [scenario 3](#scenario-3), complete the following steps. Otherwise, skip to step 8. + 1. Under **Name**, type **Desktop Bulk Enrollment Token Pro GVLK**, select **Finish**, and then on the **Set up device** page enter a device name. + 2. Under **Enter product key** type the Pro GVLK key: `W269N-WFGWX-YVC9B-4J6C9-T83GX`. +8. Under **Name**, type **Desktop Bulk Enrollment**, select **Finish**, and then on the **Set up device** page enter a device name. 9. On the Set up network page, choose **Off**. -10. On the Account Management page, choose **Enroll in Azure AD**, click **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. +10. On the Account Management page, choose **Enroll in Azure AD**, select **Get Bulk Token**, sign in, and add the bulk token using your organizations credentials. 11. On the Add applications page, add applications if desired. This step is optional. 12. On the Add certificates page, add certificates if desired. This step is optional. -13. On the Finish page, click **Create**. -14. Copy the .ppkg file to the remote Virtual machine. Double click to initiate the provisioning package install. This will reboot the system. +13. On the Finish page, select **Create**. +14. Copy the PPKG file to the remote virtual machine. Open the provisioning package to install it. This process will restart the system. -- When attempting to access the VM using remote desktop, you will need to create a custom RDP settings file as described [below](#create-custom-rdp-settings-for-azure). +> [!NOTE] +> When you try to access the VM using remote desktop, you'll need to [create a custom RDP settings file](#create-custom-rdp-settings-for-azure). ## Create custom RDP settings for Azure -To create custom RDP settings for Azure: - 1. Open Remote Desktop Connection and enter the IP address or DNS name for the remote host. -2. 
Click **Show Options**, and then under Connection settings click **Save As** and save the RDP file to the location where you will use it. +2. Select **Show Options**, and then under Connection settings select **Save As**. Save the RDP file to the location where you'll use it. 3. Close the Remote Desktop Connection window and open Notepad. -4. Drag the RDP file into the Notepad window to edit it. +4. Open the RDP file in Notepad to edit it. 5. Enter or replace the line that specifies authentication level with the following two lines of text: ```text enablecredsspsupport:i:0 authentication level:i:2 ``` -6. **enablecredsspsupport** and **authentication level** should each appear only once in the file. -7. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. -## Related topics + The values `enablecredsspsupport` and `authentication level` should each appear only once in the file. -[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) -
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) +6. Save your changes, and then use this custom RDP file with your Azure AD credentials to connect to the Azure VM. + +## Related articles + +[Windows subscription activation](windows-10-subscription-activation.md) + +[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) + +[Whitepaper on licensing the Windows desktop for VDI environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 67df3547c9..969e44b244 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -1,8 +1,8 @@ --- -title: Windows 10/11 Subscription Activation +title: Windows subscription activation description: In this article, you'll learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions. -ms.custom: seo-marvel-apr2020 -ms.prod: w10 +ms.prod: windows-client +ms.technology: itpro-deploy ms.localizationpriority: medium author: aczechowski ms.author: aaroncz 
@@ -12,239 +12,203 @@ ms.collection: - highpri search.appverid: - MET150 -ms.topic: article +ms.topic: conceptual ms.date: 07/12/2022 --- -# Windows 10/11 Subscription Activation +# Windows subscription activation Applies to: + - Windows 10 - Windows 11 -Windows 10 Pro supports the Subscription Activation feature, enabling users to "step-up" from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they're subscribed to Windows 10/11 Enterprise E3 or E5. +The subscription activation feature enables you to "step-up" from Windows Pro edition to Enterprise or Education editions. You can use this feature if you're subscribed to Windows Enterprise E3 or E5 licenses. Subscription activation also supports step-up from Windows Pro Education edition to Education edition. -With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. +If you have devices that are licensed for earlier versions of Windows Professional, Microsoft 365 Business Premium provides an upgrade to Windows Pro edition, which is the prerequisite for deploying [Windows Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). -If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs#what-is-windows-10-business). 
+The subscription activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and then rebooting client devices. -The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-premises key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. +This article covers the following information: -For more information, see the following articles: - -- [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise. -- [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education. -- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [Subscription activation](#subscription-activation-for-enterprise): An introduction to subscription activation for Windows Enterprise. +- [Subscription activation for Education](#subscription-activation-for-education): Information about subscription activation for Windows Education. +- [Inherited activation](#inherited-activation): Allow virtual machines to inherit activation state from their Windows client host. - [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment. -- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model. +- [Requirements](#requirements): Prerequisites to use the Windows subscription activation model. - [Benefits](#benefits): Advantages of subscription-based licensing. 
- [How it works](#how-it-works): A summary of the subscription-based licensing option. -- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows 10 Subscription Activation for VMs in the cloud. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows subscription activation for VMs in the cloud. -For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md). +For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). -## Subscription Activation for Windows 10/11 Enterprise +## Subscription activation for Enterprise -Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots. +Windows Enterprise E3 and E5 are available as online services via subscription. You can deploy Windows Enterprise in your organization without keys and reboots. - If you're running Windows 10, version 1703 or later: +- Devices with a current Windows Pro edition license can be seamlessly upgraded to Windows Enterprise. +- Product key-based Windows Enterprise software licenses can be transitioned to Windows Enterprise subscriptions. -- Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively. -- Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions. - -Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. 
In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis). +Organizations that have an enterprise agreement can also benefit from the service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure Active Directory (Azure AD) using [Azure AD Connect Sync](/azure/active-directory/hybrid/how-to-connect-sync-whatis). > [!NOTE] -> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. You cannot use Subscription Activation to upgrade from Windows 10 to Windows 11. +> Subscription activation is available for qualifying devices running Windows 10 or Windows 11. You can't use subscription activation to upgrade from Windows 10 to Windows 11. -## Subscription Activation for Education +## Subscription activation for Education -Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section. +Subscription activation for Education works the same as the Enterprise edition, but in order to use subscription activation for Education, you must have a device running Windows Pro Education and an active subscription plan with an Enterprise license. For more information, see the [requirements](#windows-education-requirements) section. 
-## Inherited Activation +## Inherited activation -Inherited Activation is a new feature available in Windows 10, version 1803 or later (Windows 11 is considered "later" here) that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host. +Inherited activation allows Windows virtual machines to inherit activation state from their Windows client host. When a user with a Windows E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10 or Windows 11 host, the VM inherits the activation state from a host machine. This behavior is independent of whether the user signs on with a local account or uses an Azure AD account on a VM. -When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (Azure AD) account on a VM. - -To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V. +To support inherited activation, both the host computer and the VM must be running a supported version of Windows 10 or Windows 11. The hypervisor platform must also be Windows Hyper-V. ## The evolution of deployment +> [!TIP] > The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus). The following list illustrates how deploying Windows client has evolved with each release: -- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
-- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a "repair upgrade" because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
-- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
-- **Windows 10, version 1607** made a large leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
-- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
-- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It's no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
-- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. -- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated. +- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise. + +- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade. This process was considered a "repair upgrade", because the OS version was the same before and after. This upgrade was a lot easier than wipe-and-load, but it was still time-consuming. + +- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This process required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade. + +- **Windows 10, version 1607** made a large leap forward. You could just change the product key and the edition instantly changed from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can inject a key using slmgr.vbs, which injects the key into WMI. It became trivial to do this process using a command line. + +- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for devices that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program. + +- **Windows 10, version 1709** added support for Windows 10 subscription activation, similar to the CSP support but for large enterprises. This feature enabled the use of Azure AD for assigning licenses to users. 
When users sign in to a device that's joined to Active Directory or Azure AD, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise. + +- **Windows 10, version 1803** updated Windows 10 subscription activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It was no longer necessary to run a script to activate Windows 10 Pro before activating Enterprise. For virtual machines and hosts running Windows 10, version 1803, [inherited activation](#inherited-activation) was also enabled. + +- **Windows 10, version 1903** updated Windows 10 subscription activation to enable step up from Windows 10 Pro Education to Windows 10 Education for devices with a qualifying Windows 10 or Microsoft 365 subscription. + +- **Windows 11, version 21H2** updated subscription activation to work on both Windows 10 and Windows 11 devices. + + > [!IMPORTANT] + > Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated. ## Requirements -### Windows 10/11 Enterprise requirements +### Windows Enterprise requirements > [!NOTE] -> The following requirements do not apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). +> The following requirements don't apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only. It supports workgroup, hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. 
For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure virtual machines](/troubleshoot/azure/virtual-machines/troubleshoot-activation-problems). > [!IMPORTANT] -> Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants. +> Currently, subscription activation is only available on commercial tenants. It's currently not available on US GCC, GCC High, or DoD tenants. For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements: -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. Windows 11 is considered a "later" version in this context. -- Azure Active Directory (Azure AD) available for identity management. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. +- A supported version of Windows Pro or Enterprise edition installed on the devices to be upgraded. +- Azure AD available for identity management. +- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. -For Microsoft customers that don't have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). +For Microsoft customers that don't have EA or MPSA, you can get Windows Enterprise E3/E5 or A3/A5 licenses through a cloud solution provider (CSP). 
Identity management and device requirements are the same when you use CSP to manage licenses. For more information about getting Windows Enterprise E3 through your CSP, see [Windows Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). -If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) +### Windows Education requirements -#### Multifactor authentication - -An issue has been identified with Hybrid Azure AD-joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device won't successfully upgrade to their Windows Enterprise subscription. - -To resolve this issue: - -If the device is running Windows 10, version 1809 or later: - -- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. - -- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there's a problem. Select the notification and then select **Fix now** to step through the subscription activation process. See the example below: - - ![Subscription Activation with MFA example 1.](images/sa-mfa1.png)
- - ![Subscription Activation with MFA example 2.](images/sa-mfa2.png)
- - ![Subscription Activation with MFA example 3.](images/sa-mfa3.png) - -Organizations that use Azure Active Directory Conditional Access may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy to avoid this issue. - -> [!NOTE] -> The above recommendation also applies to Azure AD joined devices. - -### Windows 10/11 Education requirements - -- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. -- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. +- A supported version of Windows Pro Education installed on the devices to be upgraded. +- A device with a Windows Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**. +- The Education tenant must have an active subscription to Microsoft 365 with a Windows Enterprise license, or a Windows Enterprise or Education subscription. +- Devices must be Azure AD-joined or hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported. > [!IMPORTANT] > If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. - ## Benefits -With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. 
Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: +With Windows Enterprise or Education editions, your organization can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Education or Enterprise editions to their users. With Windows Enterprise E3/E5 or A3/A5 being available as an online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows features. + +To compare Windows 10 editions and review pricing, see the following sites: - [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare) -- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing) You can benefit by moving to Windows as an online service in the following ways: -- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. +- Licenses for Windows Enterprise and Education are checked based on Azure AD credentials. You have a systematic way to assign licenses to end users and groups in your organization. - User sign-in triggers a silent edition upgrade, with no reboot required. 
-- Support for mobile worker/BYOD activation; transition away from on-premises KMS and MAK keys. +- Support for mobile worker and "bring your own device" (BYOD) activation. This support transitions away from on-premises KMS and MAK keys. - Compliance support via seat assignment. -- Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. +- Licenses can be updated to different users dynamically, which allows you to optimize your licensing investment against changing needs. ## How it works > [!NOTE] -> The following Windows 10 examples and scenarios also apply to Windows 11. +> The following examples use Windows 10 Pro to Enterprise edition. The examples also apply to Windows 11, and Education editions. -The device is Azure Active Directory-joined from **Settings > Accounts > Access work or school**. +The device is Azure AD-joined from **Settings > Accounts > Access work or school**. -The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. +You assign Windows 10 Enterprise to a user: -![Windows 10 Enterprise.](images/ent.png) +![A screenshot of assigning a Windows 10 Enterprise license in the Microsoft 365 admin center.](images/ent.png) -When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. - -Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. 
This benefit doesn't include Long Term Servicing Channel. - -The following figures summarize how the Subscription Activation model works: - -Before Windows 10, version 1903:
-![1703.](images/before.png) - -After Windows 10, version 1903:
-![1903.](images/after.png) +When a licensed user signs in to a device that meets requirements using their Azure AD credentials, Windows steps up from Pro edition to Enterprise. Then all of the Enterprise features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro edition, once the current subscription validity expires. > [!NOTE] -> -> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when "Windows 10 Enterprise" license is assigned from M365 Admin center (as of May 2019). -> -> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when "Windows 10 Enterprise" license is assigned from M365 Admin center (as of May 2019). +> Devices running a supported version of Windows 10 Pro Education can get Windows 10 Enterprise or Education general availability channel on up to five devices for each user covered by the license. This benefit doesn't include the long term servicing channel. + +The following figure summarizes how the subscription activation model works: + +![Diagram of subscription activation.](images/after.png) + +> [!NOTE] +> +> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center. +> +> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when you assign a **Windows 10 Enterprise** license from the Microsoft 365 admin center. ### Scenarios #### Scenario #1 -You're using Windows 10, version 1803 or above, and purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise). +You're using a supported version of Windows 10. You purchased Windows 10 Enterprise E3 or E5 subscriptions, or you've had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise. 
-All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. +All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise. When a subscription activation-enabled user signs in, devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to subscription activated Enterprise edition. #### Scenario #2 -Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. +You're using Azure AD-joined devices or Active Directory-joined devices running a supported version of Windows 10. You configured Azure AD synchronization. You follow the steps in [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md) to get a $0 SKU, and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. You then assign that license to all of your Azure AD users, which can be Active Directory-synced accounts. When that user signs in, the device will automatically change from Windows 10 Pro to Windows 10 Enterprise. -In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it's simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. +#### Earlier versions of Windows -If you're running Windows 7, it can be more work. 
A wipe-and-load approach works, but it's likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This path is supported, and completes the move in one step. This method also works if you're running Windows 8.1 Pro. +If devices are running Windows 7, more steps are required. A wipe-and-load approach still works, but it can be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise edition. This path is supported, and completes the move in one step. This method also works for devices with Windows 8.1 Pro. ### Licenses The following policies apply to acquisition and renewal of licenses on devices: -- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user hasn't logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. + +- Devices that have been upgraded will attempt to renew licenses about every 30 days. They must be connected to the internet to successfully acquire or renew a license. + +- If a device is disconnected from the internet, until its current subscription expires Windows will revert to Pro or Pro Education. As soon as the device is connected to the internet again, the license will automatically renew. + +- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, on the computer to which a user hasn't logged for the longest time, Windows will revert to Pro or Pro Education. 
+ - If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. -When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/active-directory-licensing-whatis-azure-portal). +When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](/azure/active-directory/fundamentals/active-directory-licensing-whatis-azure-portal). ### Existing Enterprise deployments -If you're running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. +If you're running a supported version of Windows 10 or Windows 11, subscription activation will automatically pull the firmware-embedded Windows activation key and activate the underlying Pro license. The license will then step-up to Enterprise using subscription activation. This behavior automatically migrates your devices from KMS or MAK activated Enterprise to subscription activated Enterprise. -Subscription Activation doesn't remove the need to activate the underlying operating system, this is still a requirement for running a genuine installation of Windows. +Subscription activation doesn't remove the need to activate the underlying OS. This requirement still exists for running a genuine installation of Windows. 
> [!CAUTION] -> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). +> Firmware-embedded Windows activation happens automatically only during Windows Setup out of box experience (OOBE). -If you're using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. - -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a `.cmd` file, and run the file from an elevated command prompt: - -```console -@echo off -FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO ( -SET "ProductKey=%%A" -goto InstallKey -) - -:InstallKey -IF [%ProductKey%]==[] ( -echo No key present -) ELSE ( -echo Installing %ProductKey% -changepk.exe /ProductKey %ProductKey% -) -``` - -Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, you can use the following Windows PowerShell script instead: +If the computer has never been activated with a Pro key, use the following script from an elevated PowerShell console: ```powershell $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } } 
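Review bot: In the Licenses list of this hunk, the second rewritten bullet moves the comma, so it now reads "If a device is disconnected from the internet, until its current subscription expires Windows will revert to Pro or Pro Education". That changes the meaning of the removed line, where the revert happens only once the subscription expires while the device is still offline. Suggest "If a device is disconnected from the internet until its current subscription expires, Windows will revert to Pro or Pro Education." The third bullet also drops a word: "hasn't logged for the longest time" should be "hasn't logged in for the longest time". Separately, the new lead-in says to run the script "from an elevated PowerShell console", but the retained script calls `Get-WmiObject`, which exists in Windows PowerShell and not in PowerShell 7. Either keep the "Windows PowerShell" wording or switch the script to `Get-CimInstance`. The script also writes the firmware product key to the console with `Write-Host`; consider not printing the key.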
@@ -252,17 +216,17 @@ $(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( ### Obtaining an Azure AD license -Enterprise Agreement/Software Assurance (EA/SA): +If your organization has an Enterprise Agreement (EA) or Software Assurance (SA): -- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea). +- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD. Ideally, you assign the licenses to groups using the Azure AD Premium feature for group assignment. For more information, see [Enable subscription activation with an existing EA](./deploy-enterprise-licenses.md#enabling-subscription-activation-with-an-existing-ea). -- The license administrator can assign seats to Azure AD users with the same process that is used for O365. +- The license administrator can assign seats to Azure AD users with the same process that's used for Microsoft 365 Apps. - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription. -Microsoft Products & Services Agreements (MPSA): +If your organization has a Microsoft Products & Services Agreement (MPSA): -- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions. +- New customers are automatically emailed the details of the service. Take steps to process the instructions. - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service. 
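Review bot: The second EA/SA bullet replaces "O365" with "Microsoft 365 Apps", which names the Office client apps product rather than the service whose seat-assignment process the removed line pointed to. If the intent is only to retire the abbreviation, "Microsoft 365" or "Office 365" keeps the meaning. In the MPSA list, "Organizations with MPSA are automatically emailed" became "New customers are automatically emailed", which narrows who the bullet applies to. It reads well next to the "Existing MPSA customers" bullet, but confirm the narrowing is intended. The link text now says "Enable subscription activation with an existing EA" while the target is still `#enabling-subscription-activation-with-an-existing-ea`, so check that the heading in deploy-enterprise-licenses.md was not renamed in the same change.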
@@ -270,16 +234,18 @@ Microsoft Products & Services Agreements (MPSA): ### Deploying licenses -See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). +For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md). ## Virtual Desktop Access (VDA) -Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf). Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md). -## Related articles +## Related sites -[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
+Connect domain-joined devices to Azure AD for Windows experiences. For more information, see [Plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) + +[Compare Windows editions](https://www.microsoft.com/windows/business/compare-windows-11) + +[Windows for business](https://www.microsoft.com/windows/business) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index ede51bee83..a8ae09138a 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,6 +1,6 @@ --- title: Device registration overview -description: This article provides and overview on how to register devices in Autopatch +description: This article provides an overview on how to register devices in Autopatch ms.date: 09/07/2022 ms.prod: w11 ms.technology: windows @@ -44,7 +44,7 @@ See the following detailed workflow diagram. The diagram covers the Windows Auto | **Step 1: Identify devices** | IT admin identifies devices to be managed by the Windows Autopatch service. | | **Step 2: Add devices** | IT admin adds devices through direct membership or nests other Azure AD assigned or dynamic groups into the **Windows Autopatch Device Registration** Azure AD assigned group. | | **Step 3: Discover devices** | The Windows Autopatch Discover Devices function hourly discovers devices previously added by the IT admin into the **Windows Autopatch Device Registration** Azure AD assigned group in **step #2**. The Azure AD device ID is used by Windows Autopatch to query device attributes in both Microsoft Endpoint Manager-Intune and Azure AD when registering devices into its service.
  1. Once devices are discovered from the Azure AD group, the same function gathers additional device attributes and saves it into its memory during the discovery operation. The following device attributes are gathered from Azure AD in this step:
    1. **AzureADDeviceID**
    2. **OperatingSystem**
    3. **DisplayName (Device name)**
    4. **AccountEnabled**
    5. **RegistrationDateTime**
    6. **ApproximateLastSignInDateTime**
  2. In this same step, the Windows Autopatch discover devices function calls another function, the device prerequisite check function. The device prerequisite check function evaluates software-based device-level prerequisites to comply with Windows Autopatch device readiness requirements prior to registration.
| -| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **Serial number, model, and manufacturer.**
    1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
  2. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
      2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
  3. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the Azure AD device ID has an Intune device ID associated with it.
      1. **If yes**, it means this device is enrolled into Intune.
      2. **If not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
  4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
  5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
| +| **Step 4: Check prerequisites** | The Windows Autopatch prerequisite function makes an Intune Graph API call to sequentially validate device readiness attributes required for the registration process. For detailed information, see the [Detailed prerequisite check workflow diagram](#detailed-prerequisite-check-workflow-diagram) section. The service checks the following device readiness attributes, and/or prerequisites:
  1. **Serial number, model, and manufacturer.**
    1. Checks if the serial number already exists in the Windows Autopatch’s managed device database.
  2. **If the device is Intune-managed or not.**
    1. Windows Autopatch looks to see **if the Azure AD device ID has an Intune device ID associated with it**.
      1. If **yes**, it means this device is enrolled into Intune.
      2. If **not**, it means the device isn't enrolled into Intune, hence it can't be managed by the Windows Autopatch service.
    2. **If the device is not managed by Intune**, the Windows Autopatch service can't gather device attributes such as operating system version, Intune enrollment date, device name and other attributes. When this happens, the Windows Autopatch service uses the Azure AD device attributes gathered and saved to its memory in **step 3a**.
      1. Once it has the device attributes gathered from Azure AD in **step 3a**, the device is flagged with the **Prerequisite failed** status, then added to the **Not registered** tab so the IT admin can review the reason(s) the device wasn't registered into Windows Autopatch. The IT admin will remediate these devices. In this case, the IT admin should check why the device wasn’t enrolled into Intune.
      2. A common reason is when the Azure AD device ID is stale, it doesn’t have an Intune device ID associated with it anymore. To remediate, [clean up any stale Azure AD device records from your tenant](windows-autopatch-register-devices.md#clean-up-dual-state-of-hybrid-azure-ad-joined-and-azure-registered-devices-in-your-azure-ad-tenant).
    3. **If the device is managed by Intune**, the Windows Autopatch prerequisite check function continues to the next prerequisite check, which evaluates whether the device has checked into Intune in the last 28 days.
  3. **If the device is a Windows device or not.**
    1. Windows Autopatch looks to see if the device is a Windows and corporate-owned device.
      1. **If yes**, it means this device can be registered with the service because it's a Windows corporate-owned device.
      2. **If not**, it means the device is a non-Windows device, or it's a Windows device but it's a personal device.
  4. **Windows Autopatch checks the Windows SKU family**. The SKU must be either:
    1. **Enterprise**
    2. **Pro**
    3. **Pro Workstation**
  5. **If the device meets the operating system requirements**, Windows Autopatch checks whether the device is either:
    1. **Only managed by Intune.**
      1. If the device is only managed by Intune, the device is marked as Passed all prerequisites.
    2. **Co-managed by both Configuration Manager and Intune.**
      1. If the device is co-managed by both Configuration Manager and Intune, an additional prerequisite check is evaluated to determine if the device satisfies the co-management-enabled workloads required by Windows Autopatch to manage devices in a co-managed state. The required co-management workloads evaluated in this step are:
        1. **Windows Updates Policies**
        2. **Device Configuration**
        3. **Office Click to Run**
      2. If Windows Autopatch determines that one of these workloads isn’t enabled on the device, the service marks the device as **Prerequisite failed** and moves the device to the **Not registered** tab.
| | **Step 5: Calculate deployment ring assignment** | Once the device passes all prerequisites described in **step #4**, Windows Autopatch starts its deployment ring assignment calculation. The following logic is used to calculate the Windows Autopatch deployment ring assignment:
  1. If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is **First (5%)**, **Fast (15%)**, remaining devices go to the **Broad ring (80%)**.
  2. If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be **First (1%)**, **Fast (9%)**, remaining devices go to the **Broad ring (90%)**.
| | **Step 6: Assign devices to a deployment ring group** | Once the deployment ring calculation is done, Windows Autopatch assigns devices to one of the following deployment ring groups:
  1. **Modern Workplace Devices-Windows Autopatch-First**
    1. The Windows Autopatch device registration process doesn’t automatically assign devices to the Test ring represented by the Azure AD group (Modern Workplace Devices-Windows Autopatch-Test). It’s important that you assign devices to the Test ring to validate the update deployments before the updates are deployed to a broader population of devices.
  2. **Modern Workplace Devices-Windows Autopatch-Fast**
  3. **Modern Workplace Devices-Windows Autopatch-Broad**
| | **Step 7: Assign devices to an Azure AD group** | Windows Autopatch also assigns devices to the following Azure AD groups when certain conditions apply:
  1. **Modern Workplace Devices - All**
    1. This group has all devices managed by Windows Autopatch.
  2. When registering **Windows 10 devices**, use **Modern Workplace Devices Dynamic - Windows 10**
    1. This group has all devices managed by Windows Autopatch and that have Windows 10 installed.
  3. When registering **Windows 11 devices**, use **Modern Workplace Devices Dynamic - Windows 11**
    1. This group has all devices managed by Windows Autopatch and that have Windows 11 installed.
  4. When registering **virtual devices**, use **Modern Workplace Devices - Virtual Machine**
    1. This group has all virtual devices managed by Windows Autopatch.
    | diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 0ab881bf82..df7c2b8966 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -71,6 +71,9 @@ sections: - question: Can I run Autopatch on my Windows 365 Business Workloads? answer: | No. Autopatch is only available on enterprise workloads. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#windows-autopatch-on-windows-365-enterprise-workloads). + - question: Can you change the policies and configurations created by Windows Autopatch? + answer: | + No. Don't change, edit, add to, or remove any of the configurations. Doing so might cause unintended configuration conflicts and impact the Windows Autopatch service. For more information about policies and configurations, see [Changes made at tenant enrollment](/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant). - name: Update Management questions: - question: What systems does Windows Autopatch update? diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index d057f242cd..c2527f8e0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -15,6 +15,7 @@ manager: aaroncz appliesto: - ✅ Windows 10 - ✅ Windows 11 +- ✅ Windows Holographic for Business --- # Windows Hello biometrics in the enterprise 
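Review bot: In the rewritten Step 4 row of windows-autopatch-device-registration-overview.md, item 3 now checks that the device is "a Windows and corporate-owned device", but its heading still reads "If the device is a Windows device or not." and the "If not" branch does not say what happens to the device. Suggest naming ownership in the heading and stating the outcome, for example whether the device is marked **Prerequisite failed** and moved to the **Not registered** tab as in the other failing branches. Item 2.3 in the same row still says the next check evaluates whether the device "has checked into Intune in the last 28 days", yet no such check appears in the list that follows. Either add that step or reword the sentence.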
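Review bot: The question added to windows-autopatch-faq.yml is phrased "Can you change the policies and configurations created by Windows Autopatch?", while the neighbouring entry uses the first person ("Can I run Autopatch on my Windows 365 Business Workloads?"). Suggest "Can I change ..." for consistency. The answer refers only to "any of the configurations" although the question asks about policies and configurations, so name both in the answer.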
@@ -27,61 +28,71 @@ Windows Hello is the biometric authentication feature that helps strengthen auth Because we realize your employees are going to want to use this new technology in your enterprise, we've been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization. ## How does Windows Hello work? -Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. + +Windows Hello lets your employees use fingerprint, facial recognition, or iris recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Windows Hello credentials. The Windows Hello authenticator works to authenticate and allow employees onto your enterprise network. Authentication doesn't roam among devices, isn't shared with a server, and can't easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device. ## Why should I let my employees use Windows Hello? + Windows Hello provides many benefits, including: -- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. +- It helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, it's much more difficult to gain access without the employee's knowledge. 
-- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! +- Employees get a simple authentication method (backed up with a PIN) that's always with them, so there's nothing to lose. No more forgetting passwords! -- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
    For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. +- Support for Windows Hello is built into the operating system so you can add additional biometric devices and policies as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
    For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. ## Where is Windows Hello data stored? + The biometric data used to support Windows Hello is stored on the local device only. It doesn't roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data from a device, it cannot be converted back into a raw biometric sample that could be recognized by the biometric sensor. > [!NOTE] >Each sensor on a device will have its own biometric database file where template data is stored. Each database has a unique, randomly generated key that is encrypted to the system. The template data for the sensor will be encrypted with this per-database key using AES with CBC chaining mode. The hash is SHA256. Some fingerprint sensors have the capability to complete matching on the fingerprint sensor module instead of in the OS. These sensors will store biometric data on the fingerprint module instead of in the database file. ## Has Microsoft set any device requirements for Windows Hello? + We've been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements: -- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. 
+- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regard to the security of the biometric algorithm. -- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. +- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection. ### Fingerprint sensor requirements -To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). + +To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employee's unique fingerprint as an alternative logon option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required). 
**Acceptable performance range for small to large size touch sensors** -- False Accept Rate (FAR): <0.001 – 0.002% +- False Accept Rate (FAR): <0.001 – 0.002% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% **Acceptable performance range for swipe sensors** -- False Accept Rate (FAR): <0.002% +- False Accept Rate (FAR): <0.002% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% ### Facial recognition sensors + To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employee's facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional). -- False Accept Rate (FAR): <0.001% +- False Accept Rate (FAR): <0.001% -- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% +- False Reject Rate (FRR) without Anti-spoofing or liveness detection: <5% -- Effective, real world FRR with Anti-spoofing or liveness detection: <10% +- Effective, real world FRR with Anti-spoofing or liveness detection: <10% > [!NOTE] >Windows Hello face authentication does not currently support wearing a mask during enrollment or authentication. Wearing a mask to enroll is a security concern because other users wearing a similar mask may be able to unlock your device. The product group is aware of this behavior and is investigating this topic further. Please remove a mask if you are wearing one when you enroll or unlock with Windows Hello face authentication. 
If your working environment doesn’t allow you to remove a mask temporarily, please consider unenrolling from face authentication and only using PIN or fingerprint. +### Iris recognition sensor requirements + +To use Iris authentication, you’ll need a [HoloLens 2 device](/hololens/). All HoloLens 2 editions are equipped with the same sensors. Iris is implemented the same way as other Windows Hello technologies and achieves biometrics security FAR of 1/100K. ## Related topics + - [Windows Hello for Business](hello-identity-verification.md) - [How Windows Hello for Business works](hello-how-it-works.md) - [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) @@ -90,12 +101,3 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) - - - - - - - - - diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 1981ba37e3..6efd13da5a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -14,6 +14,7 @@ localizationpriority: medium appliesto: - ✅ Windows 10 - ✅ Windows 11 +- ✅ Windows Holographic for Business --- # Windows Hello for Business Overview 
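Review bot: The new "Iris recognition sensor requirements" section in hello-biometrics-in-enterprise.md states only a FAR, written as "1/100K", while the fingerprint and facial sections give FAR as a percentage, add an FRR figure, and say anti-spoofing measures are required. Suggest writing the iris FAR in a form the page already uses ("1 in 100 000" or "0.001%") and stating whether FRR and anti-spoofing requirements apply to iris. "Iris" is also capitalized mid-sentence in "To use Iris authentication" and "Iris is implemented", where the rest of the page uses lowercase for fingerprint and facial recognition.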
@@ -46,6 +47,7 @@ As an administrator in an enterprise or educational organization, you can create - **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well. - **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is more reliable and less error-prone. Most existing fingerprint readers work with Windows 10 and Windows 11, whether they're external or integrated into laptops or USB keyboards. +- **Iris Recognition**. This type of biometric recognition uses cameras to perform scan of your iris. HoloLens 2 is the first Microsoft device to introduce an Iris scanner. These iris scanners are the same across all HoloLens 2 devices. Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md). diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md index f2d56646e4..6fe565bf48 100644 
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md +++ b/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md @@ -1,18 +1,14 @@ --- title: Enhanced Phishing Protection in Microsoft Defender SmartScreen description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. -ms.prod: m365-security -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security +ms.prod: windows-client +ms.technology: itpro-security author: v-mathavale ms.author: v-mathavale -audience: IT Admin -ms.localizationpriority: medium -ms.date: 06/21/2022 ms.reviewer: paoloma manager: aaroncz -ms.technology: windows-sec +ms.localizationpriority: medium +ms.date: 06/21/2022 adobe-target: true appliesto: - ✅ Windows 11, version 22H2 
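Review bot: In hello-overview.md, the bullet added by the `@@ -46,6 +47,7 @@` hunk is headed "**Iris Recognition**" while the two bullets above it use sentence case ("Facial recognition", "Fingerprint recognition"), and "uses cameras to perform scan of your iris" is missing an article. Suggest "**Iris recognition**. This type of biometric recognition uses cameras to scan your iris." and lowercase "iris scanner" in the sentence that follows.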
@@ -20,22 +16,27 @@ appliesto: # Enhanced Phishing Protection in Microsoft Defender SmartScreen -Starting in Windows 11 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. +Starting in Windows 11, version 22H2, Enhanced Phishing Protection in Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps. Enhanced Phishing Protection works alongside Windows security protections, and helps protect typed work or school passwords used to sign into Windows 11 in three ways: -- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account -- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password -- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file +- If users type their work or school password on any Chromium browser, into a site deemed malicious by Microsoft Defender SmartScreen, Enhanced Phishing Protection will alert them. It will also prompt them to change their password so attackers can't gain access to their account. + +- Reusing work or school passwords makes it easy for attackers who compromise a user's password to gain access to their other accounts. 
Enhanced Phishing Protection can warn users if they reuse their work or school Microsoft account password on sites and apps and prompt them to change their password. + +- Since it's unsafe to store plaintext passwords in text editors, Enhanced Phishing Protection can warn users if they store their work or school password in Notepad, Word, or any Microsoft 365 Office app, and recommends they delete their password from the file. ## Benefits of Enhanced Phishing Protection in Microsoft Defender SmartScreen Enhanced Phishing Protection provides robust phishing protections for work or school passwords that are used to sign into Windows 11. The benefits of Enhanced Phishing Protection are: -- **Anti-phishing support:** Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content -- **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information, etc.) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them -- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. 
It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the M365D Portal. This enables you to view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment -- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, are not enabled. +- **Anti-phishing support:** Phishing attacks trick users through convincing imitations of safe content or through credential harvesting content hosted inside trusted sites and applications. Enhanced Phishing Protection helps protect users from reported phishing sites by evaluating the URLs a site or app is connecting to, along with other characteristics, to determine if they're known to distribute or host unsafe content. + +- **Secure operating system integration:** Enhanced Phishing Protection is integrated directly into the Windows 11 operating system, so it can understand users' password entry context (including process connections, URLs, certificate information) in any browser or app. Because Enhanced Phishing Protection has unparalleled insight into what is happening at the OS level, it can identify when users type their work or school password unsafely. 
If users do use their work or school password unsafely, the feature empowers users to change their password to minimize chances of their compromised credential being weaponized against them. + +- **Unparalleled telemetry shared throughout Microsoft's security suite:** Enhanced Phishing Protection is constantly learning from phishing attacks seen throughout the entire Microsoft security stack. It works alongside other Microsoft security products, to provide a layered approach to password security, especially for organizations early in their password-less authentication journey. If your organization uses Microsoft Defender for Endpoint, you'll be able to see valuable phishing sensors data in the Microsoft 365 Defender Portal. This portal lets you view Enhanced Phishing Protection alerts and reports for unsafe password usage in your environment. + +- **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios will show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature will be in audit mode if the other settings, which correspond to notification policies, aren't enabled. ## Configure Enhanced Phishing Protection for your organization 
@@ -47,8 +48,8 @@ Enhanced Phishing Protection can be configured using the following Administrativ |Setting|Description| |---------|---------| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender.

    If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.

    If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send telemetry, or notify users. Additionally, your users are unable to turn it on.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate.

    If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.

    If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.

    If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.

    If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate.

    If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.

    If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn your users if they type their work or school password into one of the malicious scenarios described above.| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.

    If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.

    If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they reuse their work or school password.| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.

    If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.

    If you disable or don't configure this policy setting, Enhanced Phishing Protection won't warn users if they store their password in Notepad or Microsoft 365 Office Apps.| @@ -67,7 +68,7 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP]( ### Recommended settings for your organization -By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends telemetry through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it is recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. +By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios. To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen Group Policy and MDM settings. 
@@ -76,7 +77,7 @@ To better help you protect your organization, we recommend turning on and using |Group Policy setting|Recommendation| |---------|---------| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.| -|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a login URL with an invalid certificate, or into an application connecting to either a reported phishing site or a login URL with an invalid certificate. It encourages users to change their password.| +|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.| |Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.| 
@@ -84,7 +85,7 @@ To better help you protect your organization, we recommend turning on and using |MDM setting|Recommendation| |---------|---------| -|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends telemetry but doesn't show any notifications to your users.| +|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| |NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.| |NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.| |NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.| @@ -92,8 +93,9 @@ To better help you protect your organization, we recommend turning on and using --- ## Related articles + - [Microsoft Defender SmartScreen](microsoft-defender-smartscreen-overview.md) - [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) - [Threat protection](../index.md) - [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md) -- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference) +- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference)
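Review bot: In the added Iris Recognition bullet of the Windows Hello biometrics list (hunk `@@ -46,6 +47,7 @@`), the casing and grammar don't match the two sibling bullets. They use sentence case ("Facial recognition", "Fingerprint recognition"), and "uses cameras to perform scan of your iris" is missing an article. Suggest "**Iris recognition**. This type of biometric recognition uses cameras to scan your iris." and lowercase "iris scanner" in the following sentence.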
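Review bot: In the front-matter hunk of phishing-protection-microsoft-defender-smartscreen.md (`@@ -1,18 +1,14 @@`), `ms.date: 06/21/2022` is moved but keeps its old value, although later hunks in this same file change the article body. Suggest updating `ms.date` to the date of this change so the published freshness date matches the content. The hunk also drops `audience: IT Admin` with no replacement; please confirm that removal is intentional.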
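Review bot: In the Benefits list (`@@ -20,22 +16,27 @@`), the bullet heading "**Unparalleled telemetry shared throughout Microsoft's security suite:**" still says "telemetry", while the later hunks in this file replace "telemetry" with "diagnostic data" in the settings tables and the recommended-settings paragraph. Use one term throughout the article so admins don't read them as two different data flows. In the same bullet, "Microsoft 365 Defender Portal" should be "Microsoft 365 Defender portal", since "portal" is a common noun.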
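Review bot: In the rewritten Service Enabled row of the Group Policy table (`@@ -47,8 +48,8 @@`), the + line keeps "preventing users to turn it off", which is ungrammatical. Since the row is being rewritten anyway, suggest "which prevents users from turning it off". The rewritten Notify Malicious row also still says "described above" twice, while the MDM table in this file already says "previously described"; the sign-in rename is a good moment to align the two.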
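Review bot: In the Recommended settings paragraph (`@@ -67,7 +68,7 @@`), "Because of this possibility" has no clear antecedent: the preceding sentence states what audit mode does (users aren't warned), not a possibility. The + line also uses the passive "it's recommended that you" while the next paragraph says "we recommend". Suggest "Because users aren't warned in audit mode, we recommend that you configure Enhanced Phishing Protection to warn users during all protection scenarios."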