Date: Thu, 2 Feb 2023 13:51:18 -0600
Subject: [PATCH 17/45] More changes
---
...topatch-windows-feature-update-overview.md | 22 +++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index fb5db5fcd8..99ba4fc377 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -1,7 +1,7 @@
---
title: Windows feature updates
description: This article explains how Windows feature updates are managed in Autopatch
-ms.date: 02/01/2023
+ms.date: 02/02/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@@ -14,10 +14,12 @@ msreviewer: andredm7
# Windows feature updates
-Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation. Windows feature updates:
+Microsoft provides robust mobile device management (MDM) solutions such as Microsoft Intune, Windows Update for Business, Configuration Manager etc. However, the administration of these solutions to keep Windows devices up to date with the latest Windows feature releases rests on your organization’s IT admins. The Windows feature update process is considered one of the most expensive and time consuming tasks for IT since it requires incremental rollout and validation.
-- Keep Windows devices protected against behavioral issues.
-- Provide new features to boost end-user productivity.
+Windows feature updates consist of:
+
+- Keeping Windows devices protected against behavioral issues.
+- Providing new features to boost end-user productivity.
Windows Autopatch makes it easier and less expensive for you to keep your Windows devices up to date so you can focus on running your core businesses while Windows Autopatch runs update management on your behalf.
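Review bot: In the added lead-in "Windows feature updates consist of:", the two bullets describe what the updates do, not what they are made of, so "consist of" reads wrong in front of "Keeping ..." and "Providing ...". Suggest keeping the original verb forms under a plain lead-in such as "Windows feature updates:", or rewording to "Windows feature updates help you:" followed by "Keep ..." and "Provide ...". The first paragraph is also being touched here and still ends its product list with "Configuration Manager etc."; replace that with "and Configuration Manager".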
@@ -86,6 +88,18 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
> [!NOTE]
> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+### Pause statuses
+
+There are two statuses: **Service Paused** and **Customer Paused**.
+
+| Status | Description |
+| ----- | ------ |
+| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
+| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
+
+> [!IMPORTANT]
+> Service pause is only available for [Windows Quality Updates](windows-autopatch-windows-quality-update-overview.md). Windows Autopatch does not pause Windows Feature Updates on behalf of your organization.
+
## Rollback
Windows Autopatch doesn’t support the rollback of Windows Feature updates.
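Review bot: The new "Pause statuses" table on the feature update page documents a **Service Paused** status and tells the reader to submit a support request, but the [!IMPORTANT] block added directly below it says Windows Autopatch does not pause Windows Feature Updates on the organization's behalf. The reader is shown a status that, per the note, cannot occur on this page. Suggest dropping the Service Paused row here and keeping only Customer Paused, with a pointer to the quality update article. The capitalization "Windows Quality Updates" and "Windows Feature Updates" also differs from the "Windows feature updates" heading in the same file.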
From ddcc4053f952838416d49759c181bde15f847940 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Thu, 2 Feb 2023 12:04:06 -0800
Subject: [PATCH 18/45] Update
windows-autopatch-windows-feature-update-overview.md
---
...topatch-windows-feature-update-overview.md | 19 ++++++-------------
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index 99ba4fc377..922597bb73 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -73,6 +73,9 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
## Pausing and resuming a release
+> [!IMPORTANT]
+> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+
**To pause or resume a feature update:**
1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
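Review bot: The added [!IMPORTANT] text carries over "rollback updates.For more information" with no space after the period, so the two sentences run together when rendered. Since the block is being moved and promoted from NOTE to IMPORTANT in this change, fix the spacing at the same time and use the verb form "roll back" in "pause, resume or rollback updates".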
@@ -85,20 +88,10 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
8. If you're resuming an update, you can select one or more deployment rings.
9. Select **Okay**.
+If you've paused an update, the specified release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update.
+
> [!NOTE]
-> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-
-### Pause statuses
-
-There are two statuses: **Service Paused** and **Customer Paused**.
-
-| Status | Description |
-| ----- | ------ |
-| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. |
-| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. |
-
-> [!IMPORTANT]
-> Service pause is only available for [Windows Quality Updates](windows-autopatch-windows-quality-update-overview.md). Windows Autopatch does not pause Windows Feature Updates on behalf of your organization.
+> The Service Paused status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
## Rollback
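Review bot: The replacement [!NOTE] refers to "The Service Paused status" after this hunk removes the table that defined it, so the term is no longer explained in the visible section. Add a few words on what it means, or phrase the note so it relies entirely on the linked quality update section. The link path `../operate/windows-autopatch-windows-quality-update-overview.md` also leaves and re-enters the `operate` folder this file already lives in, whereas the removed line linked the same file by its bare name; the bare name is simpler.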
From 2cb041666424d6ed1aa5464f144a820c179fd9b2 Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Thu, 2 Feb 2023 12:13:42 -0800
Subject: [PATCH 19/45] Update
windows-autopatch-windows-feature-update-overview.md
---
.../windows-autopatch-windows-feature-update-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index 922597bb73..f1cba8f922 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -74,7 +74,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
## Pausing and resuming a release
> [!IMPORTANT]
-> Pausing or resuming an update can take up to eight hours to be applied to devices. This happens because Windows Autopatch uses Microsoft Intune as its management solution, and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
**To pause or resume a feature update:**
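Review bot: The reworded sentence still calls eight hours "the average frequency devices take to communicate back to Microsoft Intune", which conflicts with the "up to eight hours" upper bound at the start of the same sentence; an interval is also not a frequency. Suggest settling on one claim (an upper bound or a typical check-in interval), worded to match whatever the linked Intune article states.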
From 93f2f5c2a0a1398bf9736e622ec0dc360346b26e Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Thu, 2 Feb 2023 12:40:38 -0800
Subject: [PATCH 20/45] Updated WQU release mgmt section with similar
instructions as feature updates.
---
...s-autopatch-windows-quality-update-overview.md | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 59cc60bb90..eb56d18767 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -110,7 +110,20 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
-In the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Release management** > in the **Release schedule** tab, you can pause or resume a Windows quality update.
+> [!IMPORTANT]
+> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+
+**To pause or resume a quality update:**
+
+1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Select **Devices** from the left navigation menu.
+1. Under the **Windows Autopatch** section, select **Release management**.
+1. In the **Release management** blade, select either: **Pause** or **Resume**.
+1. Select the update type you would like to pause or resume.
+1. Select a reason from the dropdown menu.
+1. Optional. Enter details about why you're pausing or resuming the selected update.
+1. If you're resuming an update, you can select one or more deployment rings.
+1. Select **Okay**.
There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
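Review bot: The removed line sent the reader to **Release management** and then the **Release schedule** tab, but the new steps stop at the **Release management** blade and never mention that tab. Please confirm that Pause and Resume are reachable from the blade itself, or add the tab selection as a step. The steps are also all numbered "1.", while the matching procedure in the feature update article uses explicit numbers ("8.", "9.").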
From c688efc7542d1c598e684bca5d63d89e80b1f28c Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Thu, 2 Feb 2023 12:45:22 -0800
Subject: [PATCH 21/45] Tweak
---
...-autopatch-windows-quality-update-overview.md | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index eb56d18767..4d4570df39 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -116,14 +116,14 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
**To pause or resume a quality update:**
1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. Select **Devices** from the left navigation menu.
-1. Under the **Windows Autopatch** section, select **Release management**.
-1. In the **Release management** blade, select either: **Pause** or **Resume**.
-1. Select the update type you would like to pause or resume.
-1. Select a reason from the dropdown menu.
-1. Optional. Enter details about why you're pausing or resuming the selected update.
-1. If you're resuming an update, you can select one or more deployment rings.
-1. Select **Okay**.
+2. Select **Devices** from the left navigation menu.
+3. Under the **Windows Autopatch** section, select **Release management**.
+4. In the **Release management** blade, select either: **Pause** or **Resume**.
+5. Select the update type you would like to pause or resume.
+6. Select a reason from the dropdown menu.
+7. Optional. Enter details about why you're pausing or resuming the selected update.
+8. If you're resuming an update, you can select one or more deployment rings.
+9. Select **Okay**.
There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**.
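Review bot: Step 4 keeps a stray colon in "select either: **Pause** or **Resume**"; "select either **Pause** or **Resume**" reads cleanly. Step 7's "Optional." fragment could be folded into the instruction, for example "(Optional) Enter details ...". The subject line "Tweak" gives no hint that this is a renumbering-only change; a subject such as "Use explicit step numbers in WQU pause procedure" would make the history easier to scan.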
From a688e3437ee0aa5725f845f14bdc735dd06f8264 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Thu, 2 Feb 2023 14:24:14 -0700
Subject: [PATCH 22/45] Update using-event-viewer-with-applocker.md
Line 58: Remove extra spaces.
---
.../using-event-viewer-with-applocker.md | 39 +++++++++----------
1 file changed, 19 insertions(+), 20 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index ed7b6721dc..d10ebcfc03 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -30,16 +30,16 @@ ms.date: 02/02/2023
This article lists AppLocker events and describes how to use Event Viewer with AppLocker.
-The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains detailed info about:
+The AppLocker log contains information about applications that are affected by AppLocker rules. Each event in the log contains details such as the following information:
-- Which file is affected and the path of that file
-- Which packaged app is affected and the package identifier of the app
-- Whether the file or packaged app is allowed or blocked
-- The rule type (path, file hash, or publisher)
-- The rule name
-- The security identifier (SID) for the user or group identified in the rule
+- Which file is affected and the path of that file
+- Which packaged app is affected and the package identifier of the app
+- Whether the file or packaged app is allowed or blocked
+- The rule type (path, file hash, or publisher)
+- The rule name
+- The security identifier (SID) for the user or group identified in the rule
-Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%).
+Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example, `%SystemDrive%`).
For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md).
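Review bot: "contains details such as the following information:" in the new lead-in is redundant, since "details" and "information" say the same thing. Suggest "Each event in the log contains details such as:". The six bullet lines are removed and re-added with no visible text change; if the intent was whitespace cleanup, say so in the commit message, which currently mentions only line 58.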
@@ -48,24 +48,24 @@ For info about what to look for in the AppLocker event logs, see [Monitor app us
**To review the AppLocker log in Event Viewer**
-1. Open Event Viewer.
-2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**.
+1. Open Event Viewer.
+2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, select **AppLocker**.
The following table contains information about the events that you can use to determine which apps are affected by AppLocker rules.
| Event ID | Level | Event message | Description |
-| - | - | - | - |
-| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
+| --- | --- | --- | --- |
+| 8000 | Error| Application Identity Policy conversion failed. Status *<%1>*| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
-| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
-| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
-| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.|
-| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
-| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
-| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.|
+| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
+| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
+| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.|
+| 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.|
+| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. |
+| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.|
| 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.|
| 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.|
-| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
+| 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.|
| 8022| Information| Packaged app disabled.| Added in Windows Server 2012 and Windows 8.|
| 8023 | Information| Packaged app installation allowed.| Added in Windows Server 2012 and Windows 8.|
| 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.|
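Review bot: Row 8000 is corrected to `*<%1>*`, but the re-added rows 8002 through 8007 still read `*<File name> *` with a space before the closing asterisk. Markdown does not treat an asterisk preceded by whitespace as closing emphasis, so these cells are likely to render literal asterisks instead of italics. Apply the same fix to those six rows. For anyone using this table for triage, the Description column is what separates audit-only events (8003, 8006) from enforced blocks (8004, 8007), so those cells are worth keeping clean.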
@@ -90,4 +90,3 @@ The following table contains information about the events that you can use to de
- [Tools to use with AppLocker](tools-to-use-with-applocker.md)
-
From bb17ce2c681b089b05ae0fb631ba673c1841af8b Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Thu, 2 Feb 2023 14:26:49 -0700
Subject: [PATCH 23/45] Update
windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
Line 41: Correct the placement of a period.
---
.../design/script-enforcement.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
index 29174ef291..d8598308cd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/design/script-enforcement.md
@@ -38,7 +38,7 @@ Validation for signed scripts is done using the [WinVerifyTrust API](/windows/wi
WDAC shares the *AppLocker - MSI and Script* event log for all script enforcement events. Whenever a script host asks WDAC if a script should be allowed, an event will be logged with the answer WDAC returned to the script host. For more information on WDAC script enforcement events, see [Understanding Application Control events](/windows/security/threat-protection/windows-defender-application-control/event-id-explanations#windows-applocker-msi-and-script-log).
> [!NOTE]
-> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked". However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
+> When a script runs that is not allowed by policy, WDAC raises an event indicating that the script was "blocked." However, the actual script enforcement behavior is handled by the script host and may not actually completely block the file from running.
>
> Also be aware that some script hosts may change how they behave even if a WDAC policy is in audit mode only. You should review the information below for each script host and test thoroughly within your environment to ensure the scripts you need to run are working properly.
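Review bot: Moving the period inside the quotation marks in "blocked." makes the period look like part of the logged value. If the word is meant as the event's literal wording, format it as a term (bold or code) and keep the period outside. The same sentence's "may not actually completely block the file from running" is the caveat defenders most need from this note, so tighten it to "might not completely block" and consider stating plainly that a "blocked" event does not by itself show that the script failed to run.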
From 78db741ab05034a92db5a5e0b624c6b51bc56d61 Mon Sep 17 00:00:00 2001
From: Angela Fleischmann
Date: Thu, 2 Feb 2023 14:29:57 -0700
Subject: [PATCH 24/45] Update
windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
Line 58: Replace extra spaces.
---
.../applocker/using-event-viewer-with-applocker.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
index d10ebcfc03..00a6cb48d3 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
@@ -55,7 +55,7 @@ The following table contains information about the events that you can use to de
| Event ID | Level | Event message | Description |
| --- | --- | --- | --- |
-| 8000 | Error| Application Identity Policy conversion failed. Status *<%1>*| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
+| 8000 | Error| Application Identity Policy conversion failed. Status * <%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.|
| 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.|
| 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.|
| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. |
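Review bot: This change to row 8000 puts spaces back inside the emphasis markers (`* <%1> *`), reversing the `*<%1>*` form introduced in patch 22. An asterisk followed by a space does not open emphasis in Markdown, so the cell will show literal asterisks. The context rows below still carry `*<File name> *` as well. Pick one form for all placeholder cells, preferably with no inner spaces, and if the spaces were added because the renderer treats `<%1>` as HTML, escape the angle brackets instead.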
From ac76087c4ce36c585371c5fcf6e3bebf7f6c7274 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Thu, 2 Feb 2023 13:43:28 -0800
Subject: [PATCH 25/45] Tweak
---
.../windows-autopatch-windows-feature-update-overview.md | 2 +-
.../windows-autopatch-windows-quality-update-overview.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index f1cba8f922..4cc1f4a6ab 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -76,7 +76,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
> [!IMPORTANT]
> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-**To pause or resume a feature update:**
+**To pause or resume a Windows feature update:**
1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 4d4570df39..75c2765189 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -113,7 +113,7 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
> [!IMPORTANT]
> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
-**To pause or resume a quality update:**
+**To pause or resume a Windows quality update:**
1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
From 449ef376cd6d427c4f70977d68d1fa08106604d1 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Thu, 2 Feb 2023 13:45:40 -0800
Subject: [PATCH 26/45] Tweak
---
.../windows-autopatch-windows-feature-update-overview.md | 2 +-
.../windows-autopatch-windows-quality-update-overview.md | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index 4cc1f4a6ab..e63ff0668b 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -74,7 +74,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
## Pausing and resuming a release
> [!IMPORTANT]
-> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
**To pause or resume a Windows feature update:**
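Review bot: the added line still runs two sentences together at "rollback updates.For more information"; add a space after the period. While the line is being touched, "rollback" is used as a verb here and should be "roll back".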
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 75c2765189..52eb955e6c 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -111,7 +111,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release.
> [!IMPORTANT]
-> Pausing or resuming an update can take up to eight hours to be applied to devices, because Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
+> Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).
**To pause or resume a Windows quality update:**
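Review bot: after the sentence split, "that's the average frequency" on the added line no longer has a clear referent, and "average" sits oddly next to "up to eight hours", which reads as an upper bound. Suggest rewording the second sentence so it says explicitly what takes eight hours (the device check-in with Microsoft Intune) and whether that figure is typical or a maximum. The missing space in "updates.For" is carried into this file as well.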
From a5d38138e53544ff6bae3c632176c8bd97cb11e2 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Thu, 2 Feb 2023 15:47:50 -0800
Subject: [PATCH 27/45] Update faq-md-app-guard.yml
Added a section explaining how to open a support case
---
.../faq-md-app-guard.yml | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 816d5da3f4..49e6301d05 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -223,7 +223,12 @@ sections:
What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
answer: |
This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
-
+
+ - question: |
+ How do I open a support ticket for Microsoft Defender Application Guard?
+ answer: |
+ Go to this link: https://support.serviceshub.microsoft.com/supportforbusiness/create
+ Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best desribes the issue, select, 'Windows Security Tecnologies'. In the final option, select, 'Windows Defender Application Guard'.
additionalContent: |
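Review bot: the new answer text has two typos, "desribes" and "Tecnologies", and a stray comma after each "select" ("select, 'Windows Security Tecnologies'"). The question says "Microsoft Defender Application Guard" while the last sentence says 'Windows Defender Application Guard'; if the support form really uses the older name, say so, otherwise use one name. A bare URL after "Go to this link:" would read better as a Markdown link with descriptive text.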
From 23e905f44f72161a78d85753cbaf8ea926d911a4 Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Thu, 2 Feb 2023 17:24:44 -0800
Subject: [PATCH 28/45] MEM not EM
---
.../windows-autopatch-windows-feature-update-overview.md | 2 +-
.../windows-autopatch-windows-quality-update-overview.md | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index e63ff0668b..59b3f9d138 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -78,7 +78,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
**To pause or resume a Windows feature update:**
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
3. Under the **Windows Autopatch** section, select **Release management**.
4. In the **Release management** blade, select either: **Pause** or **Resume**.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index 52eb955e6c..d4fc020a8f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -88,7 +88,7 @@ By default, the service expedites quality updates as needed. For those organizat
**To turn off service-driven expedited quality updates:**
-1. Go to **[Microsoft Endpoint Manager portal](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
+1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**.
2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting.
> [!NOTE]
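Review bot: this step wraps the whole link in bold (`**[Microsoft Endpoint Manager admin center](...)**`) and omits "the", while the other three steps changed in this patch use an unbolded link after "Go to the". Suggest matching them so the four procedures in the two articles read the same.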
@@ -100,7 +100,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
**To view deployed Out of Band quality updates:**
-1. Go to [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
+1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
> [!NOTE]
@@ -115,7 +115,7 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
**To pause or resume a Windows quality update:**
-1. Go to the [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **Devices** from the left navigation menu.
3. Under the **Windows Autopatch** section, select **Release management**.
4. In the **Release management** blade, select either: **Pause** or **Resume**.
From 2e1f63aeafd85cd4bf8dd817a0a46d2b4c0d360a Mon Sep 17 00:00:00 2001
From: tiaraquan
Date: Thu, 2 Feb 2023 17:38:04 -0800
Subject: [PATCH 29/45] Tiara you twit.
---
.../windows-autopatch-windows-quality-update-overview.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
index d4fc020a8f..c8ab6062c6 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md
@@ -100,7 +100,7 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea
**To view deployed Out of Band quality updates:**
-1. Go to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
+1. Go to [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431) > **Devices** > **Windows Autopatch** > **Release management**.
2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates.
> [!NOTE]
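Review bot: dropping "the" here makes this step the odd one out; the pause/resume steps in both articles were just changed to "Go to the [Microsoft Endpoint Manager admin center]". If the article is being removed on purpose, apply it to those steps too and say why in the commit message; the current subject line gives a reviewer nothing to go on.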
From caf39b5a087c6455fb8f99e2b71e93d3f384ecd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Fitt?=
<36852431+rafalfitt@users.noreply.github.com>
Date: Fri, 3 Feb 2023 10:13:18 +0100
Subject: [PATCH 30/45] Update
user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
sync with best practices, see https://github.com/MicrosoftDocs/windows-itpro-docs/commit/c66f5f99b1ee002661c50a9faa0adebe380d5c7f
---
...ntrol-behavior-of-the-elevation-prompt-for-standard-users.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
index 2bbf3a6015..1d3ea2ed65 100644
--- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
+++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md
@@ -78,7 +78,7 @@ One of the risks that the UAC feature tries to mitigate is that of malicious pro
### Countermeasure
-Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account.
+Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account.
### Potential impact
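Review bot: the option name is corrected only in this one sentence of the Countermeasure section (1 insertion, 1 deletion). If the article names **Prompt for credentials** as the recommended value anywhere else, those occurrences need the same change or the page will contradict itself. The sentence would also be stronger if it said why the secure desktop variant is the one recommended, instead of leaving that to the commit linked in the message.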
From 85b9ad323629942d53e26d6da3c7a01da461207a Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Fri, 3 Feb 2023 08:13:16 -0800
Subject: [PATCH 31/45] Update
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../microsoft-defender-application-guard/faq-md-app-guard.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 49e6301d05..3933bfc00f 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -227,7 +227,7 @@ sections:
- question: |
How do I open a support ticket for Microsoft Defender Application Guard?
answer: |
- Go to this link: https://support.serviceshub.microsoft.com/supportforbusiness/create
+ [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best desribes the issue, select, 'Windows Security Tecnologies'. In the final option, select, 'Windows Defender Application Guard'.
additionalContent: |
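Review bot: the replacement line leaves the answer opening with a bare link followed by a period, which reads as a fragment; give it a verb, for example "Visit [Create a new support request](...)". The unchanged line directly below still carries "desribes" and "Tecnologies", so this hunk is incomplete unless the follow-up fix lands with it.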
From e4e86344229fba0f81ac28593bf79be563c087b1 Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Fri, 3 Feb 2023 08:13:27 -0800
Subject: [PATCH 32/45] Update
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../microsoft-defender-application-guard/faq-md-app-guard.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 3933bfc00f..d7bbb33704 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -228,7 +228,7 @@ sections:
How do I open a support ticket for Microsoft Defender Application Guard?
answer: |
[Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best desribes the issue, select, 'Windows Security Tecnologies'. In the final option, select, 'Windows Defender Application Guard'.
+ Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
additionalContent: |
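Review bot: the added line removes the stray comma before **Windows Defender Application Guard** but keeps it in "select, **Windows Security Technologies**"; drop that one too. "Under the Product Family, select Windows" leaves both UI labels unformatted while the later ones are now bold; bold **Product Family** and **Windows** for consistency.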
From b6ea2673755d1f8a80af9f1ea3e547762f7180b7 Mon Sep 17 00:00:00 2001
From: Andre Della Monica
Date: Fri, 3 Feb 2023 10:20:14 -0600
Subject: [PATCH 33/45] More changes
---
.../deploy/windows-autopatch-register-devices.md | 5 ++++-
.../windows-autopatch-windows-feature-update-overview.md | 2 +-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 17cf0bb228..8750604713 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
-ms.date: 09/07/2022
+ms.date: 02/03/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -39,6 +39,9 @@ Windows Autopatch automatically runs its discover devices function every hour to
> [!NOTE]
> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand.
+> [!IMPORTANT]
+> Windows Autopatch supports only one level of group-nesting in the **Windows Autopatch Device Registration** Azure AD group.
+
#### Supported scenarios when nesting other Azure AD groups
Windows Autopatch also supports the following Azure AD nested group scenarios:
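Review bot: the added [!IMPORTANT] callout duplicates a limitation the same file already states further down, under the nested-group scenarios ("The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups."). Two callouts with different wording for one rule invite drift; keep a single note, placed where the nesting scenarios are described.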
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
index 59b3f9d138..b58aa2938f 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md
@@ -91,7 +91,7 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym
If you've paused an update, the specified release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update.
> [!NOTE]
-> The Service Paused status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
+> The **Service Paused** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf.
## Rollback
From 5d608ab8a48daac23c40b4197ec542efedda197a Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Fri, 3 Feb 2023 08:29:34 -0800
Subject: [PATCH 34/45] Update windows-autopatch-register-devices.md
---
.../deploy/windows-autopatch-register-devices.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 8750604713..ca625dc2d8 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -55,7 +55,7 @@ Azure AD groups synced up from:
> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group.
> [!IMPORTANT]
-> The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups.
+> The **Windows Autopatch Device Registration** Azure AD group only supports **one level** of Azure AD nested groups.
### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
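Review bot: bold in this file marks UI and object names (**Windows Autopatch Device Registration**, **Discover devices**, **Ready**), so bolding "one level" for emphasis inside a callout that is already [!IMPORTANT] mixes two meanings of the same formatting. Consider leaving the phrase plain and moving "only" next to what it limits: "supports only one level of Azure AD nested groups".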
From 9a7f5b54e206ca0d5cf898d268c0657c8aa9e5ef Mon Sep 17 00:00:00 2001
From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com>
Date: Fri, 3 Feb 2023 08:42:56 -0800
Subject: [PATCH 35/45] Update windows-autopatch-register-devices.md
---
.../deploy/windows-autopatch-register-devices.md | 3 ---
1 file changed, 3 deletions(-)
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index ca625dc2d8..a6540780aa 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -39,9 +39,6 @@ Windows Autopatch automatically runs its discover devices function every hour to
> [!NOTE]
> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand.
-> [!IMPORTANT]
-> Windows Autopatch supports only one level of group-nesting in the **Windows Autopatch Device Registration** Azure AD group.
-
#### Supported scenarios when nesting other Azure AD groups
Windows Autopatch also supports the following Azure AD nested group scenarios:
From b7791e02072c87c14da2238db282c5337684ed34 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Fri, 3 Feb 2023 11:50:33 -0500
Subject: [PATCH 36/45] Update faq-md-app-guard.yml
Fix indentation
---
.../faq-md-app-guard.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index d7bbb33704..a2c40f975e 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -222,13 +222,13 @@ sections:
- question: |
What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
answer: |
- This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
+ This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
- - question: |
+ - question: |
How do I open a support ticket for Microsoft Defender Application Guard?
answer: |
- [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
+ - Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
+ - Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
additionalContent: |
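Review bot: the commit message says "Fix indentation", but the last two added lines also change content: the answer becomes a bulleted list and gains "Visit". Say so in the message. Since the two items are sequential steps, a numbered list fits better than bullets, and the second item still has the stray comma in "select, **Windows Security Technologies**".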
From 570db9497514aff2d94c59e5e602442aad7fd6e6 Mon Sep 17 00:00:00 2001
From: Evan Miller
Date: Fri, 3 Feb 2023 10:31:27 -0800
Subject: [PATCH 37/45] Update HL2 Policies
---
...es-in-policy-csp-supported-by-hololens2.md | 27 ++++++++++++++++---
1 file changed, 23 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index ee5e75bc24..7545fd6751 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -9,7 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.date: 08/01/2022
+ms.date: 02/03/2023
---
# Policies in Policy CSP supported by HoloLens 2
@@ -31,7 +31,20 @@ ms.date: 08/01/2022
- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
+- [Connectivity/AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices)
- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
+- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) 10
+- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) 10
+- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackbackground) 10
+- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#dodelaycacheserverfallbackforeground) 10
+- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#dodownloadmode) 10
+- [DeliveryOptimization/DOMaxBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxbackgrounddownloadbandwidth) 10
+- [DeliveryOptimization/DOMaxForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#domaxforegrounddownloadbandwidth) 10
+- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxbackgroundbandwidth) 10
+- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#dopercentagemaxforegroundbandwidth) 10
+- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitforegrounddownloadbandwidth) 10
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) 10
+- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#dosethourstolimitbackgrounddownloadbandwidth) 10
- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#allowidlereturnwithoutpassword)
- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#allowsimpledevicepassword)
- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#alphanumericdevicepasswordrequired)
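Review bot: the last two added DeliveryOptimization lines are identical; `DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth` is listed twice. Remove one, and check whether the second was meant to be a different policy that is now missing from the list.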
@@ -44,7 +57,8 @@ ms.date: 08/01/2022
- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
- [Experience/AllowCortana](policy-csp-experience.md#allowcortana)
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#allowmanualmdmunenrollment)
-- [MixedReality/AADGroupMembershipCacheValidityInDays](policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays)
+- [MemoryDump/AllowCrashDump](policy-csp-memorydump.md#allowcrashdump)
+- [MemoryDump/AllowLivehDump](policy-csp-memorydump.md#allowlivedump)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) 9
- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#allowcaptiveportalbeforelogon) 12
- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#allowlaunchuriinsingleappkiosk)10
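Review bot: the link text in the second added line is misspelled, "MemoryDump/AllowLivehDump", while its anchor is `#allowlivedump`; it should read "MemoryDump/AllowLiveDump". The two MemoryDump entries also carry no footnote number, unlike the MixedReality entries that follow; confirm whether a minimum-build marker applies.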
@@ -78,6 +92,7 @@ ms.date: 08/01/2022
- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forceallowtheseapps)
- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_forcedenytheseapps)
- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessbackgroundspatialperception_userincontroloftheseapps)
+- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera)
- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccesscamera_forceallowtheseapps) 8
- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccesscamera_forcedenytheseapps) 8
- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccesscamera_userincontroloftheseapps) 8
@@ -85,13 +100,11 @@ ms.date: 08/01/2022
- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forceallowtheseapps) 8
- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_forcedenytheseapps) 8
- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessgazeinput_userincontroloftheseapps) 8
-- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#letappsaccesscamera)
- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#letappsaccesslocation)
- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#letappsaccessmicrophone)
- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forceallowtheseapps) 8
- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_forcedenytheseapps) 8
- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#letappsaccessmicrophone_userincontroloftheseapps) 8
-- [RemoteLock/Lock](./remotelock-csp.md) 9
- [Search/AllowSearchToUseLocation](policy-csp-search.md#allowsearchtouselocation)
- [Security/AllowAddProvisioningPackage](policy-csp-security.md#allowaddprovisioningpackage) 9
- [Security/AllowRemoveProvisioningPackage](policy-csp-security.md#allowremoveprovisioningpackage) 9
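Review bot: the removal of `- [RemoteLock/Lock](./remotelock-csp.md) 9` is not explained by the subject "Update HL2 Policies". It links to a separate CSP page and not to a Policy CSP anchor, so dropping it from this list may be intentional, but the commit message should say so, and the entry should be confirmed as documented elsewhere for HoloLens 2 before it disappears from here.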
@@ -105,9 +118,15 @@ ms.date: 08/01/2022
- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12
- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12
- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline)
+- [System/AllowDeviceNameInDiagnosticData](policy-csp-system.md#allowdevicenameindiagnosticdata)
- [System/AllowLocation](policy-csp-system.md#allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
+- [System/ConfigureTelemetryOptInSettingsUx](policy-csp-system.md#configuretelemetryoptinsettingsux)
+- [System/DisableDeviceDelete](policy-csp-system.md#disabledevicedelete)
+- [System/FeedbackHubAlwaysSaveDiagnosticsLocally](policy-csp-system.md#feedbackhubalwayssavediagnosticslocally)
+- [System/LimitDiagnosticLogCollection](policy-csp-system.md#limitdumpcollection)
+- [System/LimitDumpCollection](policy-csp-system.md#limitdumpcollection)
- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9
- [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9
- [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9
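Review bot: `System/LimitDiagnosticLogCollection` links to `policy-csp-system.md#limitdumpcollection`, the same anchor as the `System/LimitDumpCollection` entry on the next line. Every other entry in this list uses the lowercased policy name as its anchor, so this looks like a copy-paste slip; the target is presumably `#limitdiagnosticlogcollection`, and should be checked against the headings in policy-csp-system.md.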
From 7e5f1d94241d4e2bdf494ba5723e5e57ff36de77 Mon Sep 17 00:00:00 2001
From: Evan Miller
Date: Fri, 3 Feb 2023 12:50:04 -0800
Subject: [PATCH 38/45] smart retry
---
.../mdm/policies-in-policy-csp-supported-by-hololens2.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 7545fd6751..77fc83e9b7 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -19,6 +19,7 @@ ms.date: 02/03/2023
- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
- [ApplicationManagement/RequirePrivateStoreOnly](policy-csp-applicationmanagement.md#requireprivatestoreonly) 11
+- [ApplicationManagement/ScheduleForceRestartForUpdateFailures](policy-csp-applicationmanagement.md#smart-retry-for-app-updates)
- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname)
- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
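Review bot: the anchor on the added line, `#smart-retry-for-app-updates`, breaks the pattern used by every neighbouring entry, where the anchor is the lowercased policy name (`#allowdeveloperunlock`, `#requireprivatestoreonly`). Verify that this anchor exists in policy-csp-applicationmanagement.md; if not, the link should point at the heading for `ScheduleForceRestartForUpdateFailures`. The subject "smart retry" could also name the policy being added.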
From e9bcec3340493a4eee30d6d7c60ce8e712b67138 Mon Sep 17 00:00:00 2001
From: Evan Miller
Date: Fri, 3 Feb 2023 15:01:49 -0800
Subject: [PATCH 39/45] DO policies only
---
.../mdm/policies-in-policy-csp-supported-by-hololens2.md | 9 ---------
1 file changed, 9 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 77fc83e9b7..ba9efea9af 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -32,7 +32,6 @@ ms.date: 02/03/2023
- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](policy-csp-browser.md#allowsmartscreen)
- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#allowbluetooth)
-- [Connectivity/AllowConnectedDevices](policy-csp-connectivity.md#allowconnecteddevices)
- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#allowusbconnection)
- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#docachehost) 10
- [DeliveryOptimization/DOCacheHostSource](policy-csp-deliveryoptimization.md#docachehostsource) 10
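Review bot: The removal of `Connectivity/AllowConnectedDevices` here has no stated reason: the subject "DO policies only" implies the change set is being narrowed to Delivery Optimization, but the commit has no body saying whether this policy is unsupported on HoloLens 2 or is just being deferred to another PR. Add a line to the commit message that says which, so that the published supported-policy list can be trusted as a statement of what the device actually enforces.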
@@ -58,8 +57,6 @@ ms.date: 02/03/2023
- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#mindevicepasswordlength)
- [Experience/AllowCortana](policy-csp-experience.md#allowcortana)
- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#allowmanualmdmunenrollment)
-- [MemoryDump/AllowCrashDump](policy-csp-memorydump.md#allowcrashdump)
-- [MemoryDump/AllowLivehDump](policy-csp-memorydump.md#allowlivedump)
- [MixedReality/AADGroupMembershipCacheValidityInDays](./policy-csp-mixedreality.md#aadgroupmembershipcachevalidityindays) 9
- [MixedReality/AllowCaptivePortalBeforeLogon](./policy-csp-mixedreality.md#allowcaptiveportalbeforelogon) 12
- [MixedReality/AllowLaunchUriInSingleAppKiosk](./policy-csp-mixedreality.md#allowlaunchuriinsingleappkiosk)10
@@ -119,15 +116,9 @@ ms.date: 02/03/2023
- [Storage/ConfigStorageSenseDownloadsCleanupThreshold](policy-csp-storage.md#configstoragesensedownloadscleanupthreshold) 12
- [Storage/ConfigStorageSenseGlobalCadence](policy-csp-storage.md#configstoragesenseglobalcadence) 12
- [System/AllowCommercialDataPipeline](policy-csp-system.md#allowcommercialdatapipeline)
-- [System/AllowDeviceNameInDiagnosticData](policy-csp-system.md#allowdevicenameindiagnosticdata)
- [System/AllowLocation](policy-csp-system.md#allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#allowtelemetry)
-- [System/ConfigureTelemetryOptInSettingsUx](policy-csp-system.md#configuretelemetryoptinsettingsux)
-- [System/DisableDeviceDelete](policy-csp-system.md#disabledevicedelete)
-- [System/FeedbackHubAlwaysSaveDiagnosticsLocally](policy-csp-system.md#feedbackhubalwayssavediagnosticslocally)
-- [System/LimitDiagnosticLogCollection](policy-csp-system.md#limitdumpcollection)
-- [System/LimitDumpCollection](policy-csp-system.md#limitdumpcollection)
- [TimeLanguageSettings/ConfigureTimeZone](./policy-csp-timelanguagesettings.md#configuretimezone) 9
- [Update/ActiveHoursEnd](./policy-csp-update.md#activehoursend) 9
- [Update/ActiveHoursMaxRange](./policy-csp-update.md#activehoursmaxrange) 9
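Review bot: Several of the `System/` lines deleted in this hunk (`FeedbackHubAlwaysSaveDiagnosticsLocally`, `LimitDiagnosticLogCollection`, `LimitDumpCollection`) were added by an earlier patch in this same series, so the history adds and then removes them. Squash the two commits before merge so the file history does not suggest these diagnostic and dump-collection policies were ever listed as supported. If they return in a later PR, the `LimitDiagnosticLogCollection` link should not reuse `#limitdumpcollection`.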
From 114800510e628934b17cd8be078c16d6a3a5c312 Mon Sep 17 00:00:00 2001
From: Evan Miller
Date: Fri, 3 Feb 2023 15:46:13 -0800
Subject: [PATCH 40/45] fix link
---
.../mdm/policies-in-policy-csp-supported-by-hololens2.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index ba9efea9af..b34eebfedb 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -19,7 +19,7 @@ ms.date: 02/03/2023
- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#allowdeveloperunlock)
- [ApplicationManagement/RequirePrivateStoreOnly](policy-csp-applicationmanagement.md#requireprivatestoreonly) 11
-- [ApplicationManagement/ScheduleForceRestartForUpdateFailures](policy-csp-applicationmanagement.md#smart-retry-for-app-updates)
+- [ApplicationManagement/ScheduleForceRestartForUpdateFailures](policy-csp-applicationmanagement.md#scheduleforcerestartforupdatefailures)
- [Authentication/AllowFastReconnect](policy-csp-authentication.md#allowfastreconnect)
- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#preferredaadtenantdomainname)
- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#allowdiscoverablemode)
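Review bot: The corrected anchor `#scheduleforcerestartforupdatefailures` now matches the convention of the surrounding entries, but this is a fix to a line introduced two commits earlier in the series. Fold it into the "smart retry" commit so the broken link never appears in history, and confirm the heading exists in policy-csp-applicationmanagement.md before merge.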
From f45f167b9be4f7d7c50098cfcf19ff63fd67e466 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 6 Feb 2023 12:59:17 -0500
Subject: [PATCH 41/45] Draft for CSP DDF files
---
.../mdm/configuration-service-provider-ddf.md | 575 +++++++++++++++++-
1 file changed, 572 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index 4a903492c4..0825b38037 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -1,7 +1,7 @@
---
title: Configuration service provider DDF files
description: Learn more about the OMA DM device description framework (DDF) for various configuration service providers
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
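Review bot: The `ms.reviewer:` line is removed and re-added with no visible difference, which looks like a whitespace-only edit from an editor's trim-on-save. The field is still empty afterwards; either fill in a reviewer alias or leave the line untouched so the metadata hunk does not add noise to a 572-line content change.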
@@ -14,7 +14,565 @@ ms.collection: highpri
# Configuration service provider DDF files
-This topic shows the OMA DM device description framework (DDF) for various configuration service providers. DDF files are used only with OMA DM provisioning XML.
+This article lists the OMA DM device description framework (DDF) files for various configuration service providers. DDF files are used only with OMA DM provisioning XML.
+
+As of December 2022, DDF files schema was updated to include additional information such as OS build applicability. DDF v2 files for Windows 10 and Windows 11 are combined, and provided in a single download:
+
+- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
+
+## DDF v2 schema
+
+DDF v2 schema is listed below:
+
+```xml
+
+
+
+
+
+ Starting point for DDF
+
+
+
+
+
+
+
+
+
+
+
+
+ Main Recurring XML tag describing nodes of the CSP
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+DDF v2 files also include a reference to the `MSFT` namespace. Schema for the `MSFT` namespace is listed below:
+
+```xml
+
+
+
+
+ This node contains an XML blob that can be used as an argument to the DiagnosticsLogCSP to pull diagnostics for a feature.
+
+
+
+
+ This node marks that a feature is deprecated. If included, OsBuildDeprecated gives the OS Build version that the node is no longer recommended to be set.
+
+
+
+
+
+
+
+ This node contains information on how to dynamically name the node such that the name is valid.
+
+
+
+
+
+ This indicates that the server should generate a unique identifier for the node.
+
+
+
+
+ This indicates that the client will generate the name of the node based on the device state (such as inventorying apps).
+
+
+
+
+ This indicates that the server should name the node, and the value listed gives a regex to define what is allowed.
+
+
+
+
+
+
+
+
+ The type of the conflict resolution.
+
+
+
+
+ No policy merge.
+
+
+
+
+ The lowest value is the most secure policy value.
+
+
+
+
+ The highest value is the most secure policy value.
+
+
+
+
+ The last written value is current value
+
+
+
+
+ The lowest value is the most secure policy value unless the value is zero.
+
+
+
+
+ The highest value is the most secure policy value unless the value is zero.
+
+
+
+
+
+
+
+ These tags indicate what are required on the device for the node to be applicable to configured. These tags can be inherited by children nodes.
+
+
+
+
+
+ This tag describes the first build that a feature is released to. If the feature was backported, multiple OS versions will be listed, such that the OS build version without a minor number is the first "major release."
+
+
+
+
+ This tag describes the lowest CSP Version that the node was released to.
+
+
+
+
+ This tag describes the list of Edition IDs that the features is allowed on. 0x88* refers to Windows Holographic for Business.
+
+
+
+
+ This tag indicates that the node requires the device to be Azure Active Directory Joined to be applicable.
+
+
+
+
+
+
+
+ These tags describe what values are allowed to be set for this particular node.
+
+
+
+
+
+
+
+
+
+ This attribute describes what kind of Allowed Values tag this is.
+
+
+
+
+
+ This attribute indicates that the Value tag contains an XSD for the node.
+
+
+
+
+ This attribute indicates that the Value tag contains a RegEx for the node.
+
+
+
+
+ This attribute indicates that the node can be described by an external ADMX file.
+
+
+
+
+ This attribute indicates that the node can be described by a JSON schema.
+
+
+
+
+ This attribute indicates that the allowed values are an enumeration.
+
+
+
+
+ This attribute indicates that the allowed values can be combined into a bitwise flag.
+
+
+
+
+ This attribute indicates that the allowed values are a numerical range.
+
+
+
+
+ This attribute indicates that the allowed values are a string in the SDDL format.
+
+
+
+
+ This attribute indicates there is no data-driven way to define the allowed values of the node. This potentially means that all string values are valid values.
+
+
+
+
+
+
+
+
+
+
+
+ This tag indicates that the node input can contain multiple, delimited values.
+
+
+
+
+ This attribute details the delimeter used for the list of values.
+
+
+
+
+
+
+
+
+
+
+ This tag indicates an allowed value.
+
+
+
+
+ This tag gives further description to an allowed value, such as for an enumeration.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This tag gives details for one particular enumeration of the allowed values.
+
+
+
+
+
+
+
+
+
+ This tag indicates the relevent details for the corresponding ADMX policy for this node.
+
+
+
+
+ This attribute gives the area path of the ADMX policy.
+
+
+
+
+ This attribute gives the name of the ADMX policy.
+
+
+
+
+ This attribute gives the filename for the ADMX policy.
+
+
+
+
+
+
+ This tag details the replace behavior of the node.
+
+
+
+
+
+ When performing a replace operation on this node, the value is appending to the existing node data.
+
+
+
+
+ When performing a replace operation on this node, the existing node data is removed before new data is added.
+
+
+
+
+
+
+
+ This tag describes the reboot behavior of the node.
+
+
+
+
+
+ No reboot is required for this node.
+
+
+
+
+ This node will automatically perform a reboot to take effect.
+
+
+
+
+ This node needs a reboot initiated from an external source to take effect.
+
+
+
+
+
+
+
+ This tag details the information necessary to map this node to an existing group policy.
+
+
+
+
+ This attribute details the English name of the GP.
+
+
+
+
+ This attribute details the area path of the GP.
+
+
+
+
+ This attribute details a particular element of a GP that the CSP node maps to.
+
+
+
+
+
+
+ This tag lists out common error HRESULTS reported by the CSP and English text to associate with them.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This tag indicates that this node and all children nodes should be enclosed by an Atomic tag when being sent to the client.
+
+
+
+
+ These tags detail potential dependencies that the current CSP node has on other nodes in the same CSP.
+
+
+
+
+
+
+
+
+
+ This tag describes a dependency that the current CSP node has on another nodes in the same CSP.
+
+
+
+
+
+ The URI that the current CSP node has a dependency on.
+
+
+
+
+
+
+ This tag details the kind of dependency.
+
+
+
+
+
+ The current node depends on the dependency holding a certain value.
+
+
+
+
+ The current node depends on the dependency not holding a certain value.
+
+
+
+
+
+
+
+
+
+ This tag details one specific dependency. A node might have multiple different dependencies.
+
+
+
+
+
+
+
+
+ This attribute gives a friendly ID to the dependency, to differentiate it from other dependencies.
+
+
+
+
+
+
+ This tag details the values that the dependency must be set to for the dependency to be satisfied.
+
+
+
+
+
+
+
+
+ This tag details a change to the current node's allowed values if the dependency is satisfied.
+
+
+
+
+
+
+
+```
+
+## Older DDF files
You can download the DDF files for various CSPs from the links below:
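Review bot: The annotation text in the added `MSFT` schema block contains several errors that will be published as reference documentation: "delimeter" (delimiter), "relevent" (relevant), "what are required on the device for the node to be applicable to configured", "the features is allowed on", and "another nodes". If these strings are copied verbatim from the XSD shipped in the download, say so above the block and leave them; otherwise correct them here. The new intro sentence "DDF files schema was updated" also needs an article ("the DDF file schema was updated"). Consider stating whether the two inline schemas are authoritative or a snapshot of what is in DDFv2December2022.zip, since anyone validating provisioning XML against them needs to know which copy wins when they drift.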
@@ -26,4 +584,15 @@ You can download the DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-You can download DDF file for Policy CSP from [Policy DDF file](policy-ddf-file.md).
+You can view various Policy area DDF files by clicking the following links:
+
+- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
+- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
+- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
+- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
+- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
+- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
+- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
+- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
+- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
+- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
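Review bot: The entry labelled "version 1803 release C" links to `PolicyDDF_all_1809C_release.xml`, so the label and the file name disagree on the Windows version; check which one is right before this list replaces the old page. The intro says the files can be viewed "by clicking the following links", but every target is a raw XML file on download.microsoft.com, which most browsers will download or render unstyled, so "download" is the more accurate verb. This hunk also drops the link to policy-ddf-file.md while that page still exists at this commit, leaving it orphaned until the next patch deletes it.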
From 22ab373428424a3e15682609b2aa8f970761557c Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 6 Feb 2023 14:11:04 -0500
Subject: [PATCH 42/45] Update
---
.openpublishing.redirection.json | 27 +-
.../mdm/configuration-service-provider-ddf.md | 1058 +++++++++--------
.../client-management/mdm/policy-ddf-file.md | 32 -
3 files changed, 547 insertions(+), 570 deletions(-)
delete mode 100644 windows/client-management/mdm/policy-ddf-file.md
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index e6a9c13cf5..22639222c2 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19463,7 +19463,7 @@
{
"source_path": "windows/security/threat-protection/intelligence/rootkits-malware.md",
"redirect_url": "/microsoft-365/security/intelligence/rootkits-malware",
- "redirect_document_id": false
+ "redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/intelligence/safety-scanner-download.md",
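Review bot: The only change in this hunk is a remove and re-add of `"redirect_document_id": false` with no visible difference, and the next several hunks in this file do the same to `},` and `{` lines. This is whitespace churn unrelated to the DDF change. Revert it or split it into its own formatting commit, because .openpublishing.redirection.json is a shared, frequently edited file and these edits invite merge conflicts while hiding the one substantive addition at the end.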
@@ -20114,7 +20114,7 @@
"source_path": "windows/deployment/update/update-compliance-v2-enable.md",
"redirect_url": "/windows/deployment/update/wufb-reports-enable",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/update/update-compliance-v2-help.md",
"redirect_url": "/windows/deployment/update/wufb-reports-help",
@@ -20124,22 +20124,22 @@
"source_path": "windows/deployment/update/update-compliance-v2-overview.md",
"redirect_url": "/windows/deployment/update/wufb-reports-overview",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/update/update-compliance-v2-prerequisites.md",
"redirect_url": "/windows/deployment/update/wufb-reports-prerequisites",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucclient.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclient",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus",
@@ -20149,17 +20149,17 @@
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucdevicealert",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema-ucupdatealert",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/update/update-compliance-v2-schema.md",
"redirect_url": "/windows/deployment/update/wufb-reports-schema",
@@ -20194,7 +20194,7 @@
"source_path": "windows/deployment/planning/features-lifecycle.md",
"redirect_url": "/windows/whats-new/feature-lifecycle",
"redirect_document_id": false
- },
+ },
{
"source_path": "windows/deployment/planning/windows-10-deprecated-features.md",
"redirect_url": "/windows/whats-new/deprecated-features",
@@ -20205,7 +20205,7 @@
"redirect_url": "/windows/whats-new/removed-features",
"redirect_document_id": false
},
- {
+ {
"source_path": "windows/deployment/usmt/usmt-common-issues.md",
"redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues",
"redirect_document_id": false
@@ -20514,6 +20514,11 @@
"source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md",
"redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies",
"redirect_document_id": true
+ },
+ {
+ "source_path": "windows-docs-pr/windows/client-management/mdm/policy-ddf-file.md",
+ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
+ "redirect_document_id": true
}
]
}
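Review bot: The new redirect's `source_path` is `windows-docs-pr/windows/client-management/mdm/policy-ddf-file.md`, but every other entry visible in this file starts at `windows/...` with no repository-name prefix. With the extra `windows-docs-pr/` segment the path will not match the deleted file, so requests for the old policy-ddf-file page are likely to 404 instead of redirecting. Change it to `windows/client-management/mdm/policy-ddf-file.md`, and confirm `"redirect_document_id": true` is intended, since most neighbouring entries use `false`.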
diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md
index 0825b38037..b55b3ce963 100644
--- a/windows/client-management/mdm/configuration-service-provider-ddf.md
+++ b/windows/client-management/mdm/configuration-service-provider-ddf.md
@@ -16,565 +16,569 @@ ms.collection: highpri
This article lists the OMA DM device description framework (DDF) files for various configuration service providers. DDF files are used only with OMA DM provisioning XML.
-As of December 2022, DDF files schema was updated to include additional information such as OS build applicability. DDF v2 files for Windows 10 and Windows 11 are combined, and provided in a single download:
+As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download:
- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip)
## DDF v2 schema
-DDF v2 schema is listed below:
+DDF v2 XML schema definition is listed below along with the schema definition for the referenced `MSFT` namespace.
-```xml
-
-
-
-
-
- Starting point for DDF
-
-
-
-
-
-
-
-
-
-
-
-
- Main Recurring XML tag describing nodes of the CSP
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-```
+- Schema definition for DDF v2:
-DDF v2 files also include a reference to the `MSFT` namespace. Schema for the `MSFT` namespace is listed below:
-
-```xml
-
-
-
-
- This node contains an XML blob that can be used as an argument to the DiagnosticsLogCSP to pull diagnostics for a feature.
-
-
-
-
- This node marks that a feature is deprecated. If included, OsBuildDeprecated gives the OS Build version that the node is no longer recommended to be set.
-
-
-
-
-
-
-
- This node contains information on how to dynamically name the node such that the name is valid.
-
-
-
-
-
- This indicates that the server should generate a unique identifier for the node.
-
-
-
-
- This indicates that the client will generate the name of the node based on the device state (such as inventorying apps).
-
-
-
-
- This indicates that the server should name the node, and the value listed gives a regex to define what is allowed.
-
-
-
-
-
-
-
-
- The type of the conflict resolution.
-
-
-
-
- No policy merge.
-
-
-
-
- The lowest value is the most secure policy value.
-
-
-
-
- The highest value is the most secure policy value.
-
-
-
-
- The last written value is current value
-
-
-
-
- The lowest value is the most secure policy value unless the value is zero.
-
-
-
-
- The highest value is the most secure policy value unless the value is zero.
-
-
-
-
-
-
-
- These tags indicate what are required on the device for the node to be applicable to configured. These tags can be inherited by children nodes.
-
-
-
-
-
- This tag describes the first build that a feature is released to. If the feature was backported, multiple OS versions will be listed, such that the OS build version without a minor number is the first "major release."
-
-
-
-
- This tag describes the lowest CSP Version that the node was released to.
-
-
-
-
- This tag describes the list of Edition IDs that the features is allowed on. 0x88* refers to Windows Holographic for Business.
-
-
-
-
- This tag indicates that the node requires the device to be Azure Active Directory Joined to be applicable.
-
-
-
-
-
-
-
- These tags describe what values are allowed to be set for this particular node.
-
-
-
-
-
-
-
-
-
- This attribute describes what kind of Allowed Values tag this is.
-
-
-
-
-
- This attribute indicates that the Value tag contains an XSD for the node.
-
-
-
-
- This attribute indicates that the Value tag contains a RegEx for the node.
-
-
-
-
- This attribute indicates that the node can be described by an external ADMX file.
-
-
-
-
- This attribute indicates that the node can be described by a JSON schema.
-
-
-
-
- This attribute indicates that the allowed values are an enumeration.
-
-
-
-
- This attribute indicates that the allowed values can be combined into a bitwise flag.
-
-
-
-
- This attribute indicates that the allowed values are a numerical range.
-
-
-
-
- This attribute indicates that the allowed values are a string in the SDDL format.
-
-
-
-
- This attribute indicates there is no data-driven way to define the allowed values of the node. This potentially means that all string values are valid values.
-
-
-
-
-
-
-
-
-
-
+ ```xml
+
+
+
+
- This tag indicates that the node input can contain multiple, delimited values.
+ Starting point for DDF
-
-
- This attribute details the delimeter used for the list of values.
-
-
+
+
+
+
+
-
-
-
-
-
+
+
- This tag indicates an allowed value.
+ Main Recurring XML tag describing nodes of the CSP
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ ```
+
+- Schema definition for the `MSFT` namespace:
+
+ ```xml
+
+
+
+
+ This node contains an XML blob that can be used as an argument to the DiagnosticsLogCSP to pull diagnostics for a feature.
-
+
- This tag gives further description to an allowed value, such as for an enumeration.
+ This node marks that a feature is deprecated. If included, OsBuildDeprecated gives the OS Build version that the node is no longer recommended to be set.
+
+
+
-
-
-
-
-
-
-
-
-
-
-
- This tag gives details for one particular enumeration of the allowed values.
-
-
-
-
-
-
-
-
-
- This tag indicates the relevent details for the corresponding ADMX policy for this node.
-
-
-
+
- This attribute gives the area path of the ADMX policy.
+ This node contains information on how to dynamically name the node such that the name is valid.
-
-
-
- This attribute gives the name of the ADMX policy.
-
-
-
-
- This attribute gives the filename for the ADMX policy.
-
-
-
-
-
-
- This tag details the replace behavior of the node.
-
-
-
-
-
- When performing a replace operation on this node, the value is appending to the existing node data.
-
-
-
-
- When performing a replace operation on this node, the existing node data is removed before new data is added.
-
-
-
-
-
-
-
- This tag describes the reboot behavior of the node.
-
-
-
-
-
- No reboot is required for this node.
-
-
-
-
- This node will automatically perform a reboot to take effect.
-
-
-
-
- This node needs a reboot initiated from an external source to take effect.
-
-
-
-
-
-
-
- This tag details the information necessary to map this node to an existing group policy.
-
-
-
-
- This attribute details the English name of the GP.
-
-
-
-
- This attribute details the area path of the GP.
-
-
-
-
- This attribute details a particular element of a GP that the CSP node maps to.
-
-
-
-
-
-
- This tag lists out common error HRESULTS reported by the CSP and English text to associate with them.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- This tag indicates that this node and all children nodes should be enclosed by an Atomic tag when being sent to the client.
-
-
-
-
- These tags detail potential dependencies that the current CSP node has on other nodes in the same CSP.
-
-
-
-
-
-
-
-
-
- This tag describes a dependency that the current CSP node has on another nodes in the same CSP.
-
-
-
-
-
- The URI that the current CSP node has a dependency on.
-
-
-
-
-
-
- This tag details the kind of dependency.
-
-
-
-
+
+
+
- The current node depends on the dependency holding a certain value.
+ This indicates that the server should generate a unique identifier for the node.
+
+
+
+
+ This indicates that the client will generate the name of the node based on the device state (such as inventorying apps).
+
+
+
+
+ This indicates that the server should name the node, and the value listed gives a regex to define what is allowed.
+
+
+
+
+
+
+
+
+ The type of the conflict resolution.
+
+
+
+
+ No policy merge.
-
+
- The current node depends on the dependency not holding a certain value.
+ The lowest value is the most secure policy value.
+
+
+
+
+ The highest value is the most secure policy value.
+
+
+
+
+ The last written value is current value
+
+
+
+
+ The lowest value is the most secure policy value unless the value is zero.
+
+
+
+
+ The highest value is the most secure policy value unless the value is zero.
-
-
-
-
-
- This tag details one specific dependency. A node might have multiple different dependencies.
-
-
-
-
-
-
-
+
+
- This attribute gives a friendly ID to the dependency, to differentiate it from other dependencies.
+ These tags indicate what are required on the device for the node to be applicable to configured. These tags can be inherited by children nodes.
-
-
-
-
-
- This tag details the values that the dependency must be set to for the dependency to be satisfied.
-
-
-
-
-
-
-
-
- This tag details a change to the current node's allowed values if the dependency is satisfied.
-
-
-
-
-
-
-
-```
+
+
+
+
+ This tag describes the first build that a feature is released to. If the feature was backported, multiple OS versions will be listed, such that the OS build version without a minor number is the first "major release."
+
+
+
+
+ This tag describes the lowest CSP Version that the node was released to.
+
+
+
+
+ This tag describes the list of Edition IDs that the features is allowed on. 0x88* refers to Windows Holographic for Business.
+
+
+
+
+ This tag indicates that the node requires the device to be Azure Active Directory Joined to be applicable.
+
+
+
+
+
+
+
+ These tags describe what values are allowed to be set for this particular node.
+
+
+
+
+
+
+
+
+
+ This attribute describes what kind of Allowed Values tag this is.
+
+
+
+
+
+ This attribute indicates that the Value tag contains an XSD for the node.
+
+
+
+
+ This attribute indicates that the Value tag contains a RegEx for the node.
+
+
+
+
+ This attribute indicates that the node can be described by an external ADMX file.
+
+
+
+
+ This attribute indicates that the node can be described by a JSON schema.
+
+
+
+
+ This attribute indicates that the allowed values are an enumeration.
+
+
+
+
+ This attribute indicates that the allowed values can be combined into a bitwise flag.
+
+
+
+
+ This attribute indicates that the allowed values are a numerical range.
+
+
+
+
+ This attribute indicates that the allowed values are a string in the SDDL format.
+
+
+
+
+ This attribute indicates there is no data-driven way to define the allowed values of the node. This potentially means that all string values are valid values.
+
+
+
+
+
+
+
+
+
+
+
+ This tag indicates that the node input can contain multiple, delimited values.
+
+
+
+
+ This attribute details the delimeter used for the list of values.
+
+
+
+
+
+
+
+
+
+
+ This tag indicates an allowed value.
+
+
+
+
+ This tag gives further description to an allowed value, such as for an enumeration.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This tag gives details for one particular enumeration of the allowed values.
+
+
+
+
+
+
+
+
+
+ This tag indicates the relevent details for the corresponding ADMX policy for this node.
+
+
+
+
+ This attribute gives the area path of the ADMX policy.
+
+
+
+
+ This attribute gives the name of the ADMX policy.
+
+
+
+
+ This attribute gives the filename for the ADMX policy.
+
+
+
+
+
+
+ This tag details the replace behavior of the node.
+
+
+
+
+
+ When performing a replace operation on this node, the value is appending to the existing node data.
+
+
+
+
+ When performing a replace operation on this node, the existing node data is removed before new data is added.
+
+
+
+
+
+
+
+ This tag describes the reboot behavior of the node.
+
+
+
+
+
+ No reboot is required for this node.
+
+
+
+
+ This node will automatically perform a reboot to take effect.
+
+
+
+
+ This node needs a reboot initiated from an external source to take effect.
+
+
+
+
+
+
+
+ This tag details the information necessary to map this node to an existing group policy.
+
+
+
+
+ This attribute details the English name of the GP.
+
+
+
+
+ This attribute details the area path of the GP.
+
+
+
+
+ This attribute details a particular element of a GP that the CSP node maps to.
+
+
+
+
+
+
+ This tag lists out common error HRESULTS reported by the CSP and English text to associate with them.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ This tag indicates that this node and all children nodes should be enclosed by an Atomic tag when being sent to the client.
+
+
+
+
+ These tags detail potential dependencies that the current CSP node has on other nodes in the same CSP.
+
+
+
+
+
+
+
+
+
+ This tag describes a dependency that the current CSP node has on another nodes in the same CSP.
+
+
+
+
+
+ The URI that the current CSP node has a dependency on.
+
+
+
+
+
+
+ This tag details the kind of dependency.
+
+
+
+
+
+ The current node depends on the dependency holding a certain value.
+
+
+
+
+ The current node depends on the dependency not holding a certain value.
+
+
+
+
+
+
+
+
+
+ This tag details one specific dependency. A node might have multiple different dependencies.
+
+
+
+
+
+
+
+
+ This attribute gives a friendly ID to the dependency, to differentiate it from other dependencies.
+
+
+
+
+
+
+ This tag details the values that the dependency must be set to for the dependency to be satisfied.
+
+
+
+
+
+
+
+
+ This tag details a change to the current node's allowed values if the dependency is satisfied.
+
+
+
+
+
+
+
+ ```
## Older DDF files
-You can download the DDF files for various CSPs from the links below:
+You can download the older DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip)
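Review bot: several of the added schema annotation strings in this hunk carry spelling or grammar slips that will be published verbatim inside the code block. Suggested fixes: "delimeter" should be "delimiter" ("This attribute details the delimeter used for the list of values."), "relevent" should be "relevant" ("the relevent details for the corresponding ADMX policy"), "the value is appending to the existing node data" should read "is appended to", "on another nodes in the same CSP" should be "on another node" or "on other nodes", and "HRESULTS" reads better as "HRESULTs". If this text is copied from a shipped XSD, fix it at the source as well so the two do not drift.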
@@ -584,7 +588,7 @@ You can download the DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-You can view various Policy area DDF files by clicking the following links:
+You can download the older Policy area DDF files by clicking the following links:
- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
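Review bot: the reworded intro line now says "You can download the older Policy area DDF files", but the unchanged list items under it still read "View the Policy DDF file for Windows 10, version ...". Pick one verb for both the sentence and the link labels. Since the targets are .xml files on download.microsoft.com, either "View" in the intro or "Download" in each label works, as long as they agree.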
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
deleted file mode 100644
index 07c6ded973..0000000000
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ /dev/null
@@ -1,32 +0,0 @@
----
-title: Policy DDF file
-description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider.
-ms.reviewer:
-manager: aaroncz
-ms.author: vinpa
-ms.topic: article
-ms.prod: windows-client
-ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.localizationpriority: medium
-ms.date: 10/28/2020
----
-
-# Policy DDF file
-
-This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML.
-
-You can view various Policy DDF files by clicking the following links:
-
-- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml)
-- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml)
-- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml)
-- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml)
-- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
-- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml)
-- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
-- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
-- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
-- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
-
-You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-ddf.md).
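Review bot: this deletion removes ten Policy DDF links (20H2 through 1607 release 8C), and the only Policy entries visible in the replacement list in configuration-service-provider-ddf.md are 20H2 and 2004. Please confirm that the remaining eight (1903, 1809, 1803, 1803 release C, 1709, 1703, 1607, 1607 release 8C) are present in the consolidated page before this file goes away. While carrying them over, check the entry labelled "version 1803 release C", whose target is PolicyDDF_all_1809C_release.xml: either the label or the file name is off. Also note that the references to policy-ddf-file.md in toc.yml, index.yml and the policy CSP articles stay broken until the later patches in this series land, so these should merge together.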
From 7c4072364c07f884a57c5acf3dc4c6d74adc71d2 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 6 Feb 2023 14:12:19 -0500
Subject: [PATCH 43/45] Update TOC
---
windows/client-management/mdm/toc.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 919e4cac79..d35962adb6 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -34,7 +34,7 @@ items:
href: policy-configuration-service-provider.md
items:
- name: Policy CSP DDF file
- href: policy-ddf-file.md
+ href: configuration-service-provider-ddf.md
- name: Policy CSP support scenarios
items:
- name: ADMX policies in Policy CSP
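Review bot: the TOC entry keeps the name "Policy CSP DDF file" but its href now points at configuration-service-provider-ddf.md, the general DDF page for all CSPs. If that page already has its own TOC entry, this creates a second node with the same href under a different name. Consider removing the entry here, or renaming it so the label matches where the reader lands.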
From 8607282adad6d98f8843d5dcc5180b0cb9955e14 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 6 Feb 2023 14:20:41 -0500
Subject: [PATCH 44/45] Fix broken links
---
.../change-history-for-mdm-documentation.md | 8 ++++----
windows/client-management/mdm/index.yml | 2 +-
.../mdm/policy-csp-controlpolicyconflict.md | 2 +-
.../mdm/policy-csp-localpoliciessecurityoptions.md | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md
index b77a1761a8..5b7f08ac50 100644
--- a/windows/client-management/change-history-for-mdm-documentation.md
+++ b/windows/client-management/change-history-for-mdm-documentation.md
@@ -185,7 +185,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.|
|[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.|
|[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.|
-|[Policy DDF file](mdm/policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
+|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:Browser/AllowFullScreenModeBrowser/AllowPrelaunchBrowser/AllowPrintingBrowser/AllowSavingHistoryBrowser/AllowSideloadingOfExtensionsBrowser/AllowTabPreloadingBrowser/AllowWebContentOnNewTabPageBrowser/ConfigureFavoritesBarBrowser/ConfigureHomeButtonBrowser/ConfigureKioskModeBrowser/ConfigureKioskResetAfterIdleTimeoutBrowser/ConfigureOpenMicrosoftEdgeWithBrowser/ConfigureTelemetryForMicrosoft365AnalyticsBrowser/PreventCertErrorOverridesBrowser/SetHomeButtonURLBrowser/SetNewTabPageURLBrowser/UnlockHomeButtonExperience/DoNotSyncBrowserSettingsExperience/PreventUsersFromTurningOnBrowserSyncingKerberos/UPNNameHintsPrivacy/AllowCrossDeviceClipboardPrivacyDisablePrivacyExperiencePrivacy/UploadUserActivitiesSystem/AllowDeviceNameInDiagnosticDataSystem/ConfigureMicrosoft365UploadEndpointSystem/DisableDeviceDeleteSystem/DisableDiagnosticDataViewerStorage/RemovableDiskDenyWriteAccessUpdate/UpdateNotificationLevel
Start/DisableContextMenus - added in Windows 10, version 1803.
RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.|
## July 2018
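Review bot: in this row, and in the three other rows changed in this file, the link label stays "[Policy DDF file]" while the target becomes the general mdm/configuration-service-provider-ddf.md page. The row describes "an updated version of the Policy DDF for Windows 10, version 1809", so a reader following the link lands on a page about all CSP DDF files and has to hunt for the Policy entry. Consider adjusting the label to match the new target, or linking the row directly to the relevant Policy DDF download as the 1703/1709 row already does.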
@@ -217,7 +217,7 @@ As of November 2020 This page will no longer be updated. This article lists new
|New or updated article|Description|
|--- |--- |
-|[Policy DDF file](mdm/policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
+|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)|
## April 2018
@@ -281,7 +281,7 @@ As of November 2020 This page will no longer be updated. This article lists new
| New or updated article | Description |
| --- | --- |
-| [Policy DDF file](mdm/policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
+| [Policy DDF file](mdm/configuration-service-provider-ddf.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. |
| [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:
- Defender/ControlledFolderAccessAllowedApplications - string separator is `|`
- Defender/ControlledFolderAccessProtectedFolders - string separator is `|` |
| [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. |
| [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. |
@@ -313,5 +313,5 @@ As of November 2020 This page will no longer be updated. This article lists new
|[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:Installation/CurrentStatus|
|[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.|
|[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.Changed some data types from integer to bool.Updated the list of supported operations for some settings.Added default values.|
-|[Policy DDF file](mdm/policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:Browser/AllowMicrosoftCompatibilityListUpdate/DisableDualScanUpdate/FillEmptyContentUrls|
+|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:Browser/AllowMicrosoftCompatibilityListUpdate/DisableDualScanUpdate/FillEmptyContentUrls|
|[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:Browser/ProvisionFavoritesBrowser/LockdownFavoritesExploitGuard/ExploitProtectionSettingsGames/AllowAdvancedGamingServicesLocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccountsLocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnlyLocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccountLocalPoliciesSecurityOptions/Accounts_RenameGuestAccountLocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLockedLocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedInLocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignInLocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDELLocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimitLocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOnLocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOnLocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequestsLocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOnLocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevationLocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministratorsLocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsersLocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidatedLocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocationsLocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalModeLocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevationLocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocationsPrivacy/Enable
ActivityFeedPrivacy/PublishUserActivitiesUpdate/DisableDualScanUpdate/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.
Changed the names of the following policies:Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplicationsDefender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFoldersDefender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess
Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).
There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:Privacy/AllowAutoAcceptPairingAndPrivacyConsentPromptsStart/HideAppList|
diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml
index d8bd8ed982..db2be7efaf 100644
--- a/windows/client-management/mdm/index.yml
+++ b/windows/client-management/mdm/index.yml
@@ -47,7 +47,7 @@ landingContent:
- text: Policy CSP
url: policy-configuration-service-provider.md
- text: Policy DDF file
- url: policy-ddf-file.md
+ url: configuration-service-provider-ddf.md
- text: Policy CSP - Start
url: policy-csp-start.md
- text: Policy CSP - Update
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index f955123b29..b6865f7b07 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -58,7 +58,7 @@ This ensures that:
- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
-The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP:
+The [Policy DDF](configuration-service-provider-ddf.md) contains the following tags to identify the policies with equivalent GP:
- \
- \
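Review bot: the changed sentence says the Policy DDF "contains the following tags", but the link now goes to configuration-service-provider-ddf.md, which, as far as this series shows, offers the Policy DDF as download links rather than inline content. Consider rewording so it tells the reader to download the Policy DDF from that page and look for the tags there. The two list items in the context below the sentence also appear as a bare "- \" here, so please check that the tag names still render in the published article.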
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 459b035faf..075a1bd389 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -19,7 +19,7 @@ ms.topic: reference
> [!NOTE]
-> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md).
+> To find data formats (and other policy-related details), see [Policy DDF file](./configuration-service-provider-ddf.md).
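Review bot: style point on the added note line: this link uses the "./configuration-service-provider-ddf.md" form, while the equivalent fix in policy-csp-controlpolicyconflict.md in the same patch uses the bare "configuration-service-provider-ddf.md". Both resolve, but it would be cleaner to use one form across the series. The label "Policy DDF file" has the same mismatch with the new target as in the other files.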
From fd9d7ac6ef6ee08dd128111579a334c9f1528a15 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Mon, 6 Feb 2023 14:21:48 -0500
Subject: [PATCH 45/45] Fix redirect
---
.openpublishing.redirection.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index 22639222c2..645db60d9e 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -20516,7 +20516,7 @@
"redirect_document_id": true
},
{
- "source_path": "windows-docs-pr/windows/client-management/mdm/policy-ddf-file.md",
+ "source_path": "windows/client-management/mdm/policy-ddf-file.md",
"redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf",
"redirect_document_id": true
}
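Review bot: the corrected source_path drops the "windows-docs-pr/" prefix, which suggests the original entry never matched the deleted file. Please check that no other entries added in this series carry the same prefix. Also revisit the unchanged "redirect_document_id": true line in this entry: the target, configuration-service-provider-ddf, is an existing article rather than a renamed copy of policy-ddf-file.md, so confirm that transferring the document ID to it is intended. If it is not, set the value to false.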