diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index e6a9c13cf5..645db60d9e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19463,7 +19463,7 @@ { "source_path": "windows/security/threat-protection/intelligence/rootkits-malware.md", "redirect_url": "/microsoft-365/security/intelligence/rootkits-malware", - "redirect_document_id": false + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/intelligence/safety-scanner-download.md", @@ -20114,7 +20114,7 @@ "source_path": "windows/deployment/update/update-compliance-v2-enable.md", "redirect_url": "/windows/deployment/update/wufb-reports-enable", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-help.md", "redirect_url": "/windows/deployment/update/wufb-reports-help", @@ -20124,22 +20124,22 @@ "source_path": "windows/deployment/update/update-compliance-v2-overview.md", "redirect_url": "/windows/deployment/update/wufb-reports-overview", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-prerequisites.md", "redirect_url": "/windows/deployment/update/wufb-reports-prerequisites", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclient.md", "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclient", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientreadinessstatus.md", "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientreadinessstatus", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-schema-ucclientupdatestatus.md", "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucclientupdatestatus", @@ -20149,17 +20149,17 @@ "source_path": "windows/deployment/update/update-compliance-v2-schema-ucdevicealert.md", "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucdevicealert", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-schema-ucserviceupdatestatus.md", "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucserviceupdatestatus", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-schema-ucupdatealert.md", "redirect_url": "/windows/deployment/update/wufb-reports-schema-ucupdatealert", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/update/update-compliance-v2-schema.md", "redirect_url": "/windows/deployment/update/wufb-reports-schema", @@ -20194,7 +20194,7 @@ "source_path": "windows/deployment/planning/features-lifecycle.md", "redirect_url": "/windows/whats-new/feature-lifecycle", "redirect_document_id": false - }, + }, { "source_path": "windows/deployment/planning/windows-10-deprecated-features.md", "redirect_url": "/windows/whats-new/deprecated-features", @@ -20205,7 +20205,7 @@ "redirect_url": "/windows/whats-new/removed-features", "redirect_document_id": false }, - { + { "source_path": "windows/deployment/usmt/usmt-common-issues.md", "redirect_url": "/troubleshoot/windows-client/deployment/usmt-common-issues", "redirect_document_id": false @@ -20514,6 +20514,11 @@ "source_path": "windows/deployment/windows-autopatch/references/windows-autopatch-wqu-unsupported-policies.md", "redirect_url": "/windows/deployment/windows-autopatch/references/windows-autopatch-windows-update-unsupported-policies", "redirect_document_id": true + }, + { + "source_path": "windows/client-management/mdm/policy-ddf-file.md", + "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf", + "redirect_document_id": true } ] } diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json index d36533a87e..361003c659 100644 --- a/browsers/edge/docfx.json +++ b/browsers/edge/docfx.json @@ -28,6 +28,9 @@ ], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier3" + ], "breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json", "ROBOTS": "INDEX, FOLLOW", "ms.technology": "microsoft-edge", diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json index f52e815de7..626d8e7d35 100644 --- a/browsers/internet-explorer/docfx.json +++ b/browsers/internet-explorer/docfx.json @@ -24,6 +24,9 @@ ], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier3" + ], "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json", "ROBOTS": "INDEX, FOLLOW", "ms.topic": "article", diff --git a/education/docfx.json b/education/docfx.json index fa2265b104..993809eee6 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -29,7 +29,10 @@ "globalMetadata": { "recommendations": true, "ms.topic": "article", - "ms.collection": "education", + "ms.collection": [ + "education", + "tier2" + ], "ms.prod": "windows-client", "ms.technology": "itpro-edu", "author": "paolomatarazzo", diff --git a/education/index.yml b/education/index.yml index ef45124188..29efffa3ae 100644 --- a/education/index.yml +++ b/education/index.yml @@ -45,7 +45,7 @@ productDirectory: text: Azure information protection deployment acceleration guide - url: /defender-cloud-apps/get-started text: Microsoft Defender for Cloud Apps - - url: /microsoft-365/compliance/create-test-tune-dlp-policy + - url: /microsoft-365/compliance/information-protection#prevent-data-loss text: Data loss prevention - url: /microsoft-365/compliance/ text: Microsoft Purview compliance diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 0901d32b40..c6fc526cd0 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -7,6 +7,7 @@ appliesto: - ✅ Windows 10 ms.collection: - highpri + - tier2 - education --- diff --git a/education/windows/change-home-to-edu.md b/education/windows/change-home-to-edu.md index 1826ecd768..fea632b61a 100644 --- a/education/windows/change-home-to-edu.md +++ b/education/windows/change-home-to-edu.md @@ -7,6 +7,9 @@ author: scottbreenmsft ms.author: scbree ms.reviewer: paoloma manager: jeffbu +ms.collection: + - tier3 + - education appliesto: - ✅ Windows 10 and later --- diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md index f377a4582c..a134019d38 100644 --- a/education/windows/change-to-pro-education.md +++ b/education/windows/change-to-pro-education.md @@ -7,6 +7,7 @@ appliesto: - ✅ Windows 10 ms.collection: - highpri + - tier2 - education --- @@ -147,7 +148,7 @@ Existing Azure AD domain joined devices will be changed to Windows 10 Pro Educat ### For new devices that are not Azure AD joined Now that you've turned on the setting to automatically change to Windows 10 Pro Education, the users are ready to change their devices running Windows 10 Pro, version 1607 or higher, version 1703 to Windows 10 Pro Education edition. -#### Step 1: Join users’ devices to Azure AD +#### Step 1: Join users' devices to Azure AD Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, version 1703. diff --git a/education/windows/configure-aad-google-trust.md b/education/windows/configure-aad-google-trust.md index 5198c4f4d6..60ad9dce9e 100644 --- a/education/windows/configure-aad-google-trust.md +++ b/education/windows/configure-aad-google-trust.md @@ -1,7 +1,7 @@ --- title: Configure federation between Google Workspace and Azure AD description: Configuration of a federated trust between Google Workspace and Azure AD, with Google Workspace acting as an identity provider (IdP) for Azure AD. -ms.date: 01/17/2023 +ms.date: 02/10/2023 ms.topic: how-to --- @@ -42,7 +42,7 @@ To test federation, the following prerequisites must be met: 1. On the *Service provider details* page - Select the option **Signed response** - Verify that the Name ID format is set to **PERSISTENT** - - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping. For more information, see (article to write).\ + - Depending on how the Azure AD users have been provisioned in Azure AD, you may need to adjust the **Name ID** mapping.\ If using Google auto-provisioning, select **Basic Information > Primary email** - Select **Continue** 1. On the *Attribute mapping* page, map the Google attributes to the Azure AD attributes diff --git a/education/windows/edu-stickers.md b/education/windows/edu-stickers.md index 023393a04f..56094c8023 100644 --- a/education/windows/edu-stickers.md +++ b/education/windows/edu-stickers.md @@ -8,6 +8,7 @@ appliesto: ms.collection: - highpri - education + - tier2 --- # Configure Stickers for Windows 11 SE diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md index 09ceb1908c..0ea3ad5e3d 100644 --- a/education/windows/federated-sign-in.md +++ b/education/windows/federated-sign-in.md @@ -5,6 +5,10 @@ ms.date: 01/12/2023 ms.topic: how-to appliesto: - ✅ Windows 11 SE +ms.collection: + - highpri + - tier1 + - education --- diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md index 903d8182e3..53ac374a11 100644 --- a/education/windows/get-minecraft-for-education.md +++ b/education/windows/get-minecraft-for-education.md @@ -8,6 +8,7 @@ appliesto: ms.collection: - highpri - education + - tier2 --- # Get Minecraft: Education Edition diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md index fca31b0f6b..150285950b 100644 --- a/education/windows/school-get-minecraft.md +++ b/education/windows/school-get-minecraft.md @@ -8,6 +8,7 @@ appliesto: ms.collection: - highpri - education + - tier2 --- # For IT administrators - get Minecraft: Education Edition @@ -34,7 +35,7 @@ If you turn off this setting after students have been using Minecraft: Education Users in a Microsoft verified academic institution account will have access to the free trial limited logins for Minecraft: Education Edition. This grants faculty accounts 25 free logins and student accounts 10 free logins. To purchase direct licenses, see [Minecraft: Education Edition - direct purchase](#individual-copies). -If you’ve been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license). +If you've been approved and are part of the Enrollment for Education Solutions volume license program, you can purchase a volume license for Minecraft: Education Edition. For more information, see [Minecraft: Education Edition - volume license](#volume-license). ### Minecraft: Education Edition - direct purchase @@ -48,7 +49,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions 5. Select the quantity of licenses you would like to purchase and select **Place Order**. -6. After you’ve purchased licenses, you’ll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users). +6. After you've purchased licenses, you'll need to [assign them to users in the Admin Center](/microsoft-365/admin/manage/assign-licenses-to-users). If you need additional licenses for **Minecraft: Education Edition**, see [Buy or remove subscription licenses](/microsoft-365/commerce/licenses/buy-licenses). @@ -57,7 +58,7 @@ If you need additional licenses for **Minecraft: Education Edition**, see [Buy o Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this: - Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory. -- You’ll receive an email with a link to Microsoft Store for Education. +- You'll receive an email with a link to Microsoft Store for Education. - Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft) ## Minecraft: Education Edition payment options diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index df19ac8729..f11f1f684a 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -8,6 +8,7 @@ appliesto: ms.collection: - highpri - education + - tier2 --- # For teachers - get Minecraft: Education Edition diff --git a/education/windows/test-windows10s-for-edu.md b/education/windows/test-windows10s-for-edu.md index 06e17f21da..eaeda25979 100644 --- a/education/windows/test-windows10s-for-edu.md +++ b/education/windows/test-windows10s-for-edu.md @@ -8,6 +8,7 @@ appliesto: ms.collection: - highpri - education + - tier2 --- # Test Windows 10 in S mode on existing Windows 10 education devices diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 8a63a27c99..9b877306f7 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -8,6 +8,7 @@ appliesto: ms.collection: - highpri - education + - tier1 --- # Windows 11 SE Overview @@ -93,6 +94,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Class Policy` | 114.0.0 | Win32 | `Class Policy` | | `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` | | `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` | +| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` | | `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` | | `DRC INSIGHT Online Assessments` | 12.0.0.0 | `Store` | `Data recognition Corporation` | | `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` | @@ -104,7 +106,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` | | `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` | | `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` | -| `Google Chrome` | 102.0.5005.115 | Win32 | `Google` | +| `Google Chrome` | 109.0.5414.75 | Win32 | `Google` | | `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` | | `Immunet` | 7.5.8.21178 | Win32 | `Immunet` | | `Impero Backdrop Client` | 4.4.86 | Win32 | `Impero Software` | @@ -137,10 +139,10 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` | | `Safe Exam Browser` | 3.4.1.505 | Win32 | `Safe Exam Browser` | | `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` | -| `Smoothwall Monitor` | 2.8.0 | Win32 | `Smoothwall Ltd` | +| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` | | `SuperNova Magnifier & Screen Reader` | 21.02 | Win32 | `Dolphin Computer Access` | | `SuperNova Magnifier & Speech` | 21.02 | Win32 | `Dolphin Computer Access` | -|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` +|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` | | `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` | | `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` | | `WordQ` | 5.4.23 | Win32 | `Mathetmots` | diff --git a/education/windows/windows-11-se-settings-list.md b/education/windows/windows-11-se-settings-list.md index 774fca45dd..36e841ae91 100644 --- a/education/windows/windows-11-se-settings-list.md +++ b/education/windows/windows-11-se-settings-list.md @@ -5,6 +5,9 @@ ms.topic: article ms.date: 09/12/2022 appliesto: - ✅ Windows 11 SE +ms.collection: + - education + - tier1 --- # Windows 11 SE for Education settings list diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json index 9388758a6c..4be7b72365 100644 --- a/store-for-business/docfx.json +++ b/store-for-business/docfx.json @@ -32,6 +32,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json", "ms.author": "trudyha", "audience": "ITPro", diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json index 4cd7b0588c..1c1b014b8d 100644 --- a/windows/application-management/docfx.json +++ b/windows/application-management/docfx.json @@ -35,6 +35,9 @@ "globalMetadata": { "recommendations": true, "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", + "ms.collection": [ + "tier2" + ], "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "itpro-apps", "ms.topic": "article", diff --git a/windows/client-management/change-history-for-mdm-documentation.md b/windows/client-management/change-history-for-mdm-documentation.md index b77a1761a8..5b7f08ac50 100644 --- a/windows/client-management/change-history-for-mdm-documentation.md +++ b/windows/client-management/change-history-for-mdm-documentation.md @@ -185,7 +185,7 @@ As of November 2020 This page will no longer be updated. This article lists new |[RemoteWipe CSP](mdm/remotewipe-csp.md)|Added new settings in Windows 10, version 1809.| |[TenantLockdown CSP](mdm/tenantlockdown-csp.md)|Added new CSP in Windows 10, version 1809.| |[WindowsDefenderApplicationGuard CSP](mdm/windowsdefenderapplicationguard-csp.md)|Added new settings in Windows 10, version 1809.| -|[Policy DDF file](mdm/policy-ddf-file.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.| +|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Posted an updated version of the Policy DDF for Windows 10, version 1809.| |[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies in Windows 10, version 1809:
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy
  • DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • Update/UpdateNotificationLevel

    Start/DisableContextMenus - added in Windows 10, version 1803.

    RestrictedGroups/ConfigureGroupMembership - added new schema to apply and retrieve the policy.| ## July 2018 @@ -217,7 +217,7 @@ As of November 2020 This page will no longer be updated. This article lists new |New or updated article|Description| |--- |--- | -|[Policy DDF file](mdm/policy-ddf-file.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.
  • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
  • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)| +|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Updated the DDF files in the Windows 10 version 1703 and 1709.
  • [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
  • [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)| ## April 2018 @@ -281,7 +281,7 @@ As of November 2020 This page will no longer be updated. This article lists new | New or updated article | Description | | --- | --- | -| [Policy DDF file](mdm/policy-ddf-file.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. | +| [Policy DDF file](mdm/configuration-service-provider-ddf.md) | Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709. | | [Policy CSP](mdm/policy-configuration-service-provider.md) | Updated the following policies:

    - Defender/ControlledFolderAccessAllowedApplications - string separator is `|`
    - Defender/ControlledFolderAccessProtectedFolders - string separator is `|` | | [eUICCs CSP](mdm/euiccs-csp.md) | Added new CSP in Windows 10, version 1709. | | [AssignedAccess CSP](mdm/assignedaccess-csp.md) | Added SyncML examples for the new Configuration node. | @@ -313,5 +313,5 @@ As of November 2020 This page will no longer be updated. This article lists new |[Office CSP](mdm/office-csp.md)|Added the following setting in Windows 10, version 1709:
  • Installation/CurrentStatus| |[BitLocker CSP](mdm/bitlocker-csp.md)|Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to four digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.| |[Firewall CSP](mdm/firewall-csp.md)|Updated the CSP and DDF topics. Here are the changes:
  • Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
  • Changed some data types from integer to bool.
  • Updated the list of supported operations for some settings.
  • Added default values.| -|[Policy DDF file](mdm/policy-ddf-file.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
  • Browser/AllowMicrosoftCompatibilityList
  • Update/DisableDualScan
  • Update/FillEmptyContentUrls| +|[Policy DDF file](mdm/configuration-service-provider-ddf.md)|Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
  • Browser/AllowMicrosoftCompatibilityList
  • Update/DisableDualScan
  • Update/FillEmptyContentUrls| |[Policy CSP](mdm/policy-configuration-service-provider.md)|Added the following new policies for Windows 10, version 1709:
  • Browser/ProvisionFavorites
  • Browser/LockdownFavorites
  • ExploitGuard/ExploitProtectionSettings
  • Games/AllowAdvancedGamingServices
  • LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
  • LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
  • LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount
  • LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount
  • LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn
  • LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL
  • LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn
  • LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests
  • LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn
  • LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
  • LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated
  • LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
  • LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
  • LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation
  • LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations
  • Privacy/EnableActivityFeed
  • Privacy/PublishUserActivities
  • Update/DisableDualScan
  • Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork

    Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutopilotResetCredentials.

    Changed the names of the following policies:
  • Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications
  • Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders
  • Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess

    Added links to the extra [ADMX-backed BitLocker policies](mdm/policy-csp-bitlocker.md).

    There were issues reported with the previous release of the following policies. These issues were fixed in Windows 10, version 1709:
  • Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts
  • Start/HideAppList| diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index 8c038b6c43..ae506a8cb0 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "itpro-manage", diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index 4a903492c4..b55b3ce963 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md @@ -1,7 +1,7 @@ --- title: Configuration service provider DDF files description: Learn more about the OMA DM device description framework (DDF) for various configuration service providers -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -14,9 +14,571 @@ ms.collection: highpri # Configuration service provider DDF files -This topic shows the OMA DM device description framework (DDF) for various configuration service providers. DDF files are used only with OMA DM provisioning XML. +This article lists the OMA DM device description framework (DDF) files for various configuration service providers. DDF files are used only with OMA DM provisioning XML. -You can download the DDF files for various CSPs from the links below: +As of December 2022, DDF XML schema was updated to include additional information such as OS build applicability. DDF v2 XML files for Windows 10 and Windows 11 are combined, and provided in a single download: + +- [DDF v2 Files, December 2022](https://download.microsoft.com/download/7/4/c/74c6daca-983e-4f16-964a-eef65b553a37/DDFv2December2022.zip) + +## DDF v2 schema + +DDF v2 XML schema definition is listed below along with the schema definition for the referenced `MSFT` namespace. + +- Schema definition for DDF v2: + + ```xml + + + + + + Starting point for DDF + + + + + + + + + + + + + Main Recurring XML tag describing nodes of the CSP + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ``` + +- Schema definition for the `MSFT` namespace: + + ```xml + + + + + This node contains an XML blob that can be used as an argument to the DiagnosticsLogCSP to pull diagnostics for a feature. + + + + + This node marks that a feature is deprecated. If included, OsBuildDeprecated gives the OS Build version that the node is no longer recommended to be set. + + + + + + + + This node contains information on how to dynamically name the node such that the name is valid. + + + + + + This indicates that the server should generate a unique identifier for the node. + + + + + This indicates that the client will generate the name of the node based on the device state (such as inventorying apps). + + + + + This indicates that the server should name the node, and the value listed gives a regex to define what is allowed. + + + + + + + + + The type of the conflict resolution. + + + + + No policy merge. + + + + + The lowest value is the most secure policy value. + + + + + The highest value is the most secure policy value. + + + + + The last written value is current value + + + + + The lowest value is the most secure policy value unless the value is zero. + + + + + The highest value is the most secure policy value unless the value is zero. + + + + + + + + These tags indicate what are required on the device for the node to be applicable to configured. These tags can be inherited by children nodes. + + + + + + This tag describes the first build that a feature is released to. If the feature was backported, multiple OS versions will be listed, such that the OS build version without a minor number is the first "major release." + + + + + This tag describes the lowest CSP Version that the node was released to. + + + + + This tag describes the list of Edition IDs that the features is allowed on. 0x88* refers to Windows Holographic for Business. + + + + + This tag indicates that the node requires the device to be Azure Active Directory Joined to be applicable. + + + + + + + + These tags describe what values are allowed to be set for this particular node. + + + + + + + + + + This attribute describes what kind of Allowed Values tag this is. + + + + + + This attribute indicates that the Value tag contains an XSD for the node. + + + + + This attribute indicates that the Value tag contains a RegEx for the node. + + + + + This attribute indicates that the node can be described by an external ADMX file. + + + + + This attribute indicates that the node can be described by a JSON schema. + + + + + This attribute indicates that the allowed values are an enumeration. + + + + + This attribute indicates that the allowed values can be combined into a bitwise flag. + + + + + This attribute indicates that the allowed values are a numerical range. + + + + + This attribute indicates that the allowed values are a string in the SDDL format. + + + + + This attribute indicates there is no data-driven way to define the allowed values of the node. This potentially means that all string values are valid values. + + + + + + + + + + + + This tag indicates that the node input can contain multiple, delimited values. + + + + + This attribute details the delimeter used for the list of values. + + + + + + + + + + + This tag indicates an allowed value. + + + + + This tag gives further description to an allowed value, such as for an enumeration. + + + + + + + + + + + + + + This tag gives details for one particular enumeration of the allowed values. + + + + + + + + + + This tag indicates the relevent details for the corresponding ADMX policy for this node. + + + + + This attribute gives the area path of the ADMX policy. + + + + + This attribute gives the name of the ADMX policy. + + + + + This attribute gives the filename for the ADMX policy. + + + + + + + This tag details the replace behavior of the node. + + + + + + When performing a replace operation on this node, the value is appending to the existing node data. + + + + + When performing a replace operation on this node, the existing node data is removed before new data is added. + + + + + + + + This tag describes the reboot behavior of the node. + + + + + + No reboot is required for this node. + + + + + This node will automatically perform a reboot to take effect. + + + + + This node needs a reboot initiated from an external source to take effect. + + + + + + + + This tag details the information necessary to map this node to an existing group policy. + + + + + This attribute details the English name of the GP. + + + + + This attribute details the area path of the GP. + + + + + This attribute details a particular element of a GP that the CSP node maps to. + + + + + + + This tag lists out common error HRESULTS reported by the CSP and English text to associate with them. + + + + + + + + + + + + + + + + + + + This tag indicates that this node and all children nodes should be enclosed by an Atomic tag when being sent to the client. + + + + + These tags detail potential dependencies that the current CSP node has on other nodes in the same CSP. + + + + + + + + + + This tag describes a dependency that the current CSP node has on another nodes in the same CSP. + + + + + + The URI that the current CSP node has a dependency on. + + + + + + + This tag details the kind of dependency. + + + + + + The current node depends on the dependency holding a certain value. + + + + + The current node depends on the dependency not holding a certain value. + + + + + + + + + + This tag details one specific dependency. A node might have multiple different dependencies. + + + + + + + + + This attribute gives a friendly ID to the dependency, to differentiate it from other dependencies. + + + + + + + This tag details the values that the dependency must be set to for the dependency to be satisfied. + + + + + + + + + This tag details a change to the current node's allowed values if the dependency is satisfied. + + + + + + + + ``` + +## Older DDF files + +You can download the older DDF files for various CSPs from the links below: - [Download all the DDF files for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/Windows10_2004_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1903](https://download.microsoft.com/download/6/F/0/6F019079-6EB0-41B5-88E8-D1CE77DBA27B/Windows10_1903_DDF_download.zip) @@ -26,4 +588,15 @@ You can download the DDF files for various CSPs from the links below: - [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) - [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) -You can download DDF file for Policy CSP from [Policy DDF file](policy-ddf-file.md). +You can download the older Policy area DDF files by clicking the following links: + +- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml) +- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) +- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) +- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) +- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) +- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) +- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) +- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) +- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) +- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index d8bd8ed982..db2be7efaf 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -47,7 +47,7 @@ landingContent: - text: Policy CSP url: policy-configuration-service-provider.md - text: Policy DDF file - url: policy-ddf-file.md + url: configuration-service-provider-ddf.md - text: Policy CSP - Start url: policy-csp-start.md - text: Policy CSP - Update diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index e6748d67f8..2b636d3e4f 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/30/2023 +ms.date: 02/03/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -814,6 +814,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [SetPolicyDrivenUpdateSourceForOtherUpdates](policy-csp-update.md) - [SetEDURestart](policy-csp-update.md) - [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](policy-csp-update.md) +- [AllowTemporaryEnterpriseFeatureControl](policy-csp-update.md) - [SetDisableUXWUAccess](policy-csp-update.md) - [SetDisablePauseUXAccess](policy-csp-update.md) - [UpdateNotificationLevel](policy-csp-update.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index f0fcb85ef2..8a53921483 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -4538,7 +4538,7 @@ The first several links will also be pinned to the Start menu. A total of four l -This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, {searchTerms}). +This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with the text in the search box. To add an Internet search site, specify the URL of the search site in OpenSearch format with {searchTerms} for the query string (for example, `https://www.example.com/results.aspx?q={searchTerms}`). You can add up to five additional links to the "Search again" links at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links. diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md index 33a6b979ad..b94979f010 100644 --- a/windows/client-management/mdm/policy-csp-audit.md +++ b/windows/client-management/mdm/policy-csp-audit.md @@ -4,7 +4,7 @@ description: Learn more about the Audit Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -343,7 +343,7 @@ Volume: Low. -This policy allows you to audit the group memberhsip information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group memberhsip information cannot fit in a single security audit event. +This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event. @@ -836,7 +836,7 @@ Volume: Low. -This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see article 947223 in the Microsoft Knowledge Base (. +This policy setting allows you to audit events generated by special logons such as the following : The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged. For more information about this feature, see [article 947223 in the Microsoft Knowledge Base](). @@ -1083,7 +1083,7 @@ Volume: Low. This policy setting allows you to audit events generated by changes to distribution groups such as the following Distribution group is created, changed, or deleted. Member is added or removed from a distribution group. Distribution group type is changed. If you configure this policy setting, an audit event is generated when an attempt to change a distribution group is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when a distribution group changes +- If you do not configure this policy setting, no audit event is generated when a distribution group changes. > [!NOTE] > Events in this subcategory are logged only on domain controllers. @@ -1120,7 +1120,7 @@ Volume: Low. | Name | Value | |:--|:--| -| Name | Audit Distributio Group Management | +| Name | Audit Distribution Group Management | | Path | Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Account Management | @@ -1332,7 +1332,7 @@ Volume: Low. -This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see . If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. +This policy setting allows you to audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see [How to Use Data Protection](/dotnet/standard/security/how-to-use-data-protection). If you configure this policy setting, an audit event is generated when an encryption or decryption request is made to DPAPI. Success audits record successful requests and Failure audits record unsuccessful requests. - If you do not configure this policy setting, no audit event is generated when an encryption or decryption request is made to DPAPI. @@ -1825,7 +1825,7 @@ Volume: High on domain controllers. None on client computers. -This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged +This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted. When possible, events logged in this subcategory indicate the old and new values of the object's properties. Events in this subcategory are logged only on domain controllers, and only objects in AD DS with a matching system access control list (SACL) are logged. > [!NOTE] > Actions on some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. If you configure this policy setting, an audit event is generated when an attempt to change an object in AD DS is made. Success audits record successful attempts, however unsuccessful attempts are NOT recorded. @@ -2135,7 +2135,7 @@ Volume: Medium or Low on computers running Active Directory Certificate Services -This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures +This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. If you configure this policy setting, an audit event is generated when an attempt is made to access a file or folder on a share. The administrator can specify whether to audit only successes, only failures, or both successes and failures. > [!NOTE] > There are no system access control lists (SACLs) for shared folders. @@ -2201,7 +2201,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc This policy setting allows you to audit attempts to access a shared folder. If you configure this policy setting, an audit event is generated when an attempt is made to access a shared folder. -- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures +- If this policy setting is defined, the administrator can specify whether to audit only successes, only failures, or both successes and failures. > [!NOTE] > There are no system access control lists (SACLs) for shared folders. @@ -2267,7 +2267,7 @@ Volume: High on a file server or domain controller because of SYSVOL network acc This policy setting allows you to audit user attempts to access file system objects. A security audit event is generated only for objects that have system access control lists (SACL) specified, and only if the type of access requested, such as Write, Read, or Modify and the account making the request match the settings in the SACL. For more information about enabling object access auditing, see . If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL +- If you do not configure this policy setting, no audit event is generated when an account accesses a file system object with a matching SACL. > [!NOTE] > You can set a SACL on a file system object using the Security tab in that object's Properties dialog box. @@ -2455,7 +2455,7 @@ Volume: High. This policy setting allows you to audit events generated when a handle to an object is opened or closed. Only objects with a matching system access control list (SACL) generate security audit events. If you configure this policy setting, an audit event is generated when a handle is manipulated. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when a handle is manipulated +- If you do not configure this policy setting, no audit event is generated when a handle is manipulated. > [!NOTE] > Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated. @@ -2519,7 +2519,7 @@ Volume: Depends on how SACLs are configured. -This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events +This policy setting allows you to audit attempts to access the kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. > [!NOTE] > The Audit Audit the access of global system objects policy setting controls the default SACL of kernel objects. @@ -2645,7 +2645,7 @@ Volume: Low. This policy setting allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL. If you configure this policy setting, an audit event is generated each time an account accesses a registry object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL +- If you do not configure this policy setting, no audit event is generated when an account accesses a registry object with a matching SACL. > [!NOTE] > You can set a SACL on a registry object using the Permissions dialog box. @@ -2771,10 +2771,10 @@ This policy setting allows you to audit user attempts to access file system obje This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects. SAM objects include the following SAM_ALIAS -- A local group. SAM_GROUP -- A group that is not a local group. SAM_USER - A user account. SAM_DOMAIN - A domain. SAM_SERVER - A computer account. If you configure this policy setting, an audit event is generated when an attempt to access a kernel object is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made +- If you do not configure this policy setting, no audit event is generated when an attempt to access a kernel object is made. > [!NOTE] -> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see article 841001 in the Microsoft Knowledge Base (. +> Only the System Access Control List (SACL) for SAM_SERVER can be modified. Volume High on domain controllers. For information about reducing the amount of events generated in this subcategory, see [article 841001 in the Microsoft Knowledge Base](https//go.microsoft.com/fwlink/?LinkId=121698). @@ -2836,7 +2836,7 @@ Volume: High on domain controllers. For more information about reducing the numb This policy setting allows you to audit events generated by changes to the authentication policy such as the following Creation of forest and domain trusts. Modification of forest and domain trusts. Removal of forest and domain trusts. Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy. Granting of any of the following user rights to a user or group Access This Computer From the Network. Allow Logon Locally. Allow Logon Through Terminal Services. Logon as a Batch Job. Logon a Service. Namespace collision. For example, when a new trust has the same name as an existing namespace name. If you configure this policy setting, an audit event is generated when an attempt to change the authentication policy is made. Success audits record successful attempts and Failure audits record unsuccessful attempts. -- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed +- If you do not configure this policy setting, no audit event is generated when the authentication policy is changed. > [!NOTE] > The security audit event is logged when the group policy is applied. It does not occur at the time when the settings are modified. @@ -3147,7 +3147,7 @@ Volume: Low. -This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list +This policy setting allows you to audit changes in the security audit policy settings such as the following Settings permissions and audit settings on the Audit Policy object. Changes to the system audit policy. Registration of security event sources. De-registration of security event sources. Changes to the per-user audit settings. Changes to the value of CrashOnAuditFail. Changes to the system access control list on a file system or registry object. Changes to the Special Groups list. > [!NOTE] > System access control list (SACL) change auditing is done when a SACL for an object changes and the policy change category is enabled. Discretionary access control list (DACL) and ownership changes are audited when object access auditing is enabled and the object's SACL is configured for auditing of DACL/Owner change. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 4c5e5997cb..8f7766c3a5 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -1484,7 +1484,7 @@ Supported versions: Microsoft Edge on Windows 10, version 1809 Default setting: Disabled or not configured Related policies: - Allows development of Windows Store apps and installing them from an integrated development environment (IDE) -- Allow all trusted apps to install +- Allow all trusted apps to install @@ -3248,7 +3248,7 @@ Related Documents: - [Find a package family name (PFN) for per-app VPN](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn) - [How to manage volume purchased apps from the Microsoft Store for Business with Microsoft Intune](/mem/intune/apps/windows-store-for-business) -- [Assign apps to groups with Microsoft Intune](/mem/intune/apps-deploy) +- [Assign apps to groups with Microsoft Intune](/mem/intune/apps/apps-deploy) - [Manage apps from the Microsoft Store for Business and Education with Configuration Manager](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business) - [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows) diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index f955123b29..b6865f7b07 100644 --- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -58,7 +58,7 @@ This ensures that: - The current Policy Manager policies are refreshed from what MDM has set - Any values set by scripts/user outside of GP that conflict with MDM are removed -The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP: +The [Policy DDF](configuration-service-provider-ddf.md) contains the following tags to identify the policies with equivalent GP: - \ - \ diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index eb25db2dad..298d67d708 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/09/2023 +ms.date: 02/10/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1164,7 +1164,7 @@ This setting applies to scheduled scans, but it has no effect on scans initiated -This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see the Windows Defender Antivirus documentation site +This policy setting determines how aggressive Windows Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer. If this setting is on, Windows Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency. For more information about specific values that are supported, see [Specify the cloud protection level](/microsoft-365/security/defender-endpoint/specify-cloud-protection-level-microsoft-defender-antivirus). > [!NOTE] > This feature requires the Join Microsoft MAPS setting enabled in order to function. @@ -1232,7 +1232,7 @@ This policy setting determines how aggressive Windows Defender Antivirus will be -This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds +This feature allows Windows Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an additional 50 seconds. For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds. > [!NOTE] > This feature depends on three other MAPS settings the must all be enabled- Configure the 'Block at First Sight' feature; Join Microsoft MAPS; Send file samples when further analysis is required. @@ -1980,7 +1980,7 @@ Allows an administrator to specify a list of directory paths to ignore during a -Allows an administrator to specify a list of files opened by processes to ignore during a scan +Allows an administrator to specify a list of files opened by processes to ignore during a scan. > [!IMPORTANT] > The process itself is not excluded from the scan, but can be by using the Defender/ExcludedPaths policy to exclude its path. Each file type must be separated by a |. For example, C\Example. exe|C\Example1.exe. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 459b035faf..075a1bd389 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -19,7 +19,7 @@ ms.topic: reference > [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). +> To find data formats (and other policy-related details), see [Policy DDF file](./configuration-service-provider-ddf.md). diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 040028b422..e9921d6795 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/18/2023 +ms.date: 02/03/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,9 @@ ms.topic: reference # Policy CSP - Update +> [!IMPORTANT] +> This CSP contains preview policies that are under development and only applicable for [Windows Insider Preview builds](/windows-insider/). These policies are subject to change and may have dependencies on other features or services in preview. + @@ -23,6 +26,7 @@ ms.topic: reference Update CSP policies are listed below based on the group policy area: - [Windows Insider Preview](#windows-insider-preview) + - [AllowTemporaryEnterpriseFeatureControl](#allowtemporaryenterprisefeaturecontrol) - [ConfigureDeadlineNoAutoRebootForFeatureUpdates](#configuredeadlinenoautorebootforfeatureupdates) - [ConfigureDeadlineNoAutoRebootForQualityUpdates](#configuredeadlinenoautorebootforqualityupdates) - [Manage updates offered from Windows Update](#manage-updates-offered-from-windows-update) @@ -103,6 +107,75 @@ Update CSP policies are listed below based on the group policy area: ## Windows Insider Preview + +### AllowTemporaryEnterpriseFeatureControl + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
    :x: User | :x: Home
    :heavy_check_mark: Pro
    :heavy_check_mark: Enterprise
    :heavy_check_mark: Education
    :heavy_check_mark: Windows SE | :heavy_check_mark: Windows Insider Preview | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/Update/AllowTemporaryEnterpriseFeatureControl +``` + + + + +Features introduced via servicing (outside of the annual feature update) are off by default for devices that have their Windows updates managed*. + +- If this policy is configured to "Enabled", then all features available in the latest monthly quality update installed will be on. + +- If this policy is set to "Not Configured" or "Disabled" then features that are shipped via a monthly quality update (servicing) will remain off until the feature update that includes these features is installed. + +*Windows update managed devices are those that have their Windows updates managed via policy; whether via the cloud using Windows Update for Business or on-premises with Windows Server Update Services (WSUS). + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | int | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Not allowed. | +| 1 | Allowed. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowTemporaryEnterpriseFeatureControl | +| Friendly Name | Enable features introduced via servicing that are off by default | +| Location | Computer Configuration | +| Path | Windows Components > Windows Update > Manage end user experience | +| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate | +| Registry Value Name | AllowTemporaryEnterpriseFeatureControl | +| ADMX File Name | WindowsUpdate.admx | + + + + + + + + ### ConfigureDeadlineNoAutoRebootForFeatureUpdates @@ -2589,7 +2662,7 @@ If you select "Apply only during active hours" in conjunction with Option 1 or 2 -Enables the IT admin to schedule the day of the update installation. The data type is a integer. +Enables the IT admin to schedule the day of the update installation. The data type is an integer. @@ -2660,7 +2733,7 @@ Enables the IT admin to schedule the day of the update installation. The data ty -Enables the IT admin to schedule the update installation on the every week. Value type is integer. +Enables the IT admin to schedule the update installation every week. Value type is integer. @@ -2985,7 +3058,7 @@ Enables the IT admin to schedule the update installation on the third week of th - the IT admin to schedule the time of the update installation. The data type is a integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. + the IT admin to schedule the time of the update installation. The data type is an integer. Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. The default value is 3. @@ -3044,7 +3117,7 @@ Enables the IT admin to schedule the update installation on the third week of th -This setting allows to remove access to "Pause updates" feature. +This setting allows removing access to "Pause updates" feature. Once enabled user access to pause updates is removed. diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md deleted file mode 100644 index 07c6ded973..0000000000 --- a/windows/client-management/mdm/policy-ddf-file.md +++ /dev/null @@ -1,32 +0,0 @@ ---- -title: Policy DDF file -description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider. -ms.reviewer: -manager: aaroncz -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.localizationpriority: medium -ms.date: 10/28/2020 ---- - -# Policy DDF file - -This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. - -You can view various Policy DDF files by clicking the following links: - -- [View the Policy DDF file for Windows 10, version 20H2](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_20H2.xml) -- [View the Policy DDF file for Windows 10, version 2004](https://download.microsoft.com/download/4/0/f/40f9ec45-3bea-442c-8afd-21edc1e057d8/PolicyDDF_all_2004.xml) -- [View the Policy DDF file for Windows 10, version 1903](https://download.microsoft.com/download/0/C/D/0CD61812-8B9C-4846-AC4A-1545BFD201EE/PolicyDDF_all_1903.xml) -- [View the Policy DDF file for Windows 10, version 1809](https://download.microsoft.com/download/7/3/5/735B8537-82F4-4CD1-B059-93984F9FAAC5/Policy_DDF_all_1809.xml) -- [View the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml) -- [View the Policy DDF file for Windows 10, version 1803 release C](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all_1809C_release.xml) -- [View the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml) -- [View the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) -- [View the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) -- [View the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - -You can download DDF files for various CSPs from [CSP DDF files download](configuration-service-provider-ddf.md). diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 919e4cac79..d35962adb6 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -34,7 +34,7 @@ items: href: policy-configuration-service-provider.md items: - name: Policy CSP DDF file - href: policy-ddf-file.md + href: configuration-service-provider-ddf.md - name: Policy CSP support scenarios items: - name: ADMX policies in Policy CSP diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 6b3389617f..b6cc17127d 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -7,7 +7,7 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 10/02/2018 -ms.reviewer: +ms.reviewer: manager: aaroncz --- @@ -31,7 +31,7 @@ The UEFI Configuration Service Provider (CSP) interfaces to UEFI's Device Firmwa > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). > [!NOTE] -> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_plus/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. +> The production UEFI CSP is present in 1809, but it depends upon the [Device Firmware Configuration Interface (DFCI) and UEFI firmware](https://microsoft.github.io/mu/dyn/mu_feature_dfci/DfciPkg/Docs/Dfci_Feature/) to comply with this interface. The following shows the UEFI CSP in tree format. ``` diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 315f3afa7f..90a28bb7e6 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "itpro-configure", diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 6c21a68819..e84cabe14e 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -55,7 +55,7 @@ items: - name: Frequently Asked Questions href: mcc-isp-faq.yml - - name: Enhancing VM performance + - name: Enhancing cache performance href: mcc-isp-vm-performance.md - name: Support and troubleshooting href: mcc-isp-support.md diff --git a/windows/deployment/do/images/mcc-isp-create-resource-fields.png b/windows/deployment/do/images/mcc-isp-create-resource-fields.png new file mode 100644 index 0000000000..f80f8e490a Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-create-resource-fields.png differ diff --git a/windows/deployment/do/images/mcc-isp-create-resource-validated.png b/windows/deployment/do/images/mcc-isp-create-resource-validated.png new file mode 100644 index 0000000000..cfa2901768 Binary files /dev/null and b/windows/deployment/do/images/mcc-isp-create-resource-validated.png differ diff --git a/windows/deployment/do/mcc-enterprise-appendix.md b/windows/deployment/do/mcc-enterprise-appendix.md index 11915236a8..d9eab5ddf8 100644 --- a/windows/deployment/do/mcc-enterprise-appendix.md +++ b/windows/deployment/do/mcc-enterprise-appendix.md @@ -12,7 +12,7 @@ ms.technology: itpro-updates # Appendix -## Steps to obtain an Azure Subscription ID +## Steps to obtain an Azure subscription ID [!INCLUDE [Get Azure subscription](includes/get-azure-subscription.md)] @@ -23,12 +23,20 @@ If you're not able to sign up for a Microsoft Azure subscription with the **Acco - [Can't sign up for a Microsoft Azure subscription](/troubleshoot/azure/general/cannot-sign-up-subscription). - [Troubleshoot issues when you sign up for a new account in the Azure portal](/azure/cost-management-billing/manage/troubleshoot-azure-sign-up). -## Installing on VMWare +## Hardware specifications -We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMWare. To do so, there are a couple of additional configurations to be made: +Most customers choose to install their cache node on a Windows Server with a nested Hyper-V VM. If this isn't supported in your network, some customers have also opted to install their cache node using VMware. At this time, a Linux-only solution isn't available and Azure VMs don't support the standalone Microsoft Connected Cache. + +### Installing on VMware + +We've seen that Microsoft Connected Cache for Enterprise and Education can be successfully installed on VMware. To do so, there are a couple of additional configurations to be made: 1. Ensure that you're using ESX. In the VM settings, turn on the option **Expose hardware assisted virtualization to the guest OS**. -1. Using the HyperV Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. +1. Using the Hyper-V Manager, create an external switch. For the external switch to have internet connection, ensure **"Allow promiscuous mode"**, **"Allow forged transmits"**, and **"Allow MAC changes"** are all switched to **Yes**. + +### Installing on Hyper-V + +To learn more about how to configure Intel and AMD processors to support nested virtualization, see [Run Hyper-V in a Virtual Machine with Nested Virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization). ## Diagnostics Script @@ -65,17 +73,17 @@ communication operations. The runtime performs several functions: For more information on Azure IoT Edge, see the [Azure IoT Edge documentation](/azure/iot-edge/about-iot-edge). -## Routing local Windows Clients to an MCC +## Routing local Windows clients to an MCC ### Get the IP address of your MCC using ifconfig There are multiple methods that can be used to apply a policy to PCs that should participate in downloading from the MCC. -#### Registry Key +#### Registry key You can either set your MCC IP address or FQDN using: -1. Registry Key (version 1709 and later): +1. Registry key (version 1709 and later): `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization`
    "DOCacheHost"=" " @@ -86,7 +94,7 @@ You can either set your MCC IP address or FQDN using: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f ``` -1. MDM Path (version 1809 and later): +1. MDM path (version 1809 and later): `.Vendor/MSFT/Policy/Config/DeliveryOptimization/DOCacheHost` @@ -95,7 +103,7 @@ You can either set your MCC IP address or FQDN using: :::image type="content" source="./images/ent-mcc-group-policy-hostname.png" alt-text="Screenshot of the Group Policy editor showing the Cache Server Hostname Group Policy setting." lightbox="./images/ent-mcc-group-policy-hostname.png"::: -**Verify Content using the DO Client** +## Verify content using the DO client To verify that the Delivery Optimization client can download content using MCC, you can use the following steps: diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md index c39e4b5a84..52b3515a34 100644 --- a/windows/deployment/do/mcc-enterprise-deploy.md +++ b/windows/deployment/do/mcc-enterprise-deploy.md @@ -31,18 +31,18 @@ To deploy MCC to your server: For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com) -### Provide Microsoft with the Azure Subscription ID +### Provide Microsoft with the Azure subscription ID As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] > [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. -For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). +For information about creating or locating your subscription ID, see [Steps to obtain an Azure subscription ID](mcc-enterprise-appendix.md#steps-to-obtain-an-azure-subscription-id). ### Create the MCC resource in Azure -The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. +The MCC Azure management portal is used to create and manage MCC nodes. An Azure subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you'll be given a link to the Azure portal where you can create the resource described below. @@ -221,7 +221,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p 1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub. - 1. You'll be shown a list of existing IoT Hubs in your Azure Subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** + 1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"** :::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png"::: :::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png"::: @@ -235,7 +235,7 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p ## Verify proper functioning MCC server -#### Verify Client Side +#### Verify client side Connect to the EFLOW VM and check if MCC is properly running: @@ -305,21 +305,16 @@ sudo iotedge list :::image type="content" source="./images/ent-mcc-iotedge-list.png" alt-text="Screenshot of the iotedge list command." lightbox="./images/ent-mcc-iotedge-list.png"::: -If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager using the command: +If edgeAgent and edgeHub containers are listed, but not "MCC", you may view the status of the IoT Edge security manager by using the command: ```bash sudo journalctl -u iotedge -f ``` -For example, this command will provide the current status of the starting, stopping of a container, or the container pull and start. +This command will provide the current status of the starting, stopping of a container, or the container pull and start. :::image type="content" source="./images/ent-mcc-journalctl.png" alt-text="Screenshot of the output from journalctl -u iotedge -f." lightbox="./images/ent-mcc-journalctl.png"::: -Use this command to check the IoT Edge Journal - -```bash -sudo journalctl -u iotedge -f -``` > [!NOTE] > You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation. diff --git a/windows/deployment/do/mcc-enterprise-prerequisites.md b/windows/deployment/do/mcc-enterprise-prerequisites.md index fac81254f0..2e5773468b 100644 --- a/windows/deployment/do/mcc-enterprise-prerequisites.md +++ b/windows/deployment/do/mcc-enterprise-prerequisites.md @@ -24,13 +24,12 @@ ms.technology: itpro-updates Your Azure subscription ID is first used to provision MCC services, and enable access to the preview. The MCC server requirement for an Azure subscription will cost you nothing. If you don't have an Azure subscription already, you can create an Azure [Pay-As-You-Go](https://azure.microsoft.com/offers/ms-azr-0003p/) account, which requires a credit card for verification purposes. For more information, see the [Azure Free Account FAQ](https://azure.microsoft.com/free/free-account-faq/). The resources used for the preview and in the future when this product is ready for production will be free to you, like other caching solutions. - -2. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. +1. **Hardware to host MCC**: The recommended configuration will serve approximately 35000 managed devices, downloading a 2 GB payload in 24-hour timeframe at a sustained rate of 6.5 Gbps. > [!NOTE] > Azure VMs are not currently supported. If you'd like to install your cache node on VMWare, see the [Appendix](mcc-enterprise-appendix.md) for a few additional configurations. - **EFLOW Requires Hyper-V support** + **EFLOW requires Hyper-V support** - On Windows client, enable the Hyper-V feature - On Windows Server, install the Hyper-V role and create a default network switch @@ -44,6 +43,7 @@ ms.technology: itpro-updates VM networking: - An external virtual switch to support outbound and inbound network communication (created during the installation process) +1. **Content endpoints**: If you're using a proxy or firewall, certain endpoints must be allowed through in order for your MCC to cache and serve content. See [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md) for the list of required endpoints. ## Sizing recommendations diff --git a/windows/deployment/do/mcc-isp-create-provision-deploy.md b/windows/deployment/do/mcc-isp-create-provision-deploy.md index aa7180c750..885330563a 100644 --- a/windows/deployment/do/mcc-isp-create-provision-deploy.md +++ b/windows/deployment/do/mcc-isp-create-provision-deploy.md @@ -10,7 +10,7 @@ ms.date: 12/31/2017 ms.technology: itpro-updates --- -# Create, Configure, provision, and deploy the cache node in Azure portal +# Create, configure, provision, and deploy the cache node in Azure portal **Applies to** @@ -58,8 +58,8 @@ BGP (Border Gateway Protocol) routing is another method offered for client routi 1. Enter the max allowable egress that your hardware can support. -1. Under **Cache storage**, specify the location of the cache drives to store content along with the size of the cache drives in Gigabytes. -**Note:** Up to nine cache drives are supported. +1. Under **Cache storage**, specify the location of the cache drive folder to store content along with the size of the cache drives in Gigabytes. +**Note:** This is a **required** field. Up to nine cache drive folders are supported. 1. Under **Routing information**, select the routing method you would like to use. For more information, see [Client routing](#client-routing). @@ -110,10 +110,10 @@ There are five IDs that the device provisioning script takes as input in order t 1. Copy and paste the script command line shown in the Azure portal. -1. Run the script in your server terminal for your cache node by . The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). +1. Run the script in your server terminal for your cache node. The script may take a few minutes to run. If there were no errors, you have set up your cache node successfully. To verify the server is set up correctly, follow the [verification steps](mcc-isp-verify-cache-node.md). > [!NOTE] - > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to reprovision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. + > The same script can be used to provision multiple cache nodes, but the command line is unique per cache node. Additionally, if you need to re-provision your server or provision a new server or VM for the cache node, you must copy the command line from the Azure portal again as the "registrationkey" value is unique for each successful execution of the provisioning script. ### General configuration fields @@ -127,12 +127,12 @@ There are five IDs that the device provisioning script takes as input in order t ### Storage fields > [!IMPORTANT] -> All cache drives must have read/write permissions set or the cache node will not function. -> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrive` +> All cache drives must have full read/write permissions set or the cache node will not function. +> For example, in a terminal you can run: `sudo chmod 777 /path/to/cachedrivefolder` | Field Name | Expected Value| Description | |---|---|---| -| **Cache drive** | File path string | Up to 9 drives can be configured for each cache node to configure cache storage. Enter the file path to each drive. For example: `/dev/folder/` Each cache drive should have read/write permissions configured. | +| **Cache drive folder** | File path string | Up to 9 drive folders accessible by the cache node can be configured for each cache node to configure cache storage. Enter the location of the folder in Ubuntu where the external physical drive is mounted. For example: `/dev/sda3/` Each cache drive should have read/write permissions configured. Ensure your disks are mounted and visit [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk) for more information.| | **Cache drive size in gigabytes** | Integer in GB | Set the size of each drive configured for the cache node. | ### Client routing fields diff --git a/windows/deployment/do/mcc-isp-faq.yml b/windows/deployment/do/mcc-isp-faq.yml index 74688ffae3..07d8f242c0 100644 --- a/windows/deployment/do/mcc-isp-faq.yml +++ b/windows/deployment/do/mcc-isp-faq.yml @@ -69,8 +69,6 @@ sections: answer: We have already successfully onboarded ISPs in many countries around the world and have received positive feedback! However, you can always start off with a portion of your CIDR blocks to test out the performance of MCC before expanding to more customers. - question: How does Microsoft Connected Cache populate its content? answer: Microsoft Connected Cache is a cold cache warmed by client requests. The client requests content and that is what fills up the cache. There's no off-peak cache fill necessary. Microsoft Connected Cache will reach out to different CDN providers just like a client device would. The traffic flow from Microsoft Connected Cache will vary depending on how you currently transit to each of these CDN providers. The content can come from third party CDNs or from AFD. - - question: What do I do if I need more support and have more questions even after reading this FAQ page? - answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). - question: What CDNs will Microsoft Connected Cache pull content from? answer: | Microsoft relies on a dynamic mix of 1st and 3rd party CDN providers to ensure enough capacity, redundancy, and performance for the delivery of Microsoft served content. Though we don't provide lists of the CDN vendors we utilize as they can change without notice, our endpoints are public knowledge. If someone were to perform a series of DNS lookups against our endpoints (tlu.dl.delivery.mp.microsoft.com for example), they would be able to determine which CDN or CDNs were in rotation at a given point in time: @@ -82,3 +80,11 @@ sections: $ whois 13.107.4.50|grep "Organization:" Organization: Microsoft Corporation (MSFT) + - question: I'm a network service provider and have downstream transit customers. If one of my downstream transit customers onboards to Microsoft Connected Cache, how will it affect my traffic? + answer: If a downstream customer deploys a Microsoft Connected Cache node, the cache controller will prefer the downstream ASN when handling that ASN's traffic. + - question: I signed up for Microsoft Connected Cache, but I'm not receiving the verification email. What should I do? + answer: First, check that the email under the NOC role is correct in your PeeringDB page. If the email associated with NOC role is correct, search for an email from the sender "microsoft-noreply@microsoft.com" with the email subject - "Here's your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender "microsoft-noreply@microsoft.com". + - question: I have an active MCC, but I'm noticing I hit the message limit for my IoT Hub each day. Does this affect my MCC performance and should I be concerned? + answer: Even when the quota of 8k messages is hit, the MCC functionality won't be affected. Your client devices will continue to download content as normal. You'll also not be charged above the 8k message limit, so you don't need to worry at all about getting a paid plan. MCC will always be a free service. So if functionality isn't impacted, what is? Instead, messages about the configuration or edge deployment would be impacted. This means that if there was a request to update your MCC and the daily quota was reached, your MCC might not update. In that case, you would just need to wait for the next day to update. This is only a limitation of the private preview and isn't an issue during public preview. + - question: What do I do if I need more support and have more questions even after reading this FAQ page? + answer: For further support for Microsoft Connected Cache, visit [Troubleshooting Issues for Microsoft Connected Cache for ISP (public preview)](mcc-isp-support.md). diff --git a/windows/deployment/do/mcc-isp-signup.md b/windows/deployment/do/mcc-isp-signup.md index e53324e321..f407f4d6cd 100644 --- a/windows/deployment/do/mcc-isp-signup.md +++ b/windows/deployment/do/mcc-isp-signup.md @@ -24,21 +24,37 @@ This article details the process of signing up for Microsoft Connected Cache for ## Prerequisites Before you begin sign up, ensure you have the following components: -- **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You will need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, [visit this page](https://azure.microsoft.com/offers/ms-azr-0003p/). -- **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. -- **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. -- **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed Ubuntu 20.04 LTS. + +1. **Azure Pay-As-You-Go subscription**: Microsoft Connected Cache is a completely free-of-charge service hosted in Azure. You'll need to have a Pay-As-You-Go subscription in order to onboard to our service. To create a subscription, go to the [Pay-As-You-Go subscription page](https://azure.microsoft.com/offers/ms-azr-0003p/). + +1. **Access to Azure portal**: Ensure you have the credentials needed to access your organization's Azure portal. + +1. **Peering DB**: Ensure your organization's [Peering DB](https://www.peeringdb.com/) page is up-to-date and active. Check that the NOC email listed is accurate, and that you have access to this email. + +1. **Server**: Ensure the server you wish to install Microsoft Connected Cache on is ready, and that the server is installed on Ubuntu 20.04 LTS. +1. **Configure cache drive**: Make sure that you have a data drive configured with full permissions on your server. You'll need to specify the location for this cache drive during the cache node configuration process. The minimum size for the data drive is 100 GB. For instructions to mount a disk on a Linux VM, see [Attach a data disk to a Linux VM](/azure/virtual-machines/linux/attach-disk-portal#find-the-disk). ## Resource creation and sign up process 1. Navigate to the [Azure portal](https://www.portal.azure.com). Select **Create a Resource**. Then, search for **Microsoft Connected Cache**. - :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace."::: + :::image type="content" source="./images/mcc-isp-search.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource in Azure marketplace." lightbox="./images/mcc-isp-search.png"::: -1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, enter a name for your cache resource. +1. Select **Create** to create a **Microsoft Connected Cache**. When prompted, choose the subscription, resource group, and location of your cache node. Also, enter a name for your cache node. + + :::image type="content" source="./images/mcc-isp-create-resource-fields.png" alt-text="Screenshot of the Azure portal that shows the Microsoft Connected Cache resource creation step." lightbox="./images/mcc-isp-create-resource-fields.png"::: > [!IMPORTANT] > After your resource has been created, we need some information to verify your network operator status and approve you to host Microsoft Connected Cache nodes. Please ensure that your [Peering DB](https://www.peeringdb.com/) organization information is up to date as this information will be used for verification. The NOC contact email will be used to send verification information. + + After a few moments, you'll see a "Validation successful" message, indicating you can move onto the next step and select **Create**. + + :::image type="content" source="./images/mcc-isp-create-resource-validated.png" alt-text="Screenshot of the Azure portal that shows a green validation successful message for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-create-resource-validated.png"::: + +1. The creation of the cache node may take a few minutes. After a successful creation, you'll see a **Deployment complete** page as below. Select **Go to resource**. + + :::image type="content" source="./images/mcc-isp-deployment-complete.png" alt-text="Screenshot of the Azure portal that shows a successful deployment for the creation of the Microsoft Connected Cache resource." lightbox="./images/mcc-isp-deployment-complete.png"::: + 1. Navigate to **Settings** > **Sign up**. Enter your organization ASN. Indicate whether you're a transit provider. If so, additionally, include any ASN(s) for downstream network operators that you may transit traffic for. :::image type="content" source="./images/mcc-isp-sign-up.png" alt-text="Screenshot of the sign up page in the Microsoft Connected Cache resource page in Azure portal." lightbox="./images/mcc-isp-sign-up.png"::: @@ -48,7 +64,10 @@ Before you begin sign up, ensure you have the following components: > [!NOTE] > Verification codes expire in 24 hours. You will need to generate a new code if it expires. - :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + :::image type="content" source="images/mcc-isp-operator-verification.png" alt-text="Screenshot of the sign up verification page on Azure portal for Microsoft Connected Cache." lightbox="./images/mcc-isp-operator-verification.png"::: + + > [!NOTE] + > **Can't find the verification email in your inbox?** Check that the email under the NOC role is correct in [Peering DB](https://www.peeringdb.com/). Search for an email from the sender **microsoft-noreply@microsoft.com** with the email subject: "Here’s your Microsoft Connected Cache verification code" in your Spam folders. Still can't find it? Ensure that your email admin rules allow emails from the sender **microsoft-noreply@microsoft.com**. 1. Once verified, follow the instructions in [Create, provision, and deploy cache node](mcc-isp-create-provision-deploy.md) to create your cache node. @@ -57,37 +76,3 @@ Before you begin sign up, ensure you have the following components: During the sign-up process, Microsoft will provide you with a traffic estimation based on your ASN(s). We make estimations based on our predictions on historical data about Microsoft content download volume. We'll use these estimations to recommend hardware or VM configurations. You can review these recommendations within the Azure portal. We make these estimations based on the Microsoft content types that Microsoft Connected Cache serves. To learn more about the types of content that are supported, see [Delivery Optimization and Microsoft Connected Cache content type endpoints](delivery-optimization-endpoints.md). --> - -### Cache performance - -To make sure you're maximizing the performance of your cache node, review the following information: - -#### OS requirements - -The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. - -#### NIC requirements - -- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. -- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. - -#### Drive performance - -The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. - -RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. - -### Hardware configuration example - -There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: - -**Dell PowerEdge R330** - -- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core -- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s -- 4 - Transcend SSD230s 1 TB SATA Drives -- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) - -### Virtual machines - -Microsoft Connected Cache supports both physical and virtual machines as cache servers. If you're using a virtual machine as your server, refer to [VM performance](mcc-isp-vm-performance.md) for tips on how to improve your VM performance. \ No newline at end of file diff --git a/windows/deployment/do/mcc-isp-verify-cache-node.md b/windows/deployment/do/mcc-isp-verify-cache-node.md index da0003c24f..1e31838cd4 100644 --- a/windows/deployment/do/mcc-isp-verify-cache-node.md +++ b/windows/deployment/do/mcc-isp-verify-cache-node.md @@ -16,6 +16,28 @@ ms.technology: itpro-updates This article details how to verify that your cache node(s) are functioning properly and serving traffic. This article also details how to monitor your cache nodes. +## Verify cache node installation is complete + +Sign in to the Connected Cache server or use SSH. Run the following command from a terminal to see the running modules (containers): + +```bash +sudo iotedge list +``` + +:::image type="content" source="./images/mcc-isp-running-containers.png" alt-text="Screenshot of the terminal output of iotedge list command, showing the running containers." lightbox="./images/mcc-isp-running-containers.png"::: + +If it lists the **edgeAgent** and **edgeHub** containers, but doesn't include **MCC**, view the status of the IoT Edge security manager using the command: + +```bash +sudo iotedge system logs -- -f +``` + +For example, this command provides the current status of the starting and stopping of a container, or the container pull and start: + +:::image type="content" source="./images/mcc-isp-edge-journalctl.png" alt-text="Terminal output of journalctl command for iotedge." lightbox="./images/mcc-isp-edge-journalctl.png"::: + +You may need to wait up to 30 minutes for the cache node software to complete downloading and begin caching. + ## Verify functionality on Azure portal Sign into the [Azure portal](https://www.portal.azure.com) and navigate to the **Overview** page. Select the **Monitoring** tab to verify the functionality of your server(s) by validating the number of healthy nodes shown. If you see any **Unhealthy nodes**, select the **Diagnose and Solve** link to troubleshoot and resolve the issue. @@ -48,6 +70,14 @@ http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsup If the test fails, for more information, see the [FAQ](mcc-isp-faq.yml) article. +## Verify BGP routing configuration + +To verify your BGP routes are correctly configured for a cache node, navigate to **Settings > Cache nodes**. Select the cache node you wish to verify BGP routes for. + +Verify that under **Routing Information**, the state of **BGP routes received** is True. Verify the IP space is correct. Lastly, select **Download JSON** next to **Download BGP Routes** to view the BGP routes that your cache node is currently advertising. + +If **BGP routes received** is False, your **IP Space** is 0, or you're experiencing any BGP routing errors, ensure your **ASN** and **IP address** is entered correctly. + ## Monitor cache node health and performance Within Azure portal, there are many charts and graphs that are available to monitor cache node health and performance. diff --git a/windows/deployment/do/mcc-isp-vm-performance.md b/windows/deployment/do/mcc-isp-vm-performance.md index 9316c9a5af..5bd6e00e83 100644 --- a/windows/deployment/do/mcc-isp-vm-performance.md +++ b/windows/deployment/do/mcc-isp-vm-performance.md @@ -1,5 +1,5 @@ --- -title: Enhancing VM performance +title: Enhancing cache performance manager: aaroncz description: How to enhance performance on a virtual machine used with Microsoft Connected Cache for ISPs ms.prod: windows-client @@ -10,11 +10,41 @@ ms.technology: itpro-updates ms.date: 12/31/2017 --- -# Enhancing virtual machine performance +# Enhancing cache performance + +To make sure you're maximizing the performance of your cache node, review the following information: + +#### OS requirements + +The Microsoft Connected Cache module is optimized for Ubuntu 20.04 LTS. Install Ubuntu 20.04 LTS on a physical server or VM of your choice. + +#### NIC requirements + +- Multiple NICs on a single MCC instance are supported using a *link aggregated* configuration. +- 10 Gbps NIC is the minimum speed recommended, but any NIC is supported. + +#### Drive performance + +The maximum number of disks supported is 9. When configuring your drives, we recommend SSD drives as cache read speed of SSD is superior to HDD. In addition, using multiple disks is recommended to improve cache performance. + +RAID disk configurations are discouraged as cache performance will be impacted. If using RAID disk configurations, ensure striping. + +### Hardware configuration example + +There are many hardware configurations that suit Microsoft Connected Cache. As an example, a customer has deployed the following hardware configuration and is able to achieve a peak egress of about 35 Gbps: + +**Dell PowerEdge R330** + +- 2 x Intel(R) Xeon(R) CPU E5-2630 v3 @ 2.40 GHz, total 32 core +- 48 GB, Micron Technology 18ASF1G72PDZ-2G1A1, Speed: 2133 MT/s +- 4 - Transcend SSD230s 1 TB SATA Drives +- Intel Corporation Ethernet 10G 2P X520 Adapter (Link Aggregated) + +## Enhancing virtual machine performance In virtual environments, the cache server egress peaks at around 1.1 Gbps. If you want to maximize the egress in virtual environments, it's critical to change two settings. -## Virtual machine settings +### Virtual machine settings Change the following settings to maximize the egress in virtual environments: @@ -27,7 +57,3 @@ Change the following settings to maximize the egress in virtual environments: Microsoft has found these settings to double egress when using a Microsoft Hyper-V deployment. 2. Enable high performance in the BIOS instead of energy savings. Microsoft has found this setting to also nearly double egress in a Microsoft Hyper-V deployment. - -## Next steps - -[Support and troubleshooting](mcc-isp-support.md) diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index bc0d6223b6..dcfac57aad 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -1,13 +1,12 @@ --- title: Microsoft Connected Cache overview -manager: dougeby +manager: aaroncz description: This article provides information about Microsoft Connected Cache (MCC), a software-only caching solution. ms.prod: windows-client author: carmenf ms.localizationpriority: medium ms.author: carmenf ms.topic: article -ms.custom: seo-marvel-apr2020 ms.technology: itpro-updates ms.date: 12/31/2017 --- @@ -20,13 +19,21 @@ ms.date: 12/31/2017 - Windows 11 > [!IMPORTANT] -> Microsoft Connected Cache is currently a preview feature. To view our early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). +> Microsoft Connected Cache is currently a preview feature. To view our Microsoft Connected Cache for ISPs early preview documentation, visit [Microsoft Connected Cache for Internet Service Providers (ISPs)](mcc-isp.md). For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). -Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. +Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings: 1) Microsoft Connected Cache for Internet Service Providers and 2) Microsoft Connected Cache for Enterprise and Education (early preview). Both products are created and managed in the cloud portal. + +## Microsoft Connected Cache for ISPs (preview) +Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. + +## Microsoft Connected Cache for Enterprise and Education (early preview) +Microsoft Connected Cache (MCC) for Enterprise and Education (early preview) is a software-only caching solution that delivers Microsoft content within Enterprise and Education networks. MCC can be deployed to as many Windows servers, bare-metal servers, or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. MCC is a hybrid (mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module and Docker compatible Linux container deployed to your Windows devices. The Delivery Optimization team chose IoT Edge for Linux on Windows (EFLOW) as a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. -Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: +## IoT Edge + +Both of Microsoft Connected Cache product offerings use Azure IoT Edge. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container deployment and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs several functions important to manage MCC on your edge device: 1. Installs and updates MCC on your edge device. 1. Maintains Azure IoT Edge security standards on your edge device. @@ -51,8 +58,6 @@ The following diagram displays and overview of how MCC functions: :::image type="content" source="./images/waas-mcc-diag-overview.png" alt-text="Diagram displaying the components of MCC." lightbox="./images/waas-mcc-diag-overview.png"::: - - ## Next steps - [Microsoft Connected Cache for Enterprise and Education](mcc-enterprise-prerequisites.md) diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index ad1f0f4c84..1387984499 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "feedback_system": "GitHub", diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md index 800f387276..79ff9e1b78 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request.md @@ -17,8 +17,6 @@ msreviewer: hathind > [!IMPORTANT] > Make sure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md). The Windows Autopatch Service Engineering Team will contact these individuals for assistance with remediating issues. -You can submit support tickets to Microsoft using the Windows Autopatch admin center. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. - ## Submit a new support request Support requests are triaged and responded to as they're received. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 3c5bb1f346..92e00968e2 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -91,7 +91,7 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: - Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or -- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). +- An issue occurred which prevented devices from getting a deployment ring assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). There are two automated deployment ring remediation functions: diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md index b58aa2938f..4d8d128f89 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-feature-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows feature updates description: This article explains how Windows feature updates are managed in Autopatch -ms.date: 02/02/2023 +ms.date: 02/07/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -73,6 +73,9 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym ## Pausing and resuming a release +> [!CAUTION] +> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). + > [!IMPORTANT] > Pausing or resuming an update can take up to eight hours to be applied to devices. Windows Autopatch uses Microsoft Intune as its management solution and that's the average frequency devices take to communicate back to Microsoft Intune with new instructions to pause, resume or rollback updates.

    For more information, see [how long does it take for devices to get a policy, profile, or app after they are assigned from Microsoft Intune](/mem/intune/configuration/device-profile-troubleshoot#how-long-does-it-take-for-devices-to-get-a-policy-profile-or-app-after-they-are-assigned).

    @@ -88,18 +91,18 @@ Windows Autopatch provides a permanent pause of a Windows feature update deploym 8. If you're resuming an update, you can select one or more deployment rings. 9. Select **Okay**. -If you've paused an update, the specified release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. +If you've paused an update, the specified release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite IT admin's pause. You must select **Resume** to resume the update. > [!NOTE] -> The **Service Paused** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf. +> The **Service Pause** status only applies to [Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release). Windows Autopatch doesn't pause Windows feature updates on your behalf. ## Rollback -Windows Autopatch doesn’t support the rollback of Windows Feature updates. +Windows Autopatch doesn’t support the rollback of Windows feature updates. > [!CAUTION] -> It’s not recommended to use [Microsoft Intune’s capabilities](/mem/intune/protect/windows-10-update-rings#manage-your-windows-update-rings) to pause and rollback a Windows feature update. However, if you choose to pause, resume and/or roll back from Intune, Windows Autopatch is **not** responsible for any problems that arise from rolling back the Windows feature update. +> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](../operate/windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). ## Contact support -If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. +If you’re experiencing issues related to Windows feature updates, you can [submit a support request](../operate/windows-autopatch-support-request.md). diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md index c8ab6062c6..c2ad146ec6 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-windows-quality-update-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 12/15/2022 +ms.date: 02/07/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -9,7 +9,7 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: andredm7 --- # Windows quality updates @@ -89,7 +89,7 @@ By default, the service expedites quality updates as needed. For those organizat **To turn off service-driven expedited quality updates:** 1. Go to **[Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431)** > **Devices**. -2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited Quality Updates** setting. +2. Under **Windows Autopatch** > **Release management**, go to the **Release settings** tab and turn off the **Expedited quality updates** setting. > [!NOTE] > Windows Autopatch doesn't allow customers to request expedited releases. @@ -108,6 +108,11 @@ Windows Autopatch schedules and deploys required Out of Band (OOB) updates relea ### Pausing and resuming a release +> [!CAUTION] +> It's only recommended to use Windows Autopatch's end-user experience to pause and resume [Windows quality](windows-autopatch-windows-quality-update-overview.md#pausing-and-resuming-a-release) and [Windows feature updates](#pausing-and-resuming-a-release). If you need assistance with pausing and resuming updates, please [submit a support request](../operate/windows-autopatch-support-request.md). + +The service-level pause of updates is driven by the various software update deployment-related signals Windows Autopatch receives from Windows Update for Business, and several other product groups within Microsoft. + If Windows Autopatch detects a [significant issue with a release](../operate/windows-autopatch-windows-quality-update-signals.md), we may decide to pause that release. > [!IMPORTANT] @@ -125,12 +130,13 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win 8. If you're resuming an update, you can select one or more deployment rings. 9. Select **Okay**. -There are two statuses associated with paused quality updates, **Service Paused** and **Customer Paused**. +The three following statuses are associated with paused quality updates: | Status | Description | | ----- | ------ | -| Service Paused | If the Windows Autopatch service has paused an update, the release will have the **Service Paused** status. You must [submit a support request](windows-autopatch-support-request.md) to resume the update. | -| Customer Paused | If you've paused an update, the release will have the **Customer Paused** status. The Windows Autopatch service can't overwrite a customer-initiated pause. You must select **Resume** to resume the update. | +| Service Pause | If the Windows Autopatch service has paused an update, the release will have the **Service Pause** status. You must [submit a support request](../operate/windows-autopatch-support-request.md) to resume the update. | +| Customer Pause | If you've paused an update, the release will have the **Customer Pause** status. The Windows Autopatch service can't overwrite an IT admin's pause. You must select **Resume** to resume the update. | +| Customer & Service Pause | If you and Windows Autopatch have both paused an update, the release will have the **Customer & Service Pause** status. If you resume the update, and the **Service Pause** status still remains, you must [submit a support request](../operate/windows-autopatch-support-request.md) for Windows Autopatch to resume the update deployment on your behalf. | ## Remediating Ineligible and/or Not up to Date devices diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md index c36be7a98b..44447d5697 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enrollment-support-request.md @@ -14,7 +14,7 @@ msreviewer: hathind # Submit a tenant enrollment support request -If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. Email is the recommended approach to interact with the Windows Autopatch Service Engineering Team. +If you need more assistance with tenant enrollment, you can submit support requests to the Windows Autopatch Service Engineering Team in the Windows Autopatch enrollment tool. > [!NOTE] > After you've successfully enrolled your tenant, this feature will no longer be accessible. You must [submit a support request through the Tenant administration menu](../operate/windows-autopatch-support-request.md). diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index f1b885b970..c1b07ce9d8 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier1" + ], "audience": "ITPro", "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md index 768b1e3c3f..2edd15d942 100644 --- a/windows/security/cryptography-certificate-mgmt.md +++ b/windows/security/cryptography-certificate-mgmt.md @@ -1,7 +1,6 @@ --- title: Cryptography and Certificate Management description: Get an overview of cryptography and certificate management in Windows -search.appverid: MET150 author: paolomatarazzo ms.author: paoloma manager: aaroncz @@ -9,9 +8,6 @@ ms.topic: conceptual ms.date: 09/07/2021 ms.prod: windows-client ms.technology: itpro-security -ms.localizationpriority: medium -ms.collection: -ms.custom: ms.reviewer: skhadeer, raverma --- diff --git a/windows/security/docfx.json b/windows/security/docfx.json index bb2804df03..ceef5206ad 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.localizationpriority": "medium", diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md index 0a6ef16c6e..ce118ce681 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md @@ -27,14 +27,12 @@ Windows Hello for Business cloud Kerberos trust uses *Azure AD Kerberos*, which ## Azure AD Kerberos and cloud Kerberos trust authentication -*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust.\ -For *Azure AD joined devices* to have single sign-on (SSO) to on-premises resources protected by Active Directory, they must trust and validate the DC certificates. For this to happen, a certificate revocation list (CRL) must be published to an endpoint accessible by the Azure AD joined devices. +*Key trust* and *certificate trust* use certificate authentication-based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires a PKI for DC certificates, and requires end-user certificates for certificate trust. -*Cloud Kerberos trust* uses *Azure AD Kerberos*, which doesn't require any of the above PKI to request TGTs. +Cloud Kerberos trust uses Azure AD Kerberos, which doesn't require a PKI to request TGTs.\ +With Azure AD Kerberos, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. -With *Azure AD Kerberos*, Azure AD can issue TGTs for one or more AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business, and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by the on-premises Domain Controllers. - -When *Azure AD Kerberos* is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: +When Azure AD Kerberos is enabled in an Active Directory domain, an *Azure AD Kerberos server object* is created in the domain. This object: - Appears as a Read Only Domain Controller (RODC) object, but isn't associated with any physical servers - Is only used by Azure AD to generate TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object @@ -45,7 +43,7 @@ For more information about how Azure AD Kerberos enables access to on-premises r For more information about how Azure AD Kerberos works with Windows Hello for Business cloud Kerberos trust, see [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-kerberos-trust). > [!IMPORTANT] -> When implementing the *hybrid cloud Kerberos trust* deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. +> When implementing the cloud Kerberos trust deployment model, you *must* ensure that you have an adequate number of *read-write domain controllers* in each Active Directory site where users will be authenticating with Windows Hello for Business. For more information, see [Capacity planning for Active Directory][SERV-1]. ## Prerequisites @@ -73,9 +71,9 @@ The following scenarios aren't supported using Windows Hello for Business cloud ## Deployment steps -Deploying *Windows Hello for Business cloud Kerberos trust* consists of two steps: +Deploying Windows Hello for Business cloud Kerberos trust consists of two steps: -1. Set up *Azure AD Kerberos* +1. Set up Azure AD Kerberos 1. Configure a Windows Hello for Business policy and deploy it to the devices ### Deploy Azure AD Kerberos @@ -86,7 +84,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl ### Configure Windows Hello for Business policy -After setting up the *Azure AD Kerberos object*, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). +After setting up the Azure AD Kerberos object, Windows Hello for business cloud Kerberos trust must be enabled on your Windows devices. Follow the instructions below to configure your devices using either Microsoft Intune or group policy (GPO). #### [:::image type="icon" source="../../images/icons/intune.svg"::: **Intune**](#tab/intune) @@ -116,7 +114,7 @@ Windows Hello for Business settings are also available in the settings catalog. ### Configure cloud Kerberos trust policy -To configure the *cloud Kerberos trust* policy, follow the steps below: +To configure the cloud Kerberos trust policy, follow the steps below: 1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). 1. Select **Devices** > **Windows** > **Configuration Profiles** > **Create profile**. @@ -156,7 +154,7 @@ You can also create a Group Policy Central Store and copy them their respective #### Create the Windows Hello for Business group policy object -You can configure Windows devices to enable *Windows Hello for Business cloud Kerberos trust* using a Group Policy Object (GPO). +You can configure Windows Hello for Business cloud Kerberos trust using a Group Policy Object (GPO). 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer objects in Active Directory 1. Edit the Group Policy object from Step 1 @@ -168,7 +166,7 @@ You can configure Windows devices to enable *Windows Hello for Business cloud Ke --- > [!IMPORTANT] -> If the *Use certificate for on-premises authentication* policy is enabled, *certificate trust* will take precedence over *cloud Kerberos trust*. Ensure that the machines that you want to enable *cloud Kerberos trust* have this policy *not configured* or *disabled*. +> If the *Use certificate for on-premises authentication* policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines that you want to enable cloud Kerberos trust have this policy *not configured* or *disabled*. ## Provision Windows Hello for Business @@ -196,11 +194,11 @@ This is the process that occurs after a user signs in, to enroll in Windows Hell ### Sign-in -Once a user has set up a PIN with *cloud Kerberos trust*, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. +Once a user has set up a PIN with cloud Kerberos trust, it can be used **immediately** for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached sign-in can be used for subsequent unlocks without line of sight or network connectivity. ## Migrate from key trust deployment model to cloud Kerberos trust -If you deployed Windows Hello for Business using the *key trust model*, and want to migrate to the *cloud Kerberos trust model*, follow these steps: +If you deployed Windows Hello for Business using the key trust model, and want to migrate to the cloud Kerberos trust model, follow these steps: 1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos) 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) @@ -209,14 +207,14 @@ If you deployed Windows Hello for Business using the *key trust model*, and want > [!NOTE] > For hybrid Azure AD joined devices, users must perform the first sign in with new credentials while having line of sight to a DC. > -> Without line of sight to a DC, even when the client is configured to use *cloud Kerberos trust*, the system will fall back to *key trust* if *cloud Kerberos trust* login fails. +> Without line of sight to a DC, even when the client is configured to use cloud Kerberos trust, the system will fall back to key trust if cloud Kerberos trust login fails. ## Migrate from certificate trust deployment model to cloud Kerberos trust > [!IMPORTANT] -> There is no *direct* migration path from *certificate trust* deployment to *cloud Kerberos trust* deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. +> There is no *direct* migration path from a certificate trust deployment to a cloud Kerberos trust deployment. The Windows Hello container must be deleted before you can migrate to cloud Kerberos trust. -If you deployed Windows Hello for Business using the *certificate trust model*, and want to use the *cloud Kerberos trust model*, you must redeploy Windows Hello for Business by following these steps: +If you deployed Windows Hello for Business using the certificate trust model, and want to use the cloud Kerberos trust model, you must redeploy Windows Hello for Business by following these steps: 1. Disable the certificate trust policy 1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy) diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index e094da893b..eb1922b3a8 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -128,7 +128,7 @@ You must enable Restricted Admin or Windows Defender Remote Credential Guard on - Add a new DWORD value named **DisableRestrictedAdmin**. - - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard. + - To turn on Restricted Admin and Windows Defender Remote Credential Guard, set the value of this registry setting to 0. 3. Close Registry Editor. @@ -189,4 +189,4 @@ mstsc.exe /remoteGuard - No credentials are sent to the target device, but the target device still acquires Kerberos Service Tickets on its own. -- The server and client must authenticate using Kerberos. \ No newline at end of file +- The server and client must authenticate using Kerberos. diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index b86eb930d8..93dc998a8a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -36,7 +36,7 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well. > [!NOTE] -> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users: +> To manage Bitlocker via CSP (Configuration Service Provider), except to enable and disable it, regardless of your management platform, one of the following licenses must be assigned to your users: > - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5). > - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5). diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 34b14b5105..ef5a4ad22d 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -35,13 +35,13 @@ Some TPM PCRs are used as checksums of log events. The log events are extended i To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after. -It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match. +It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using the SHA-256 PCR bank, even with the same system configuration. Otherwise, the PCR values will not match. ## What happens when PCR banks are switched? When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs. -As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. +As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR bank to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled. ## What can I do to switch PCRs when BitLocker is already active? @@ -49,7 +49,7 @@ Before switching PCR banks you should suspend or disable BitLocker – or have y ## How can I identify which PCR bank is being used? -A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. +A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may choose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. - Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
    - DWORD: TPMActivePCRBanks
    diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md index 2bbf3a6015..1d3ea2ed65 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md @@ -78,7 +78,7 @@ One of the risks that the UAC feature tries to mitigate is that of malicious pro ### Countermeasure -Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account. +Configure the **User Account Control: Behavior of the elevation prompt for standard users** to **Automatically deny elevation requests**. This setting requires the user to sign in with an administrative account to run programs that require elevation of privilege. As a security best practice, standard users shouldn't have knowledge of administrative passwords. However, if your users have both standard and administrator-level accounts, we recommend setting **Prompt for credentials on the secure desktop** so that the users don't choose to always sign in with their administrator accounts, and they shift their behavior to use the standard user account. ### Potential impact diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index f9355db522..cacb1ef857 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -68,6 +68,8 @@ href: wdac-wizard-create-supplemental-policy.md - name: Editing a WDAC policy with the Wizard href: wdac-wizard-editing-policy.md + - name: Creating WDAC Policy Rules from WDAC Events + href: wdac-wizard-parsing-event-logs.md - name: Merging multiple WDAC policies with the Wizard href: wdac-wizard-merging-policies.md - name: WDAC deployment guide diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png new file mode 100644 index 0000000000..841b3104fe Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files-expanded.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png new file mode 100644 index 0000000000..75fd7c7798 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-files.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png new file mode 100644 index 0000000000..50dcbf7715 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export-expanded.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png new file mode 100644 index 0000000000..f0e2056bcc Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-export.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png new file mode 100644 index 0000000000..ef32ad6c9a Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing-expanded.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png new file mode 100644 index 0000000000..09e857e82e Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-mde-ah-parsing.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png new file mode 100644 index 0000000000..5b3de97aff Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system-expanded.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png new file mode 100644 index 0000000000..ee1af12b3d Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-log-system.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png new file mode 100644 index 0000000000..5ae44b24cd Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation-expanded.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png new file mode 100644 index 0000000000..4fd2a0813f Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-wizard-event-rule-creation.png differ diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index fc266be640..e0b383d280 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -15,7 +15,7 @@ author: jgeurten ms.reviewer: jsuther ms.author: vinpa manager: aaroncz -ms.date: 11/01/2022 +ms.date: 02/08/2023 ms.technology: itpro-security ms.topic: article --- @@ -72,7 +72,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- ```xml - 10.0.25210.0 + 10.0.25290.0 {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234} @@ -201,6 +201,56 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -229,11 +279,16 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + + + + + + @@ -413,18 +468,44 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -557,6 +638,12 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + @@ -713,16 +800,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - @@ -745,37 +822,54 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + + + + + + + - - - - + - + + + + + + + - @@ -785,7 +879,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + @@ -797,70 +891,47 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - + + + - + - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + @@ -868,14 +939,232 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -885,17 +1174,139 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - + + + + - - + + + + - - + + + - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -927,36 +1338,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -972,24 +1353,6 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - @@ -998,394 +1361,184 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1393,38 +1546,69 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + + + + - + + + + + + + - + + + + + + + + + + + + - + + + + + + @@ -1433,58 +1617,26 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + - + @@ -1495,675 +1647,776 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + @@ -2179,7 +2432,7 @@ Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device- - 10.0.25210.0 + 10.0.25290.0 diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index b4c9fd2969..73c7ef9d1e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro author: jgeurten -ms.reviewer: isbrahm +ms.reviewer: jsuther1974 ms.author: vinpa manager: aaroncz ms.topic: conceptual diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md new file mode 100644 index 0000000000..c89baad871 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-parsing-event-logs.md @@ -0,0 +1,141 @@ +--- +title: Windows Defender Application Control Wizard WDAC Event Parsing +description: Creating WDAC policy rules from the WDAC event logs and the MDE Advanced Hunting WDAC events. +keywords: WDAC event parsing, allow listing, block listing, security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: windows-client +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +author: jgeurten +ms.reviewer: jsuther1974 +ms.author: vinpa +manager: aaroncz +ms.topic: conceptual +ms.date: 02/01/2023 +ms.technology: itpro-security +--- + +# Creating WDAC Policy Rules from WDAC Events in the Wizard + +**Applies to** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and above + +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). + +As of [version 2.2.0.0](https://webapp-wdac-wizard.azurewebsites.net/archives.html), the WDAC Wizard supports creating WDAC policy rules from the following event log types: + +1. [WDAC event log events on the system](#wdac-event-viewer-log-parsing) +2. [Exported WDAC events (EVTX files) from any system](#wdac-event-log-file-parsing) +3. [Exported WDAC events from MDE Advanced Hunting](#mde-advanced-hunting-wdac-event-parsing) + + +## WDAC Event Viewer Log Parsing + +To create rules from the WDAC event logs on the system: + +1. Select **Policy Editor** from the WDAC Wizard main page. +2. Select **Convert Event Log to a WDAC Policy**. +3. Select the **Parse Event Logs** button under the **Parse Event Logs from the System Event Viewer to Policy** header. + + The Wizard will parse the relevant audit and block events from the CodeIntegrity (WDAC) Operational and AppLocker MSI and Script logs. You'll see a notification when the Wizard successfully finishes reading the events. + + > [!div class="mx-imgBorder"] + > [![Parse WDAC and AppLocker event log system events](images/wdac-wizard-event-log-system.png)](images/wdac-wizard-event-log-system-expanded.png) + +4. Select the Next button to view the audit and block events and create rules. +5. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## WDAC Event Log File Parsing + +To create rules from the WDAC `.EVTX` event logs files on the system: + +1. Select **Policy Editor** from the WDAC Wizard main page. +2. Select **Convert Event Log to a WDAC Policy**. +3. Select the **Parse Log File(s)** button under the **Parse Event Log evtx Files to Policy** header. +4. Select the WDAC CodeIntegrity Event log EVTX file(s) from the disk to parse. + + The Wizard will parse the relevant audit and block events from the selected log files. You'll see a notification when the Wizard successfully finishes reading the events. + + > [!div class="mx-imgBorder"] + > [![Parse evtx file WDAC events](images/wdac-wizard-event-log-files.png)](images/wdac-wizard-event-log-files-expanded.png) + +5. Select the Next button to view the audit and block events and create rules. +6. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## MDE Advanced Hunting WDAC Event Parsing + +To create rules from the WDAC events in [MDE Advanced Hunting](querying-application-control-events-centrally-using-advanced-hunting.md): + +1. Navigate to the Advanced Hunting section within the MDE console and query the WDAC events. **The Wizard requires the following fields** in the Advanced Hunting csv file export: + + ```KQL + | project Timestamp, DeviceId, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, IssuerName, IssuerTBSHash, PublisherName, PublisherTBSHash, AuthenticodeHash, PolicyId, PolicyName + ``` + + The following Advanced Hunting query is recommended: + + ```KQL + DeviceEvents + // Take only WDAC events + | where ActionType startswith 'AppControlCodeIntegrity' + // SigningInfo Fields + | extend IssuerName = parsejson(AdditionalFields).IssuerName + | extend IssuerTBSHash = parsejson(AdditionalFields).IssuerTBSHash + | extend PublisherName = parsejson(AdditionalFields).PublisherName + | extend PublisherTBSHash = parsejson(AdditionalFields).PublisherTBSHash + // Audit/Block Fields + | extend AuthenticodeHash = parsejson(AdditionalFields).AuthenticodeHash + | extend PolicyId = parsejson(AdditionalFields).PolicyID + | extend PolicyName = parsejson(AdditionalFields).PolicyName + // Keep only required fields for the WDAC Wizard + | project Timestamp,DeviceId,DeviceName,ActionType,FileName,FolderPath,SHA1,SHA256,IssuerName,IssuerTBSHash,PublisherName,PublisherTBSHash,AuthenticodeHash,PolicyId,PolicyName + ``` + +2. Export the WDAC event results by selecting the **Export** button in the results view. + + > [!div class="mx-imgBorder"] + > [![Export the MDE Advanced Hunting results to CSV](images/wdac-wizard-event-log-mde-ah-export.png)](images/wdac-wizard-event-log-mde-ah-export-expanded.png) + +3. Select **Policy Editor** from the WDAC Wizard main page. +4. Select **Convert Event Log to a WDAC Policy**. +5. Select the **Parse Log File(s)** button under the "Parse MDE Advanced Hunting Events to Policy" header. +6. Select the WDAC MDE Advanced Hunting export CSV files from the disk to parse. + + The Wizard will parse the relevant audit and block events from the selected Advanced Hunting log files. You'll see a notification when the Wizard successfully finishes reading the events. + + > [!div class="mx-imgBorder"] + > [![Parse the Advanced Hunting CSV WDAC event files](images/wdac-wizard-event-log-mde-ah-parsing.png)](images/wdac-wizard-event-log-mde-ah-parsing-expanded.png) + +7. Select the Next button to view the audit and block events and create rules. +8. [Generate rules from the events](#creating-policy-rules-from-the-events). + +## Creating Policy Rules from the Events + +On the "Configure Event Log Rules" page, the unique WDAC log events will be shown in the table. Event Ids, filenames, product names, the policy name that audited or blocked the file, and the file publisher are all shown in the table. The table can be sorted alphabetically by clicking on any of the headers. + +To create a rule and add it to the WDAC policy: + +1. Select an audit or block event in the table by selecting the row of interest. +2. Select a rule type from the dropdown. The Wizard supports creating Publisher, Path, File Attribute, Packaged App and Hash rules. +3. Select the attributes and fields that should be added to the policy rules using the checkboxes provided for the rule type. +4. Select the **Add Allow Rule** button to add the configured rule to the policy generated by the Wizard. The "Added to policy" label will be added to the selected row confirming that the rule will be generated. + + > [!div class="mx-imgBorder"] + > [![Adding a publisher rule to the WDAC policy](images/wdac-wizard-event-rule-creation.png)](images/wdac-wizard-event-rule-creation-expanded.png) + +5. Select the **Next** button to output the policy. Once generated, the event log policy should be merged with your base or supplemental policies. + +> [!WARNING] +> It is not recommended to deploy the event log policy on its own, as it likely lacks rules to authorize Windows and may cause blue screens. + + +## Up next + +- [Merging Windows Defender Application Control (WDAC) policies using the Wizard](wdac-wizard-merging-policies.md) diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index 5d976ff196..ecb03506c1 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -2,13 +2,13 @@ title: Common Criteria Certifications description: This topic details how Microsoft supports the Common Criteria certification program. ms.prod: windows-client -ms.author: paoloma -author: paolomatarazzo +ms.author: sushmanemali +author: s4sush manager: aaroncz ms.topic: article ms.localizationpriority: medium ms.date: 11/4/2022 -ms.reviewer: +ms.reviewer: paoloma ms.technology: itpro-security --- @@ -24,12 +24,16 @@ The product releases below are currently certified against the cited *Protection - The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration - The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions -For more details, expand each product section. +### Windows 11, Windows 10 (version 20H2, 21H1, 21H2), Windows Server, Windows Server 2022, Azure Stack HCIv2 version 21H2, Azure Stack Hub and Edge -
    +Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients -
    - Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) +- [Security Target](https://download.microsoft.com/download/c/5/9/c59832ff-414b-4f15-8273-d0c349a0b154/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Security%20Target%20(21H2%20et%20al).pdf) +- [Administrative Guide](https://download.microsoft.com/download/9/1/7/9178ce6a-8117-42e7-be0d-186fc4a89ca6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Administrative%20Guide%20(21H2%20et%20al).pdf) +- [Assurance Activity Report](https://download.microsoft.com/download/4/1/6/416151fe-63e7-48c0-a485-1d87148c71fe/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Assurance%20Activity%20Report%20(21H2%20et%20al).pdf) +- [Validation Report](https://download.microsoft.com/download/e/3/7/e374af1a-3c5d-42ee-8e19-df47d2c0e3d6/Microsoft%20Windows,%20Windows%20Server,%20Azure%20Stack%20Validation%20Report%20(21H2%20et%20al).pdf) + +### Windows 10, version 2004, Windows Server, version 2004, Windows Server Core Datacenter (Azure Fabric Controller), Windows Server Core Datacenter (Azure Stack) Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients @@ -38,10 +42,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Validation Report](https://download.microsoft.com/download/1/c/b/1cb65e32-f87d-41dd-bc29-88dc943fad9d/Windows%2010%202004%20GP%20OS%20Validation%20Reports.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/3/2/4/324562b6-0917-4708-8f9d-8d2d12859839/Windows%2010%202004%20GP%20OS%20Assurance%20Activity%20Report-Public%20.pdf) -
    - -
    - Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V +### Windows 10, version 1909, Windows Server, version 1909, Windows Server 2019, version 1809 Hyper-V Certified against the Protection Profile for Virtualization, including the Extended Package for Server Virtualization. @@ -50,10 +51,7 @@ Certified against the Protection Profile for Virtualization, including the Exten - [Validation Report](https://download.microsoft.com/download/4/7/6/476ca991-631d-4943-aa89-b0cd4f448d14/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Validation%20Report.pdf) - [Assurance Activities Report](https://download.microsoft.com/download/3/b/4/3b4818d8-62a1-4b8d-8cb4-9b3256564355/Windows%20+%20Windows%20Server%201909,%20Windows%20Server%202019%20Hyper-V%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1909, Windows Server, version 1909 +### Windows 10, version 1909, Windows Server, version 1909 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients and the Module for Virtual Private Network Clients. @@ -62,10 +60,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/9/f/3/9f350b73-1790-4dcb-97f7-a0e65a00b55f/Windows%2010%201909%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/0/0/d/00d26b48-a051-4e9a-8036-850d825f8ef9/Windows%2010%201909%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1903, Windows Server, version 1903 +### Windows 10, version 1903, Windows Server, version 1903 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -74,10 +69,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/2/1/9/219909ad-2f2a-44cc-8fcb-126f28c74d36/Windows%2010%201903%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/2/a/1/2a103b68-cd12-4476-8945-873746b5f432/Windows%2010%201903%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1809, Windows Server, version 1809 +### Windows 10, version 1809, Windows Server, version 1809 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -86,10 +78,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/9/4/0/940ac551-7757-486d-9da1-7aa0300ebac0/Windows%2010%20version%201809%20GP%20OS%20Certification%20Report%20-%202018-61-INF-2795.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/6/6/a66bfcf1-f6ef-4991-ab06-5b1c01f91983/Windows%2010%201809%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1803, Windows Server, version 1803 +### Windows 10, version 1803, Windows Server, version 1803 Certified against the Protection Profile for General Purpose Operating Systems, including the Extended Package for Wireless Local Area Network Clients. @@ -98,10 +87,7 @@ Certified against the Protection Profile for General Purpose Operating Systems, - [Certification Report](https://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/b/3/d/b3da41b6-6ebc-4a26-a581-2d2ad8d8d1ac/Windows%2010%201803%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1709, Windows Server, version 1709 +### Windows 10, version 1709, Windows Server, version 1709 Certified against the Protection Profile for General Purpose Operating Systems. @@ -110,10 +96,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/e/7/6/e7644e3c-1e59-4754-b071-aec491c71849/Windows%2010%201709%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1703, Windows Server, version 1703 +### Windows 10, version 1703, Windows Server, version 1703 Certified against the Protection Profile for General Purpose Operating Systems. @@ -122,10 +105,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/e/9/ae9a2235-e1cd-4869-964d-c8260f604367/Windows%2010%201703%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 Certified against the Protection Profile for General Purpose Operating Systems. @@ -134,10 +114,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Validation Report](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/5/f/a5f08a43-75f9-4433-bd77-aeb14276e587/Windows%2010%201607%20GP%20OS%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1507, Windows Server 2012 R2 +### Windows 10, version 1507, Windows Server 2012 R2 Certified against the Protection Profile for General Purpose Operating Systems. @@ -146,8 +123,6 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/7/e/5/7e5575c9-10f9-4f3d-9871-bd7cf7422e3b/Windows%2010%20(1507),%20Windows%20Server%202012%20R2%20GPOS%20Assurance%20Activity%20Report.pdf) -
    - ## Archived certified products The product releases below were certified against the cited *Protection Profile* and are now archived, as listed on the [Common Criteria Portal](https://www.commoncriteriaportal.org/products/index.cfm?archived=1): @@ -156,12 +131,7 @@ The product releases below were certified against the cited *Protection Profile* - The *Administrative Guide* provides guidance on configuring the product to match the evaluated configuration - The *Certification Report or Validation Report* documents the results of the evaluation by the validation team, with the *Assurance Activity Report* providing details on the evaluator's actions -For more details, expand each product section. - - -
    -
    - Windows Server 2016, Windows Server 2012 R2, Windows 10 +### Windows Server 2016, Windows Server 2012 R2, Windows 10 Certified against the Protection Profile for Server Virtualization. @@ -170,10 +140,7 @@ Certified against the Protection Profile for Server Virtualization. - [Validation Report](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/3/f/c/3fcc76e1-d471-4b44-9a19-29e69b6ab899/Windows%2010%20Hyper-V,%20Server%202016,%20Server%202012%20R2%20Virtualization%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1607, Windows 10 Mobile, version 1607 +### Windows 10, version 1607, Windows 10 Mobile, version 1607 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -182,10 +149,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/9/3/9/939b44a8-5755-4d4c-b020-d5e8b89690ab/Windows%2010%20and%20Windows%2010%20Mobile%201607%20MDF%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1607, Windows Server 2016 +### Windows 10, version 1607, Windows Server 2016 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -194,10 +158,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Validation Report](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/b/8/d/b8ddc36a-408a-4d64-a31c-d41c9c1e9d9e/Windows%2010%201607,%20Windows%20Server%202016%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1511 +### Windows 10, version 1511 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -206,10 +167,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/1/f/1/1f12ed80-6d73-4a16-806f-d5116814bd7c/Windows%2010%20November%202015%20Update%20(1511)%20MDF%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1507, Windows 10 Mobile, version 1507 +### Windows 10, version 1507, Windows 10 Mobile, version 1507 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -218,10 +176,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10694-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/a/1/3/a1365491-0a53-42cd-bd73-ca4067c43d86/Windows%2010,%20Windows%2010%20Mobile%20(1507)%20MDF%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 10, version 1507 +### Windows 10, version 1507 Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -230,10 +185,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Validation Report](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) - [Assurance Activity Report](https://download.microsoft.com/download/9/3/6/93630ffb-5c06-4fea-af36-164da3e359c9/Windows%2010%20IPsec%20VPN%20Client%20Assurance%20Activity%20Report.pdf) -
    - -
    - Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830 +### Windows 8.1 with Surface 3, Windows Phone 8.1 with Lumia 635 and Lumia 830 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -241,10 +193,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10635-vr.pdf) -
    - -
    - Surface Pro 3, Windows 8.1 +### Surface Pro 3, Windows 8.1 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -252,10 +201,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10632-vr.pdf) -
    - -
    - Windows 8.1, Windows Phone 8.1 +### Windows 8.1, Windows Phone 8.1 Certified against the Protection Profile for Mobile Device Fundamentals. @@ -263,10 +209,7 @@ Certified against the Protection Profile for Mobile Device Fundamentals. - [Administrative Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10592-vr.pdf) -
    - -
    - Windows 8, Windows Server 2012 +### Windows 8, Windows Server 2012 Certified against the Protection Profile for General Purpose Operating Systems. @@ -274,10 +217,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10520-vr.pdf) -
    - -
    - Windows 8, Windows RT +### Windows 8, Windows RT Certified against the Protection Profile for General Purpose Operating Systems. @@ -285,10 +225,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10620-vr.pdf) -
    - -
    - Windows 8, Windows Server 2012 BitLocker +### Windows 8, Windows Server 2012 BitLocker Certified against the Protection Profile for Full Disk Encryption. @@ -296,10 +233,7 @@ Certified against the Protection Profile for Full Disk Encryption. - [Administrative Guide](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) -
    - -
    - Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client +### Windows 8, Windows RT, Windows Server 2012 IPsec VPN Client Certified against the Protection Profile for IPsec Virtual Private Network (VPN) Clients. @@ -307,10 +241,7 @@ Certified against the Protection Profile for IPsec Virtual Private Network (VPN) - [Administrative Guide](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) -
    - -
    - Windows 7, Windows Server 2008 R2 +### Windows 7, Windows Server 2008 R2 Certified against the Protection Profile for General Purpose Operating Systems. @@ -318,46 +249,31 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) -
    - -
    - Microsoft Windows Server 2008 R2 Hyper-V Role +### Microsoft Windows Server 2008 R2 Hyper-V Role - [Security Target](https://www.microsoft.com/download/en/details.aspx?id=29305) - [Administrative Guide](https://www.microsoft.com/download/en/details.aspx?id=29308) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) -
    - -
    - Windows Vista, Windows Server 2008 at EAL4+ +### Windows Vista, Windows Server 2008 at EAL4+ - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) -
    - -
    - Windows Vista, Windows Server 2008 at EAL1 +### Windows Vista, Windows Server 2008 at EAL1 - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - [Certification Report](https://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) -
    - -
    - Microsoft Windows Server 2008 Hyper-V Role +### Microsoft Windows Server 2008 Hyper-V Role - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - [Administrative Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) - [Certification Report](http://www.commoncriteriaportal.org:80/files/epfiles/0570a_pdf.pdf) -
    - -
    - Windows Server 2003 Certificate Server +### Windows Server 2003 Certificate Server - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) - [Administrator's Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) @@ -366,12 +282,7 @@ Certified against the Protection Profile for General Purpose Operating Systems. - [Evaluation Technical Report](https://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) -
    - -
    - Windows Rights Management Services +### Windows Rights Management Services - [Security Target](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) - [Validation Report](https://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) - -
    \ No newline at end of file diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json index 19bd51f371..bd292f17c7 100644 --- a/windows/whats-new/docfx.json +++ b/windows/whats-new/docfx.json @@ -34,6 +34,9 @@ "externalReference": [], "globalMetadata": { "recommendations": true, + "ms.collection": [ + "tier2" + ], "breadcrumb_path": "/windows/resources/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.topic": "article",