deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'w11' of https://github.com/MicrosoftDocs/windows-docs-pr into w11

Browse Source
This commit is contained in:
greg-lindsay 2021-08-20 12:40:06 -07:00
commit ac0c2424df
73 changed files with 1753 additions and 477 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bcs/docfx.json
View File

@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
"extendBreadcrumb": true,
"contributors_to_exclude": [

1
browsers/edge/docfx.json
View File

@ -27,6 +27,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",

1
browsers/internet-explorer/docfx.json
View File

@ -23,6 +23,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",

1
devices/hololens/docfx.json
View File

@ -30,6 +30,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",

1
devices/surface-hub/docfx.json
View File

@ -24,6 +24,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",

1
devices/surface/docfx.json
View File

@ -22,6 +22,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",

1
education/docfx.json
View File

@ -26,6 +26,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"ROBOTS": "INDEX, FOLLOW",
"audience": "windows-education",
"ms.topic": "article",

1
gdpr/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"author": "eross-msft",
"ms.author": "lizross",
"feedback_system": "GitHub",

1
mdop/docfx.json
View File

@ -22,6 +22,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",

1
smb/docfx.json
View File

@ -29,6 +29,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "None",

139
store-for-business/device-guard-signing-portal.md
View File

@ -17,6 +17,11 @@ ms.date: 07/21/2021
# Device Guard signing
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -37,13 +42,7 @@ ms.date: 07/21/2021
>
> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**
- Windows 10
- Windows 10 Mobile
Device Guard signing is a Device Guard feature that is available in Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
@ -54,6 +53,132 @@ Device Guard is a feature set that consists of both hardware and software system
| [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) | When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. |
| [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) | Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. |
## Device Guard Signing Service (v2) PowerShell Commands
> [!NOTE]
> [.. common ..] are parameters common across all commands that are documented below the command definitions.
**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant.
- Usage:
```powershell
Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate.
- Usage:
```powershell
Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent).
- Usage:
```powershell
Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be a .xml file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns XML objects returning the XML file.
- Command running time:
The average running time is under 10 seconds.
**Submit-SigningJob** Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly.
- Usage:
```powershell
Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
- Parameters:
**InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.cat or .bin).
**OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. (note: create the folder first)
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
**TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
- Usage:
```powershell
Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
- Parameters:
**InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin).
**OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten.
> [!NOTE]
> Create the folder first.
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
**TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Common parameters [.. common ..]**
In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters.
- Usage:
```powershell
... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose]
```
- Parameters:
**NoPrompt** - switch, optional - If present, indicates that the script is running in a headless
environment and that all UI should be suppressed. If UI must be displayed (e.g., for
authentication) when the switch is set, the operation will instead fail.
**Credential + AppId** - PSCredential - A login credential (username and password) and AppId.
## File and size limits
When you're uploading files for Device Guard signing, there are a few limits for files and file size:

1
store-for-business/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"ms.author": "trudyha",
"audience": "ITPro",

1
windows/access-protection/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"audience": "ITPro",

906
windows/application-management/apps-in-windows-10.md
View File

@ -1,5 +1,5 @@
---
title: Windows 10 - Apps
title: Learn about the different app types in Windows 10 | Microsoft Docs
ms.reviewer:
manager: dansimp
description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps.
@ -16,172 +16,788 @@ ms.topic: article
>Applies to: Windows 10
The following types of apps run on Windows 10:
- Windows apps - introduced in Windows 8, primarily installed from the Store app.
- Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps.
- "Win32" apps - traditional Windows applications.
On your Windows 10 devices, you can run the following app types:
Digging into the Windows apps, there are two categories:
- Apps - All other apps, installed in C:\Program Files\WindowsApps. There are two classes of apps:
- Provisioned: Installed in user account the first time you sign in with a new user account.
- Installed: Installed as part of the OS.
- System apps - Apps that are installed in the C:\Windows\* directory. These apps are integral to the OS.
- **Windows apps**: These apps are included with the Windows OS, and are also installed from the Microsoft Store app. There are two categories:
The following tables list the system apps, installed Windows apps, and provisioned Windows apps in a standard Windows 10 Enterprise installation. (If you have a custom image, your specific apps might differ.) The tables list the app, the full name, show the app's status in Windows 10 version 1709, 1803, and 1809 and indicate whether an app can be uninstalled through the UI.
- **Apps**: All apps installed in `C:\Program Files\WindowsApps`. There are two classes of apps:
Some of the apps show up in multiple tables - that's because their status changed between versions. Make sure to check the version column for the version you are currently running.
- **Provisioned**: Installed in user account the first time you sign in with a new user account.
- **Installed**: Installed as part of the OS.
- **System apps**: Apps installed in the `C:\Windows\` directory. These apps are part of the Windows OS.
- **Universal Windows Platform (UWP) apps**: These apps run and can be installed on many Windows platforms, including tablets, Microsoft HoloLens, Xbox, and more. All UWP apps are Windows apps. But, not all Windows apps are UWP apps.
- **Win32 apps**: These apps are traditional Windows applications.
This article lists the provisioned Windows apps and system apps installed on a standard Windows 10 Enterprise device. If you use custom images, your specific apps might be different.
Some of the apps show up in multiple areas. That's because their status changed between versions. Make sure to check the version column for the version you're currently running.
## Provisioned Windows apps
You can list all provisioned Windows apps with this PowerShell command:
The first time a user signs into a Windows device, some apps are automatically provisioned. To get a list of all provisioned Windows apps, run the following Windows PowerShell command:
```Powershell
Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName
```
Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004.
The following information lists the provisioned apps on the supported Windows 10 OS versions:
<br/>
- [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | Package name: Microsoft.3DBuilder
- Supported versions:
| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? |
|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:|
| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes |
| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App |
| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | | No |
| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes |
| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | | No |
| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | | |
| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | | No |
| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No |
| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.VP9VideoExtensions | | | x | x | x | x | No |
| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No |
| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No |
| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No |
| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No |
| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No |
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ✔️ | ✔️ | | | | | |
>[!NOTE]
>The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it.
---
- [Bing Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ✔️ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
---
- [Desktop App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | Package name: Microsoft.DesktopAppInstaller
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| Use Settings App | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
---
- [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | Package name: Microsoft.GetHelp
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
---
- [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | Package name: Microsoft.Getstarted
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
---
- [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.HEIFImageExtension
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️|✔️ | ✔️| ✔️| ✔️|
---
- [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️|
---
- [Microsoft 3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftSolitaireCollection
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftStickyNotes
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | Package name: Microsoft.MixedReality.Portal
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | Package name: Microsoft.MSPaint
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | Package name: Microsoft.Office.OneNote
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ✔️ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | Package name: Microsoft.OneConnect
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️|
---
- Microsoft.Outlook.DesktopIntegrationServices
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| | ✔️ | ✔️| | ✔️| | |
---
- [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | Package name: Microsoft.People
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | Package name: Microsoft.Print3D
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| | ✔️| ✔️| ✔️|
---
- [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | Package name: Microsoft.SkypeApp
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | Package name: Microsoft.StorePurchaseApp
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- Microsoft.VP9VideoExtensions
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | Package name: Microsoft.Wallet
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | Package name: Microsoft.WebMediaExtensions
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.WebpImageExtension
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | Package name: Microsoft.Windows.Photos
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | Package name: Microsoft.WindowsAlarms
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | Package name: Microsoft.WindowsCalculator
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | Package name: Microsoft.WindowsCamera
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | Package name: microsoft.windowscommunicationsapps
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | Package name: Microsoft.WindowsFeedbackHub
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | Package name: Microsoft.WindowsMaps
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | Package name: Microsoft.WindowsStore
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you can restore your system from a backup, or reset your system. Instead of removing the Store app, use group policies to hide or disable it.
- [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | Package name: Microsoft.Xbox.TCUI
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | Package name: Microsoft.XboxApp
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | Package name: Microsoft.XboxGameOverlay
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | Package name: Microsoft.XboxGamingOverlay
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | Package name: Microsoft.XboxIdentityProvider
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- Microsoft.XboxSpeechToTextOverlay
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
- [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | Package name: Microsoft.ZuneVideo
- Supported versions:
---
| Uninstall through UI? | 21H1 | 20H2 | 2004 | 1909| 1903| 1809 |
| --- | --- | --- | --- | --- | --- |--- |
| ❌ | ✔️ | ✔️| ✔️ | ✔️| ✔️| ✔️|
---
## System apps
System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1709, 1803, and 1809.
You can list all system apps with this PowerShell command:
System apps are used by the operating system. To get a list of all the system apps, run the following Windows PowerShell command:
```Powershell
Get-AppxPackage -PackageTypeFilter Main | ? { $_.SignatureKind -eq "System" } | Sort Name | Format-Table Name, InstallLocation
```
<br/>
| Name | Package Name | 1709 | 1803 | 1809 |Uninstall through UI? |
|----------------------------------|---------------------------------------------|:-----:|:----:|:----:|-----------------------|
| File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | x | x | No |
| File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | x | x | No |
| App Resolver UX | E2A4F912-2574-4A75-9BB0-0D023378592B | | x | x | No |
| Add Suggested Folders To Library | F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE | | x | x | No |
| | InputApp | x | x | x | No |
| Microsoft.AAD.Broker.Plugin | Microsoft.AAD.Broker.Plugin | x | x | x | No |
| Microsoft.AccountsControl | Microsoft.AccountsControl | x | x | x | No |
| Microsoft.AsyncTextService | Microsoft.AsyncTextService | | x | x | No |
| Hello setup UI | Microsoft.BioEnrollment | x | x | x | No |
| | Microsoft.CredDialogHost | x | x | x | No |
| | Microsoft.ECApp | x | x | x | No |
| | Microsoft.LockApp | x | x | x | No |
| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x | No |
| | Microsoft.MicrosoftEdgeDevToolsClient | | x | x | No |
| | Microsoft.PPIProjection | x | x | x | No |
| | Microsoft.Win32WebViewHost | | x | x | No |
| | Microsoft.Windows.Apprep.ChxApp | x | x | x | No |
| | Microsoft.Windows.AssignedAccessLockApp | x | x | x | No |
| | Microsoft.Windows.CapturePicker | | x | x | No |
| | Microsoft.Windows.CloudExperienceHost | x | x | x | No |
| | Microsoft.Windows.ContentDeliveryManager | x | x | x | No |
| Cortana | Microsoft.Windows.Cortana | x | x | x | No |
| | Microsoft.Windows.Holographic.FirstRun | x | x | | No |
| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x | No |
| | Microsoft.Windows.OOBENetworkConnectionFlow | x | x | x | No |
| | Microsoft.Windows.ParentalControls | x | x | x | No |
| People Hub | Microsoft.Windows.PeopleExperienceHost | x | x | x | No |
| | Microsoft.Windows.PinningConfirmationDialog | x | x | x | No |
| | Microsoft.Windows.SecHealthUI | x | x | x | No |
| | Microsoft.Windows.SecondaryTileExperience | x | | | No |
| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x | No |
| Start | Microsoft.Windows.ShellExperienceHost | x | x | x | No |
| Windows Feedback | Microsoft.WindowsFeedback | * | | | No |
| | Microsoft.XboxGameCallableUI | x | x | x | No |
| | Windows.CBSPreview | | x | x | No |
| Contact Support* | Windows.ContactSupport | * | | | Via Settings App |
| Settings | Windows.immersivecontrolpanel | x | x | x | No |
| Print 3D | Windows.Print3D | | x | x | Yes |
| Print UI | Windows.PrintDialog | x | x | x | No |
The following information lists the system apps on some Windows 10 OS versions:
> [!NOTE]
> The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support).
## Installed Windows apps
Here are the typical installed Windows apps in Windows 10 versions 1709, 1803, and 1809.
<br/>
| Name | Full name | 1709 | 1803 | 1809 | Uninstall through UI? |
|-----------------------|------------------------------------------|:----:|:----:|:----:|:---------------------:|
| Remote Desktop | Microsoft.RemoteDesktop | x | | x | Yes |
| Code Writer | ActiproSoftwareLLC.562882FEEB491 | x | x | | Yes |
| Eclipse Manager | 46928bounde.EclipseManager | x | x | | Yes |
| Pandora | PandoraMediaInc.29680B314EFC2 | x | x | | Yes |
| Photoshop Express | AdobeSystemIncorporated. AdobePhotoshop | x | x | | Yes |
| Duolingo | D5EA27B7.Duolingo- LearnLanguagesforFree | x | x | | Yes |
| Network Speed Test | Microsoft.NetworkSpeedTest | x | x | x | Yes |
| News | Microsoft.BingNews | x | x | x | Yes |
| Sway | Microsoft.Office.Sway | x | x | x | Yes |
| Microsoft.Advertising | Microsoft.Advertising.Xaml | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.2 | x | x | | Yes |
| | Microsoft.NET.Native.Framework.1.3 | x | x | | Yes |
| | Microsoft.NET.Native.Framework.1.6 | x | x | x | Yes |
| | Microsoft.NET.Native.Framework.1.7 | | x | x | Yes |
| | Microsoft.NET.Native.Framework.2.0 | x | x | | Yes |
| | Microsoft.NET.Native.Runtime.1.1 | x | x | | Yes |
| | Microsoft.NET.Native.Runtime.1.3 | x | | | Yes |
| | Microsoft.NET.Native.Runtime.1.4 | x | x | | Yes |
| | Microsoft.NET.Native.Runtime.1.6 | x | x | x | Yes |
| | Microsoft.NET.Native.Runtime.1.7 | x | x | x | Yes |
| | Microsoft.NET.Native.Runtime.2.0 | x | x | | Yes |
| | Microsoft.Services.Store.Engagement | x | x | | Yes |
| | Microsoft.VCLibs.120.00 | x | x | | Yes |
| | Microsoft.VCLibs.140.00 | x | x | x | Yes |
| | Microsoft.VCLibs.120.00.Universal | x | | | Yes |
| | Microsoft.VCLibs.140.00.UWPDesktop | | x | | Yes |
- File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- InputApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | | | ✔️ |
---
- Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.AccountsControl | Package name: Microsoft.AccountsControl
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Hello setup UI | Package name: Microsoft.BioEnrollment
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.CredDialogHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.ECApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.LockApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft Edge | Package name: Microsoft.MicrosoftEdge
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.MicrosoftEdgeDevToolsClient
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.PPIProjection
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | | | ✔️ |
---
- Microsoft.Win32WebViewHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.Apprep.ChxApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.AssignedAccessLockApp
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.CapturePicker
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.CloudExperienceHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.ContentDeliveryManager
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Cortana | Package name: Microsoft.Windows.Cortana
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | | | ✔️ |
---
- Microsoft.Windows.OOBENetworkCaptivePort
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.OOBENetworkConnectionFlow
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.ParentalControls
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- People Hub | Package name: Microsoft.Windows.PeopleExperienceHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.PinningConfirmationDialog
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.SecHealthUI
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.Windows.SecureAssessmentBrowser
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Start | Package name: Microsoft.Windows.ShellExperienceHost
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Microsoft.XboxGameCallableUI
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Windows.CBSPreview
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Settings | Package name: Windows.immersivecontrolpanel
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---
- Print 3D | Package name: Windows.Print3D
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ✔️ | | | ✔️ |
---
- Print UI | Package name: Windows.PrintDialog
---
| Uninstall through UI? | 21H1 | 20H2 | 1809 |
| --- | --- | --- | --- |
| ❌ | ✔️ | ✔️| ✔️ |
---

1
windows/application-management/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

2
windows/application-management/sideload-apps-in-windows-10.md
View File

@ -14,10 +14,10 @@ ms.date: 05/20/2019
---
# Sideload LOB apps in Windows 10
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!NOTE]
> As of Windows Insider Build 18956, sideloading is enabled by default. Now, you can deploy a signed package onto a device without a special configuration.

8
windows/application-management/toc.yml
View File

@ -3,16 +3,16 @@ items:
href: index.yml
- name: Application management
items:
- name: Apps in Windows 10
href: apps-in-windows-10.md
- name: Add apps and features in Windows 10
href: add-apps-and-features.md
- name: Sideload apps
href: sideload-apps-in-windows-10.md
- name: Remove background task resource restrictions
href: enterprise-background-activity-controls.md
- name: Enable or block Windows Mixed Reality apps in the enterprise
href: manage-windows-mixed-reality.md
- name: Understand apps in Windows 10
href: apps-in-windows-10.md
- name: Add apps and features in Windows 10
href: add-apps-and-features.md
- name: Repackage win32 apps in the MSIX format
href: msix-app-packaging-tool.md
- name: Application Virtualization (App-V)

1
windows/client-management/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

32
windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
View File

@ -1,6 +1,6 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
@ -18,7 +18,7 @@ ms.date: 06/26/2017
# Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
@ -37,27 +37,29 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
> - Bulk Token creation is not supported with federated accounts.
## What you need
- Windows 10 devices
- Windows Imaging and Configuration Designer (ICD) tool
To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows ICD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Windows 10 devices.
- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
## Create and apply a provisioning package for on-premises authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
![icd start page](images/bulk-enrollment7.png)
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
@ -70,7 +72,8 @@ Using the ICD, create a provisioning package using the enrollment information re
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the ICD at this point.
Here is the screenshot of the WCD at this point.
![bulk enrollment screenshot](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
@ -90,12 +93,12 @@ Using the ICD, create a provisioning package using the enrollment information re
## Create and apply a provisioning package for certificate authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
@ -129,8 +132,7 @@ Using the ICD, create a provisioning package using the enrollment information re
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
- [Apply a package to a Windows 10 desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package to a Windows 10 Mobile image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN.
- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu

198
windows/client-management/mdm/defender-csp.md
View File

@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 07/23/2021
ms.date: 08/05/2021
---
# Defender CSP
@ -35,6 +35,18 @@ Defender
------------InitialDetectionTime
------------LastThreatStatusChangeTime
------------NumberOfDetections
----EnableNetworkProtection
--------AllowNetworkProtectionDownLevel
--------AllowNetworkProtectionOnWinServer
--------DisableNetworkProtectionPerfTelemetry
--------DisableDatagramProcessing
--------DisableInboundConnectionFiltering
--------EnableDnsSinkhole
--------DisableDnsOverTcpParsing
--------DisableHttpParsing
--------DisableRdpParsing
--------DisableSshParsing
--------DisableTlsParsing
----Health
--------ProductStatus (Added in Windows 10 version 1809)
--------ComputerState
@ -189,6 +201,27 @@ The following list shows the supported values:
Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
The data type is integer.
The following list shows the supported values:
- 0 = Active
- 1 = Action failed
- 2 = Manual steps required
- 3 = Full scan required
- 4 = Reboot required
- 5 = Remediated with noncritical failures
- 6 = Quarantined
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
- 10 = No Status (Cleared)
Supported operation is Get.
<a href="" id="detections-threatid-executionstatus"></a>**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
@ -217,6 +250,139 @@ The data type is integer.
Supported operation is Get.
<a href="" id="enablenetworkprotection"></a>**EnableNetworkProtection**
The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
The acceptable values for this parameter are:
- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log.
Accepted values: Disabled, Enabled, and AuditMode
Position: Named
Default value: Disabled
Accept pipeline input: False
Accept wildcard characters: False
<a href="" id="enablenetworkprotection-allownetworkprotectiondownlevel"></a>**EnableNetworkProtection/AllowNetworkProtectionDownLevel**
By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-allownetworkprotectiononwinserver"></a>**EnableNetworkProtection/AllowNetworkProtectionOnWinServer**
By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablenetworkprotectionperftelemetry"></a>**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry**
Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disabledatagramprocessing"></a>**EnableNetworkProtection/DisableDatagramProcessing**
Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disableinboundconnectionfiltering"></a>**EnableNetworkProtection/DisableInboundConnectionFiltering**
Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-enablednssinkhole"></a>**EnableNetworkProtection/EnableDnsSinkhole**
Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablednsovertcpparsing"></a>**EnableNetworkProtection/DisableDnsOverTcpParsing**
Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablednsparsing"></a>**EnableNetworkProtection/DisableDnsParsing**
Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing**
Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing**
Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing**
Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing**
Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="health"></a>**Health**
An interior node to group information about Windows Defender health status.
@ -248,7 +414,7 @@ Supported product status values:
- Service is shutting down as part of system shutdown = 1 << 16
- Threat remediation failed critically = 1 << 17
- Threat remediation failed non-critically = 1 << 18
- No status flags set (well initialized state) = 1 << 19
- No status flags set (well-initialized state) = 1 << 19
- Platform is out of date = 1 << 20
- Platform update is in progress = 1 << 21
- Platform is about to be outdated = 1 << 22
@ -453,6 +619,26 @@ Valid values are:
- 1 Enable.
- 0 (default) Disable.
<a href="" id="configuration-hideexclusionsfromlocaladmins"></a>**Configuration/HideExclusionsFromLocalAdmins**<br>
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled.
If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell.
If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
> [!NOTE]
> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
Supported OS versions: Windows 10
The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
- 1 Enable.
- 0 (default) Disable.
<a href="" id="configuration-disablecputhrottleonidlescans"></a>**Configuration/DisableCpuThrottleOnIdleScans**<br>
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
@ -532,7 +718,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
@ -561,7 +747,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
@ -617,8 +803,8 @@ The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
1 Enabled.
0 (default) Not Configured.
- 1 Enabled.
- 0 (default) Not Configured.
More details:

4
windows/client-management/mdm/index.md
View File

@ -28,8 +28,6 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros operational needs, addressing security concerns for modern cloud-managed devices.
> [!NOTE]
>Intune support for the MDM security baseline is coming soon.
The MDM security baseline includes policies that cover the following areas:
@ -48,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows).
For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
<span id="mmat" />

3
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -66,6 +66,9 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)

2
windows/client-management/mdm/surfacehub-csp.md
View File

@ -295,7 +295,7 @@ SurfaceHub
<p style="margin-left: 20px">The data type is boolean. Supported operation is Get and Replace.
<a href="" id="inboxapps-welcome-currentbackgroundpath"></a>**InBoxApps/Welcome/CurrentBackgroundPath**
<p style="margin-left: 20px">Background image for the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
<p style="margin-left: 20px">Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.
<p style="margin-left: 20px">The data type is string. Supported operation is Get and Replace.

6
windows/client-management/toc.yml
View File

@ -55,6 +55,12 @@ items:
items:
- name: Collect data using Network Monitor
href: troubleshoot-tcpip-netmon.md
- name: "Part 1: TCP/IP performance overview"
href: /troubleshoot/windows-server/networking/overview-of-tcpip-performance
- name: "Part 2: TCP/IP performance underlying network issues"
href: /troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network
- name: "Part 3: TCP/IP performance known issues"
href: /troubleshoot/windows-server/networking/tcpip-performance-known-issues
- name: Troubleshoot TCP/IP connectivity
href: troubleshoot-tcpip-connectivity.md
- name: Troubleshoot port exhaustion

3
windows/client-management/troubleshoot-tcpip.md
View File

@ -17,6 +17,9 @@ manager: dansimp
In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment.
- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
- [Part 1: TCP/IP performance overview](/troubleshoot/windows-server/networking/overview-of-tcpip-performance)
- [Part 2: TCP/IP performance underlying network issues](/troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network)
- [Part 3: TCP/IP performance known issues](/troubleshoot/windows-server/networking/tcpip-performance-known-issues)
- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)

20
windows/configuration/TOC.yml
View File

@ -1,24 +1,26 @@
- name: Configure Windows client
href: index.yml
- name: Configure appearance settings
- name: Customize the appearance
items:
- name: Windows 10 Start and taskbar
items:
- name: Manage Windows 10 Start and taskbar layout
- name: Start layout and taskbar
href: windows-10-start-layout-options-and-policies.md
- name: Configure Windows 10 taskbar
href: configure-windows-10-taskbar.md
- name: Use XML
items:
- name: Customize and export Start layout
href: customize-and-export-start-layout.md
- name: Add image for secondary tiles
- name: Customize the taskbar
href: configure-windows-10-taskbar.md
- name: Add image for secondary Microsoft Edge tiles
href: start-secondary-tiles.md
- name: Start layout XML for desktop editions of Windows 10 (reference)
- name: Start layout XML for Windows 10 desktop editions (reference)
href: start-layout-xml-desktop.md
- name: Customize Windows 10 Start and taskbar with Group Policy
- name: Use group policy
href: customize-windows-10-start-screens-by-using-group-policy.md
- name: Customize Windows 10 Start and taskbar with provisioning packages
- name: Use provisioning packages
href: customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
- name: Customize Windows 10 Start and taskbar with mobile device management (MDM)
- name: Use mobile device management (MDM)
href: customize-windows-10-start-screens-by-using-mobile-device-management.md
- name: Troubleshoot Start menu errors
href: start-layout-troubleshoot.md

47
windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
View File

@ -1,6 +1,6 @@
---
title: Alter Windows 10 Start and taskbar via mobile device management
description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users.
title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs
description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices.
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
ms.reviewer:
manager: dansimp
@ -12,7 +12,7 @@ author: greg-lindsay
ms.topic: article
ms.author: greglin
ms.localizationpriority: medium
ms.date: 02/08/2018
ms.date: 08/05/2021
---
# Customize Windows 10 Start and taskbar with mobile device management (MDM)
@ -25,7 +25,7 @@ ms.date: 02/08/2018
>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
@ -56,36 +56,39 @@ Two features enable Start layout control:
## <a href="" id="bkmk-domaingpodeployment"></a>Create a policy for your customized Start layout
The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout:
This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy.
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
2. Select **Devices** > **Configuration profiles** > **Create profile**.
2. Select **Device configuration**.
3. Enter the following properties:
3. Select **Profiles**.
- **Platform**: Select **Windows 10 and later**.
- **Profile type**: Select **Templates** > **Device restrictions** > **Create**.
4. Select **Create profile**.
4. In **Basics**, enter the following properties:
5. Enter a friendly name for the profile.
- **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Customize Start menu and taskbar**.
- **Description**: Enter a description for the profile. This setting is optional, but recommended.
6. Select **Windows 10 and later** for the platform.
5. Select **Next**.
7. Select **Device restrictions for the profile type.
6. In **Configuration settings**, select **Start**:
8. Select **Start**.
- If you're using an XML file, select **Start menu layout**. Browse to and select your Start layout XML file.
- If you don't have an XML file, configure the others settings. For more information on these settings, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
9. In **Start menu layout**, browse to and select your Start layout XML File.
7. Select **Next**.
8. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
10. Select **OK** twice, and then select **Create**.
11. Assign the profile to a device group.
For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
> [!NOTE]
> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
## Related topics
## Next steps
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
@ -95,5 +98,3 @@ For other MDM solutions, you may need to use an OMA-URI setting for Start layout
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)

1
windows/configuration/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

236
windows/configuration/windows-10-start-layout-options-and-policies.md
View File

@ -1,6 +1,6 @@
---
title: Manage Windows 10 Start and taskbar layout (Windows 10)
description: Organizations might want to deploy a customized Start and taskbar layout to devices.
title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs
description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
ms.reviewer:
manager: dansimp
@ -12,119 +12,215 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
ms.date: 06/19/2018
ms.date: 08/05/2021
---
# Manage Windows 10 Start and taskbar layout
# Customize the Start menu and taskbar layout on Windows 10 and later devices
**Applies to**:
**Applies to**
- Windows 10, Windows Server 2016 with Desktop Experience, Windows Server 2019 with Desktop Experience
- Windows 10 version 1607 and later
- Windows Server 2016 with Desktop Experience
- Windows Server 2019 with Desktop Experience
> **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu)
>
> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default.
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
As administrator, you can use these features to customize Start and taskbar to meet your organization needs. This article describes the different ways you can customize Start and taskbar, and lists the Start policies. It also includes taskbar information on a clean operating system (OS) installation, and when an OS is upgraded.
>[!NOTE]
>Taskbar configuration is available starting in Windows 10, version 1607.
>
>Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
>
>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
>
>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
## Use XML
On an existing Windows device, you can set up the **Start** screen, and then export the layout to an XML file. When you have the XML file, add this file to a group policy, a Windows Configuration Designer provisioning package, or a mobile device management (MDM) policy. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the layout configured in the XML file.
## Start options
For more information, see [Customize and export Start layout](customize-and-export-start-layout.md).
For the **taskbar**, you can use the same XML file as the start screen. Or, you can create a new XML file. When you have the XML file, add this file to a group policy or a provisioning package. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the taskbar settings you configured in the XML file.
For more information, see [Configure Windows 10 taskbar](configure-windows-10-taskbar.md).
## Use group policy
Using group policy objects (GPO), you can manage different parts of the Start menu and taskbar. You don't need to reimage the devices. Using administrative templates, you configure settings in a policy, and then deploy this policy to your devices. [Start menu policy settings](#start-menu-policy-settings) (in this article) lists the policies you can configure.
For more information, see [Use group policy to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-group-policy.md).
## Use provisioning packages
Provisioning packages are containers that include a set of configuration settings. They're designed to configure a device quickly, without installing a new image. For more information on what provisioning packages are, and what they do, see [Provisioning packages](./provisioning-packages/provisioning-packages.md).
Using a provisioning package, you can customize the Start and taskbar. For more information, see [Use provisioning packages to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
## Use a mobile device management (MDM) solution
Using an MDM solution, you add an XML file to a policy, and then deploy this policy to your devices.
If you use Microsoft Intune for your MDM solution, then you can use settings to configure Start and the taskbar. For more information on the settings you can configure, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
For more information, see [Use MDM to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-mobile-device-management.md).
## Start menu policy settings
![start layout sections](images/startannotated.png)
Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. If you use a provisioning package, see the [Windows Configuration Designer reference](./wcd/wcd-policies.md#start).
- **User tile**
- **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Logoff on the Start menu`
- **Local setting**: None
- **MDM policy**:
- Start/HideUserTile
- Start/HideSwitchAccount
- Start/HideSignOut
- Start/HideLock
- Start/HideChangeAccountSettings
- **Most used**
- **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove frequent programs from the Start menu`
- **Local setting**: Settings > Personalization > Start > Show most used apps
- **MDM policy**: Start/HideFrequentlyUsedApps
- **Suggestions, Dynamically inserted app tile**
- **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences`
This policy also enables or disables notifications for:
- A user's Microsoft account
- App tiles that Microsoft dynamically adds to the default Start menu
- **Local setting**: Settings > Personalization > Start > Occasionally show suggestions in Start
- **MDM policy**: Allow Windows Consumer Features
- **Recently added**
- **Group policy**: `Computer configuration\Administrative Template\Start Menu and Taskbar\Remove "Recently Added" list from Start Menu`
This policy applies to:
- Windows 10 version 1803 and later
- **Local setting**: Settings > Personalization > Start > Show recently added apps
- **MDM policy**: Start/HideRecentlyAddedApps
- **Pinned folders**
- **Local setting**: Settings > Personalization > Start > Choose which folders appear on Start
- **MDM policy**: AllowPinnedFolder
- **Power**
- **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`
- **Local setting**: None
- **MDM policy**:
- Start/HidePowerButton
- Start/HideHibernate
- Start/HideRestart
- Start/HideShutDown
- Start/HideSleep
- **Start layout**
- **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from customizing their Start screen`
When a full Start screen layout is imported with Group Policy or MDM, users can't pin, unpin, or uninstall apps from the Start screen. Users can see and open all apps in the **All Apps** view, but they can't pin any apps to the Start screen. When a partial Start screen layout is imported, users can't change the tile groups applied by the partial layout. They can change other tile groups, and create their own tile groups.
**Start layout** policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar.
- **Local setting**: None
- **MDM policy**:
- Start layout
- ImportEdgeAssets
- **Jump lists**
- **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
- **Local setting**: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
- **MDM policy**: Start/HideRecentJumplists
- **Start size**
- **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Force Start to be either full screen size or menu size`
- **Local setting**: Settings > Personalization > Start > Use Start full screen
- **MDM policy**: Force Start size
- **App list**
- **Local setting**: Settings > Personalization > Start > Show app list in Start menu
- **MDM policy**: Start/HideAppList
- **All settings**
- **Group policy**: `User Configuration\Administrative Templates\Prevent changes to Taskbar and Start Menu Settings`
- **Local setting**: None
- **Taskbar**
- **Local setting**: None
- **MDM policy**: Start/NoPinningToTaskbar
> [!NOTE]
>The MDM policy settings in the table can also be configured [in a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) using **Policies** > **Start**. [See the reference for **Start** settings in Windows Configuration Designer.](./wcd/wcd-policies.md#start)
The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
| Start | Policy | Local setting |
| --- | --- | --- |
| User tile | MDM: **Start/HideUserTile**</br>**Start/HideSwitchAccount**</br>**Start/HideSignOut**</br>**Start/HideLock**</br>**Start/HideChangeAccountSettings**</br></br>Group Policy: **Remove Logoff on the Start menu** | none |
| Most used | MDM: **Start/HideFrequentlyUsedApps**</br></br>Group Policy: **Remove frequent programs from the Start menu** | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Show most used apps** |
| Suggestions</br>-and-</br>Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**</br></br>Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences**</br></br>**Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Occasionally show suggestions in Start** |
| Recently added | MDM: **Start/HideRecentlyAddedApps**<br>Group Policy: **Computer configuration**\\**Administrative Template**\\**Start Menu and Taskbar**\\**Remove "Recently Added" list from Start Menu** (for Windows 10, version 1803) | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Show recently added apps** |
| Pinned folders | MDM: **AllowPinnedFolder** | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Choose which folders appear on Start** |
| Power | MDM: **Start/HidePowerButton**</br>**Start/HideHibernate**</br>**Start/HideRestart**</br>**Start/HideShutDown**</br>**Start/HideSleep**</br></br>Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none |
| Start layout | MDM: **Start layout**</br>**ImportEdgeAssets**</br></br>Group Policy: **Prevent users from customizing their Start screen**</br></br>**Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.</br></br>**Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none |
| Jump lists | MDM: **Start/HideRecentJumplists**</br></br>Group Policy: **Do not keep history of recently opened documents** | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Show recently opened items in Jump Lists on Start or the taskbar** |
| Start size | MDM: **Force Start size**</br></br>Group Policy: **Force Start to be either full screen size or menu size** | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Use Start full screen** |
| App list | MDM: **Start/HideAppList** | **Settings** &gt; **Personalization** &gt; **Start** &gt; **Show app list in Start menu** |
| All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none |
| Taskbar | MDM: **Start/NoPinningToTaskbar** | none |
>[!NOTE]
>In local **Settings** > **Personalization** > **Start**, there is an option to **Show more tiles**. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting and then arrange your tiles.
[Learn how to customize and export Start layout](customize-and-export-start-layout.md)
> In the **Settings** app > **Personalization** > **Start**, there is a **Show more tiles on Start** option. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles on Start** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting, and then arrange your tiles.
## Taskbar options
Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
Starting in Windows 10 version 1607, you can pin more apps to the taskbar, and remove default pinned apps from the taskbar. You can select different taskbar configurations based on device locale or region.
There are three categories of apps that might be pinned to a taskbar:
* Apps pinned by the user
* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
* Apps pinned by the enterprise, such as in an unattended Windows setup
There are three app categories that could be pinned to a taskbar:
>[!NOTE]
>We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks) in an unattended Windows setup file.
- Apps pinned by the user
- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Store
- Apps pinned by your organization, such as in an unattended Windows setup
The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method](configure-windows-10-taskbar.md) to configure the taskbar options. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks).
The following example shows how apps are pinned. In OS configured to use a right-to-left language, the taskbar order is reversed:
- Windows default apps to the left (blue circle)
- Apps pinned by the user in the center (orange triangle)
- Apps that you pin using XML to the right (green square)
![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
>[!NOTE]
>In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
If you apply the taskbar configuration to a clean install or an update, users can still:
- Pin more apps
- Change the order of pinned apps
- Unpin any app
Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
* Pin additional apps
* Change the order of pinned apps
* Unpin any app
>[!NOTE]
>In Windows 10, version 1703, you can apply an MDM policy, `Start/NoPinningToTaskbar`, to prevents users from pinning and unpinning apps on the taskbar.
> [!TIP]
> In Windows 10 version 1703, you can apply the `Start/NoPinningToTaskbar` MDM policy. This policy prevents users from pinning and unpinning apps on the taskbar.
### Taskbar configuration applied to clean install of Windows 10
In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
In a clean install, if you apply a taskbar layout, only the following apps are pinned to the taskbar:
- Apps you specifically add
- Any default apps you don't remove
After the layout is applied, users can pin more apps to the taskbar.
### Taskbar configuration applied to Windows 10 upgrades
When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup.
The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
* New apps specified in updated layout file are pinned to right of user's pinned apps.
On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior:
- If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right.
- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned.
- If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right.
- New apps specified in updated layout file are pinned to right of user's pinned apps.
[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md).
## Start layout configuration errors
If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events:
If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events:
- **Event 22** is logged when the xml is malformed, meaning the specified file simply isnt valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format.
- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood, elements are not in [the required order](start-layout-xml-desktop.md#required-order), or source is not found, such as a missing or misspelled .lnk.
## Related topics
- **Event 22**: The XML is malformed. The specified file isnt valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format.
- **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`.
## Next steps
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)

1
windows/configure/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {

1
windows/deploy/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-deploy",

66
windows/deployment/TOC.yml
View File

@ -281,7 +281,7 @@
href: upgrade/windows-10-upgrade-paths.md
- name: Deploy Windows 10 with Microsoft 365
href: deploy-m365.md
- name: Understanding the Unified Update Platform
- name: Understand the Unified Update Platform
href: update/windows-update-overview.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
@ -331,6 +331,8 @@
- name: Active Directory-Based Activation Overview
href: volume-activation/active-directory-based-activation-overview.md
- name: Install and Configure VAMT
items:
- name: Overview
href: volume-activation/install-configure-vamt.md
- name: VAMT Requirements
href: volume-activation/vamt-requirements.md
@ -339,6 +341,8 @@
- name: Configure Client Computers
href: volume-activation/configure-client-computers-vamt.md
- name: Add and Manage Products
items:
- name: Overview
href: volume-activation/add-manage-products-vamt.md
- name: Add and Remove Computers
href: volume-activation/add-remove-computers-vamt.md
@ -347,6 +351,8 @@
- name: Remove Products
href: volume-activation/remove-products-vamt.md
- name: Manage Product Keys
items:
- name: Overview
href: volume-activation/manage-product-keys-vamt.md
- name: Add and Remove a Product Key
href: volume-activation/add-remove-product-key-vamt.md
@ -355,26 +361,32 @@
- name: Install a KMS Client Key
href: volume-activation/install-kms-client-key-vamt.md
- name: Manage Activations
items:
- name: Overview
href: volume-activation/manage-activations-vamt.md
- name: Perform Online Activation
- name: Run Online Activation
href: volume-activation/online-activation-vamt.md
- name: Perform Proxy Activation
- name: Run Proxy Activation
href: volume-activation/proxy-activation-vamt.md
- name: Perform KMS Activation
- name: Run KMS Activation
href: volume-activation/kms-activation-vamt.md
- name: Perform Local Reactivation
- name: Run Local Reactivation
href: volume-activation/local-reactivation-vamt.md
- name: Activate an Active Directory Forest Online
href: volume-activation/activate-forest-vamt.md
- name: Activate by Proxy an Active Directory Forest
href: volume-activation/activate-forest-by-proxy-vamt.md
- name: Manage VAMT Data
items:
- name: Overview
href: volume-activation/manage-vamt-data.md
- name: Import and Export VAMT Data
href: volume-activation/import-export-vamt-data.md
- name: Use VAMT in Windows PowerShell
href: volume-activation/use-vamt-in-windows-powershell.md
- name: VAMT Step-by-Step Scenarios
items:
- name: Overview
href: volume-activation/vamt-step-by-step.md
- name: "Scenario 1: Online Activation"
href: volume-activation/scenario-online-activation-vamt.md
@ -496,54 +508,62 @@
- name: Application Compatibility Toolkit (ACT) Technical Reference
items:
- name: SUA User's Guide
items:
- name: Overview
href: planning/sua-users-guide.md
- name: Using the SUA Wizard
- name: Use the SUA Wizard
href: planning/using-the-sua-wizard.md
- name: Using the SUA Tool
- name: Use the SUA Tool
href: planning/using-the-sua-tool.md
- name: Tabs on the SUA Tool Interface
href: planning/tabs-on-the-sua-tool-interface.md
- name: Showing Messages Generated by the SUA Tool
- name: Show Messages Generated by the SUA Tool
href: planning/showing-messages-generated-by-the-sua-tool.md
- name: Applying Filters to Data in the SUA Tool
- name: Apply Filters to Data in the SUA Tool
href: planning/applying-filters-to-data-in-the-sua-tool.md
- name: Fixing Applications by Using the SUA Tool
- name: Fix apps using the SUA Tool
href: planning/fixing-applications-by-using-the-sua-tool.md
- name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
- name: Compatibility Administrator User's Guide
items:
- name: Overview
href: planning/compatibility-administrator-users-guide.md
- name: Using the Compatibility Administrator Tool
- name: Use the Compatibility Administrator Tool
href: planning/using-the-compatibility-administrator-tool.md
- name: Available Data Types and Operators in Compatibility Administrator
href: planning/available-data-types-and-operators-in-compatibility-administrator.md
- name: Searching for Fixed Applications in Compatibility Administrator
- name: Search for Fixed Applications in Compatibility Administrator
href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
- name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
- name: Search for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
- name: Creating a Custom Compatibility Fix in Compatibility Administrator
- name: Create a Custom Compatibility Fix in Compatibility Administrator
href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
- name: Creating a Custom Compatibility Mode in Compatibility Administrator
- name: Create a Custom Compatibility Mode in Compatibility Administrator
href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
- name: Creating an AppHelp Message in Compatibility Administrator
- name: Create an AppHelp Message in Compatibility Administrator
href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
- name: Viewing the Events Screen in Compatibility Administrator
- name: View the Events Screen in Compatibility Administrator
href: planning/viewing-the-events-screen-in-compatibility-administrator.md
- name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
- name: Enable and Disable Compatibility Fixes in Compatibility Administrator
href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
- name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
- name: Install and Uninstall Custom Compatibility Databases in Compatibility Administrator
href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
- name: Managing Application-Compatibility Fixes and Custom Fix Databases
- name: Manage Application-Compatibility Fixes and Custom Fix Databases
items:
- name: Overview
href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
- name: Understanding and Using Compatibility Fixes
- name: Understand and Use Compatibility Fixes
href: planning/understanding-and-using-compatibility-fixes.md
- name: Compatibility Fix Database Management Strategies and Deployment
href: planning/compatibility-fix-database-management-strategies-and-deployment.md
- name: Testing Your Application Mitigation Packages
- name: Test Your Application Mitigation Packages
href: planning/testing-your-application-mitigation-packages.md
- name: Using the Sdbinst.exe Command-Line Tool
- name: Use the Sdbinst.exe Command-Line Tool
href: planning/using-the-sdbinstexe-command-line-tool.md
- name: Volume Activation
items:
- name: Overview
href: volume-activation/volume-activation-windows-10.md
- name: Plan for volume activation
href: volume-activation/plan-for-volume-activation-client.md

2
windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
View File

@ -72,7 +72,7 @@ To monitor the task sequence as it happens, right-click the **MDT Build Lab** de
### Configure permissions for the deployment share
In order to read files in the deployment share and write the reference image back to it, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
In order to read files in the deployment share and write the reference image back to it, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
On **MDT01**:

6
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC1902120058_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
@ -316,7 +316,7 @@ On **MDT01**:
### For the HP EliteBook 8560w
For the HP EliteBook 8560w, you use HP SoftPaq Download Manager to get the drivers. The HP SoftPaq Download Manager can be accessed on the [HP Support site](https://go.microsoft.com/fwlink/p/?LinkId=619545).
For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html).
In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder.

1
windows/deployment/docfx.json
View File

@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

76
windows/deployment/update/media-dynamic-update.md
View File

@ -1,5 +1,5 @@
---
title: Update Windows 10 media with Dynamic Update
title: Update Windows installation media with Dynamic Update
description: Learn how to deploy feature updates to your mission critical devices
ms.prod: w10
ms.mktglfcycl: manage
@ -14,17 +14,17 @@ ms.collection: M365-modern-desktop
ms.topic: article
---
# Update Windows 10 media with Dynamic Update
# Update Windows installation media with Dynamic Update
**Applies to**: Windows 10
**Applies to**: Windows 10, Windows 11
This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
## Dynamic Update
Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates:
Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates:
- Updates to Setup.exe binaries or other files that Setup uses for feature updates
- Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
@ -53,14 +53,14 @@ The various Dynamic Update packages might not all be present in the results from
If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
## Update Windows 10 installation media
## Update Windows installation media
Properly updating the installation media involves a large number of actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include:
- Windows Preinstallation Environment (WinPE): a small operating system used to install, deploy, and repair Windows operating systems
- Windows Recovery Environment (WinRE): repairs common causes of unbootable operating systems. WinRE is based on WinPE and can be customized with additional drivers, languages, optional packages, and other troubleshooting or diagnostic tools.
- Windows operating system: one or more editions of Windows 10 stored in \sources\install.wim
- Windows installation media: the complete collection of files and folders in the Windows 10 installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
- Windows operating system: one or more editions of Windows stored in \sources\install.wim
- Windows installation media: the complete collection of files and folders in the Windows installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26).
@ -89,7 +89,7 @@ This table shows the correct sequence for applying the various tasks to the file
### Multiple Windows editions
The main operating system file (install.wim) contains multiple editions of Windows 10. Its possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
The main operating system file (install.wim) contains multiple editions of Windows. Its possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
### Additional languages and features
@ -178,8 +178,6 @@ The script assumes that only a single edition is being updated, indicated by Ind
It finishes by cleaning and exporting the image to reduce the image size.
> [!NOTE]
> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary components in the recovery environment. The components that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
```powershell
# Mount the main operating system, used throughout the script
@ -194,8 +192,33 @@ Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update
# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
# This error should be caught and ignored, as the last step will be to apply the cumulative update
# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
try
{
Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
}
Catch
{
$theError = $_
Write-Output "$(Get-TS): $theError"
if ($theError.Exception -like "*0x8007007e*") {
Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
}
else {
throw
}
}
#
# Optional: Add the language to recovery environment
@ -278,8 +301,33 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU
# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
# This error should be caught and ignored, as the last step will be to apply the cumulative update
# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
Write-Output "$(Get-TS): Adding package $SSU_PATH"
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
try
{
Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
}
Catch
{
$theError = $_
Write-Output "$(Get-TS): $theError"
if ($theError.Exception -like "*0x8007007e*") {
Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
}
else {
throw
}
}
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"

1
windows/device-security/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",

1
windows/docfx.json
View File

@ -14,6 +14,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",

1
windows/eulas/docfx.json
View File

@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None",

1
windows/hub/docfx.json
View File

@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"audience": "ITPro",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",

1
windows/keep-secure/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"feedback_system": "None",
"_op_documentIdPathDepotMapping": {
"./": {

1
windows/known-issues/docfx.json
View File

@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",

1
windows/manage/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-manage",

1
windows/plan/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-plan",

2
windows/privacy/changes-to-windows-diagnostic-data-collection.md
View File

@ -52,7 +52,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience
In an upcoming release of Windows 10, were simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data).
Additionally, you will see the following policy changes in an upcoming release of Windows 10:
Additionally, you will see the following policy changes in an upcoming release of Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11:
| Policy type | Current policy | Renamed policy |
| --- | --- | --- |

1
windows/privacy/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

1
windows/release-information/docfx.json
View File

@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",

1
windows/security/docfx.json
View File

@ -33,6 +33,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",

2
windows/security/identity-protection/access-control/active-directory-security-groups.md
View File

@ -3716,7 +3716,7 @@ This security group was introduced in Windows Server 2012, and it has not chang
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-1000</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-&lt;variable RID&gt;</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>

19
windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
View File

@ -21,16 +21,33 @@ ms.reviewer:
**Applies to**
- Windows 10
- Windows Server 2016
- Windows Server 2019
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033):
- Scheduled tasks with stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: <br>
- Scheduled tasks with domain user stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message: <br>
"Task Scheduler failed to log on \Test. <br>
Failure occurred in LogonUserExEx. <br>
User Action: Ensure the credentials for the task are correctly specified. <br>
Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect)."
- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. For example:
> Log Name: Microsoft-Windows-NTLM/Operational
Source: Microsoft-Windows-Security-Netlogon
Event ID: 8004
Task Category: Auditing NTLM
Level: Information
Description:
Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
Secure Channel name: \<Secure Channel Name>
User name:
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
Domain name: NULL
- This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- The username appears in an unusual format because local accounts arent protected by Credential Guard. The task also fails to execute.
- As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:

1
windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -82,6 +82,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
|-------------|---------|
| 0X80072F0C | Unknown |
| 0x80070057 | Invalid parameter or argument is passed. |
| 0x80090010 | NTE_PERM |
| 0x80090020 | NTE\_FAIL |
| 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. |
| 0x8009002D | NTE\_INTERNAL\_ERROR |

5
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -679,6 +679,11 @@ Sign-in a workstation with access equivalent to a _domain user_.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
> [!NOTE]
> If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
> If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.

18
windows/security/information-protection/tpm/trusted-platform-module-overview.md
View File

@ -14,12 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 11/29/2018
---
# Trusted Platform Module Technology Overview
**Applies to**
- Windows 11
- Windows 10
- Windows Server 2016
- Windows Server 2019
@ -28,7 +28,7 @@ This topic for the IT professional describes the Trusted Platform Module (TPM) a
## Feature description
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
[Trusted Platform Module (TPM)](/windows/security/information-protection/tpm/trusted-platform-module-top-node) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can:
- Generate, store, and limit the use of cryptographic keys.
@ -54,13 +54,13 @@ Certificates can be installed or created on computers that are using the TPM. Af
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 and later editions or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
## New and changed functionality
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module).
For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module)
## Device health attestation
@ -75,14 +75,14 @@ Some things that you can check on the device are:
- Is SecureBoot supported and enabled?
> [!NOTE]
> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
## Supported versions for device health attestation
| TPM version | Windows 10 | Windows Server 2016 | Windows Server 2019 |
|-------------|-------------|---------------------|---------------------|
| TPM 1.2 | >= ver 1607 | >= ver 1607 | Yes |
| TPM 2.0 | Yes | Yes | Yes |
| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 |
|-------------|-------------|-------------|---------------------|---------------------|
| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes |
| TPM 2.0 | Yes | Yes | Yes | Yes |
## Related topics

3
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -17,7 +17,8 @@ ms.technology: mde
# Enable virtualization-based protection of code integrity
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to**
- Windows 10
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.

3
windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
View File

@ -18,7 +18,8 @@ ms.technology: mde
# Baseline protections and additional qualifications for virtualization-based protection of code integrity
**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to**
- Windows 10
Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.

2
windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
View File

@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
- Windows 10
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.

2
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
View File

@ -17,7 +17,7 @@ metadata:
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.

2
windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
View File

@ -18,7 +18,7 @@ ms.technology: mde
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
- - Windows 10
## Review system requirements

3
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
View File

@ -17,7 +17,8 @@ ms.technology: mde
# Microsoft Defender Application Guard overview
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to**
- Windows 10
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.

5
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
View File

@ -1,5 +1,5 @@
---
title: System requirements for Microsoft Defender Application Guard (Windows 10)
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: m365-security
ms.mktglfcycl: manage
@ -17,7 +17,8 @@ ms.technology: mde
# System requirements for Microsoft Defender Application Guard
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to**
- Windows 10
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.

2
windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
View File

@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
- Windows 10
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.

2
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -45,7 +45,7 @@ The Security Compliance Toolkit consists of:
- Microsoft 365 Apps for enterprise, Version 2104
- Microsoft Edge security baseline
- Version 88
- Version 92
- Windows Update security baseline
- Windows 10 20H2 and below (October 2020 Update)

4
windows/security/threat-protection/security-policy-settings/account-lockout-duration.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/19/2017
ms.date: 08/16/2021
ms.technology: mde
---
@ -35,7 +35,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set
- A user-defined number of minutes from 0 through 99,999
- Not defined
If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If th **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually.
It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0.

98
windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 07/15/2021
ms.date: 08/10/2021
ms.technology: mde
---
@ -93,27 +93,86 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
```
An example of a valid Managed Installer rule collection using Microsoft Endpoint Config Manager (MEMCM) is shown below.
An example of a valid Managed Installer rule collection, using Microsoft Endpoint Config Manager (MEMCM), MEM (Intune), Powershell, and PowerShell ISE, is shown below. Remove any rules that you do not wish to designate as a Managed Installer.
```xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
<RuleCollection Type="Dll" EnforcementMode="AuditOnly" >
<FilePublisherRule Id="86f235ad-3f7b-4121-bc95-ea8bde3a5db5" Name="Allow all" Description="Allow all" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<RuleCollectionExtensions>
<ThresholdExtensions>
<Services EnforcementMode="Enabled" />
</ThresholdExtensions>
<RedstoneExtensions>
<SystemApps Allow="Enabled"/>
</RedstoneExtensions>
</RuleCollectionExtensions>
</RuleCollection>
<RuleCollection Type="Exe" EnforcementMode="AuditOnly">
<FilePublisherRule Id="9420c496-046d-45ab-bd0e-455b2649e41e" Name="Allow all" Description="Allow all" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<RuleCollectionExtensions>
<ThresholdExtensions>
<Services EnforcementMode="Enabled" />
</ThresholdExtensions>
<RedstoneExtensions>
<SystemApps Allow="Enabled"/>
</RedstoneExtensions>
</RuleCollectionExtensions>
</RuleCollection>
<RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">
<FilePublisherRule Id="6cc9a840-b0fd-4f86-aca7-8424a22b4b93" Name="MEMCM - CCMEXEC.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<FilePublisherRule Id="55932f09-04b8-44ec-8e2d-3fc736500c56" Name="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE version 1.39.200.2 or greater in MICROSOFT® INTUNE™ from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT® INTUNE™" BinaryName="MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE">
<BinaryVersionRange LowSection="1.39.200.2" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="6ead5a35-5bac-4fe4-a0a4-be8885012f87" Name="CMM - CCMEXEC.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CCMEXEC.EXE">
<BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="780ae2d3-5047-4240-8a57-767c251cbb12" Name="MEMCM - CCMSETUP.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<FilePublisherRule Id="8e23170d-e0b7-4711-b6d0-d208c960f30e" Name="CCM - CCMSETUP.EXE, 5.0.0.0+, Microsoft signed" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="CCMSETUP.EXE">
<BinaryVersionRange LowSection="5.0.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="a8cb325e-b26e-4f52-b528-a137764cae42" Name="POWERSHELL.EXE, version 10.0.0.0 and above, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="POWERSHELL.EXE">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
<FilePublisherRule Id="a8cb325e-b26e-4f52-b528-a137764cae54" Name="POWERSHELL_ISE.EXE, version 10.0.0.0 and above, in MICROSOFT® WINDOWS® OPERATING SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="POWERSHELL_ISE.EXE">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
</AppLockerPolicy>
```
### Enable service enforcement in AppLocker policy
Since many installation processes rely on services, it is typically necessary to enable tracking of services.
@ -214,3 +273,32 @@ Ea Value Length: 7e
## Enabling managed installer logging events
Refer to [Understanding Application Control Events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) for information on enabling optional managed installer diagnostic events.
## Deploying the Managed Installer rule collection
Once you've completed configuring your chosen Managed Installer, by specifying which option to use in the AppLocker policy, enabling the service enforcement of it, and by enabling the Managed Installer option in a WDAC policy, you'll need to deploy it.
1. Use the following command to deploy the policy.
```powershell
$policyFile=
@"
Raw_AppLocker_Policy_XML
"@
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
```
2. Verify Deployment of the ruleset was successful
```powershell
Get-AppLockerPolicy -Local
Version RuleCollections RuleCollectionTypes
------- --------------- -------------------
1 {0, 0, 0, 0...} {Appx, Dll, Exe, ManagedInstaller...}
```
Verify the output shows the ManagedInstaller rule set.
3. Get the policy XML (optional) using PowerShell:
```powershell
Get-AppLockerPolicy -Effective -Xml -ErrorVariable ev -ErrorAction SilentlyContinue
```
This command will show the raw XML to verify the individual rules that were set.

26
windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
View File

@ -86,6 +86,32 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```
## System Integrity Policy Options
The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
| Bit Address | Policy Rule Option |
|-------|------|
| 2 | `Enabled:UMCI` |
| 3 | `Enabled:Boot Menu Protection` |
| 4 | `Enabled:Intelligent Security Graph Authorization` |
| 5 | `Enabled:Invalidate EAs on Reboot` |
| 7 | `Required:WHQL` |
| 10 | `Enabled:Allow Supplemental Policies` |
| 11 | `Disabled:Runtime FilePath Rule Protection` |
| 13 | `Enabled:Revoked Expired As Unsigned` |
| 16 | `Enabled:Audit Mode (Default)` |
| 17 | `Disabled:Flight Signing` |
| 18 | `Enabled:Inherit Default Policy` |
| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
| 20 | `Enabled:Dynamic Code Security` |
| 21 | `Required:EV Signers` |
| 22 | `Enabled:Boot Audit on Failure` |
| 23 | `Enabled:Advanced Boot Options Menu` |
| 24 | `Disabled:Script Enforcement` |
| 25 | `Required:Enforce Store Applications` |
| 27 | `Enabled:Managed Installer` |
| 28 | `Enabled:Update Policy No Reboot` |
## Appendix
A list of other relevant event IDs and their corresponding description.

10
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

@ -24,15 +24,15 @@ ms.date:
- Windows 10
- Windows Server 2016 and above
Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they are patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy which is applied to the following sets of devices:
Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
- Hypervisor-protected code integrity (HVCI) enabled devices
- Windows 10 in S mode (S mode) devices
Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this is not possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It is recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
Microsoft recommends enabling [HVCI](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) or S mode to protect your devices against security threats. If this isn't possible, Microsoft recommends blocking the following list of drivers by merging this policy with your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can result in devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](audit-windows-defender-application-control-policies.md) and review the audit block events.
> [!Note]
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It is recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode.
> This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. It's recommended that this policy be first validated in audit mode before rolling the rules into enforcement mode.
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -55,8 +55,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
<EKUs />
<!--File Rules-->
<FileRules>
<Allow ID="ID_ALLOW_ALL_1" FriendlyName="" FileName="*" />
<Allow ID="ID_ALLOW_ALL_2" FriendlyName="" FileName="*" />
<Deny ID="ID_DENY_BANDAI_SHA1" FriendlyName="bandai.sys Hash Sha1" Hash="0F780B7ADA5DD8464D9F2CC537D973F5AC804E9C" />
<Deny ID="ID_DENY_BANDAI_SHA256" FriendlyName="bandai.sys Hash Sha256" Hash="7FD788358585E0B863328475898BB4400ED8D478466D1B7F5CC0252671456CC8" />
<Deny ID="ID_DENY_BANDAI_SHA1_PAGE" FriendlyName="bandai.sys Hash Page Sha1" Hash="EA360A9F23BB7CF67F08B88E6A185A699F0C5410" />
@ -315,7 +313,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
<DeniedSigner SignerId="ID_SIGNER_VERISIGN_INSYDE" />
</DeniedSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_ALLOW_ALL_1"/>
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA1" />
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA256" />
<FileRuleRef RuleID="ID_DENY_BANDAI_SHA1_PAGE" />
@ -425,7 +422,6 @@ Microsoft recommends enabling [HVCI](https://docs.microsoft.com/windows/security
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_ALLOW_ALL_2" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>

1
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No |
## Windows Defender Application Control file rule levels

4
windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
View File

@ -14,7 +14,7 @@ audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.date: 05/03/2018
ms.date: 08/12/2021
ms.technology: mde
---
@ -38,7 +38,7 @@ For example, to create a WDAC policy allowing **addin1.dll** and **addin2.dll**
```powershell
$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP2.exe'
New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
```

22
windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
View File

@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/25/2017
ms.date: 08/16/2021
ms.technology: mde
---
@ -40,17 +40,15 @@ First, create the WMI filter and configure it to look for a specified version (o
1. Open the Group Policy Management console.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then click **WMI Filters**.
2. In the navigation pane, expand **Forest:** *YourForestName*, expand **Domains**, expand *YourDomainName*, and then select **WMI Filters**.
3. Click **Action**, and then click **New**.
3. Select **Action**, and then select **New**.
4. In the **Name** text box, type the name of the WMI filter.
>**Note:**  Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.
4. In the **Name** text box, type the name of the WMI filter. Be sure to use a name that clearly indicates the purpose of the filter. Check to see if your organization has a naming convention.
5. In the **Description** text box, type a description for the WMI filter. For example, if the filter excludes domain controllers, you might consider stating that in the description.
6. Click **Add**.
6. Select **Add**.
7. Leave the **Namespace** value set to **root\\CIMv2**.
@ -66,7 +64,7 @@ First, create the WMI filter and configure it to look for a specified version (o
... where Version like "6.1%" or Version like "6.2%"
```
To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
To restrict the query to only clients or only servers, add a clause that includes the ProductType parameter. To filter for client operating systems only, such as Windows 8 or Windows 7, use only ProductType="1". For server operating systems that are not domain controllers and for Windows 10 multi-session, use ProductType="3". For domain controllers only, use ProductType="2". This is a useful distinction, because you often want to prevent your GPOs from being applied to the domain controllers on your network.
The following clause returns **true** for all devices that are not domain controllers:
@ -92,9 +90,9 @@ First, create the WMI filter and configure it to look for a specified version (o
select * from Win32_OperatingSystem where Version like "10.%" and ProductType="3"
```
9. Click **OK** to save the query to the filter.
9. Select **OK** to save the query to the filter.
10. Click **Save** to save your completed filter.
10. Select **Save** to save your completed filter.
> [!NOTE]
> If you're using multiple queries in the same WMI filter, these queries must all return **TRUE** for the filter requirements to be met and for the GPO to be applied.
@ -105,8 +103,8 @@ After you have created a filter with the correct query, link the filter to the G
1. Open the Group Policy Management console.
2. In the navigation pane, find and then click the GPO that you want to modify.
2. In the navigation pane, find and then select the GPO that you want to modify.
3. Under **WMI Filtering**, select the correct WMI filter from the list.
4. Click **Yes** to accept the filter.
4. Select **Yes** to accept the filter.

1
windows/threat-protection/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",

1
windows/update/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-update",

1
windows/whats-new/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",

2
windows/whats-new/windows-11.md
View File

@ -47,6 +47,8 @@ For more information about device eligibility, see [Windows 11 requirements](win
If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
If you are an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information, see [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds).
## Before you begin
The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11.