diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index ca1542a952..83c7c6b9b8 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -7,6 +7,7 @@ ms.reviewer:
audience: itpro
manager: dansimp
ms.author: dansimp
+ms.prod: ie11
---
# Full-sized flowchart detailing how document modes are chosen in IE11
diff --git a/browsers/internet-explorer/internet-explorer.yml b/browsers/internet-explorer/internet-explorer.yml
index 05e93f6e25..17eee2393b 100644
--- a/browsers/internet-explorer/internet-explorer.yml
+++ b/browsers/internet-explorer/internet-explorer.yml
@@ -9,6 +9,7 @@ metadata:
author: aczechowski
ms.author: aaroncz
ms.date: 07/29/2022
+ ms.prod: ie11
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index e46501517f..b3ef37c53c 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -36,8 +36,6 @@ items:
href: edu-themes.md
- name: Configure Stickers
href: edu-stickers.md
- - name: Configure federated authentication
- href: edu-federated-authentication.md
- name: Configure Take a Test on a single PC
href: take-a-test-single-pc.md
- name: Configure a Test on multiple PCs
diff --git a/education/windows/edu-federated-authentication.md b/education/windows/edu-federated-authentication.md
deleted file mode 100644
index 8c3fc14f5d..0000000000
--- a/education/windows/edu-federated-authentication.md
+++ /dev/null
@@ -1,94 +0,0 @@
----
-title: Federated authentication for Windows 11 SE
-description: Description of federated authentication feature for Windows 11 SE and how to configure it via Intune
-ms.date: 09/15/2022
-ms.prod: windows
-ms.technology: windows
-ms.topic: how-to
-ms.localizationpriority: medium
-author: paolomatarazzo
-ms.author: paoloma
-ms.reviewer:
-manager: aaroncz
-ms.collection: education
-appliesto:
-- ✅ Windows 11 SE 22H2
----
-
-
-# Configure federated authentication for Windows 11 SE
-
-Starting in **Windows 11 SE, version 22H2**, you can configure federated authentication, enabling your users to sign in using a third-party identity provider (IdP).
-The sign-in experience on Windows SE devices can be simplified based on the options offered by the IdP. For example, rather than logging in with a traditional username and password, students and educators can use picture passwords or QR code badges.
-
-## Benefits of federated authentication
-
-With federated authentication, students can sign-in in less time, and with less friction.
-Fewer credentials to remember and a simplified sign-in process, enable students to be more engaged and focused on learning.
-
-## Prerequisites
-
-To implement federated authentication, the following prerequisites must be met:
-
-1. An Azure AD tenant, with one or multiple domains federated to a third-party IdP. For more information, see [Use a SAML 2.0 Identity Provider (IdP) for Single Sign On][AZ-1]
-1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
-1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automation, with a provisioning process offered by the IdP
-1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
-1. Enable federated authentication on the Windows devices that the users will be using
- > [!IMPORTANT]
- > This feature is exclusively available for Windows 11 SE, version 22H2.
-
-## Enable federated authentication on Windows devices
-
-Can be done in Intune or with a provisioning package.
-
-To configure federated authentication using Microsoft Intune, use a [custom profile][MEM-1]:
-
-1. Sign in to the Microsoft Endpoint Manager admin center
-1. Select **Devices** > **Configuration profiles** > **Create profile**
-1. Enter the following properties:
- - **Platform**: select **Windows 10 and later**
- - **Profile type**: select **Templates**
- - **Template name**: select **Custom**
-1. Select **Create**
-1. In **Basics**, enter the following properties:
- - **Name**: enter a descriptive name for the profile
- - **Description**: enter a description for the profile. This setting is optional, but recommended
-1. Select **Next**
-1. In **Configuration settings**, select **Add** and enter the following properties, repeating the process for each row and selecting **Save**:
-
- | | Name | OMA-URI | Data type | Value |
- |--|--|--|--|--|
- | | `EnableWebSignInForPrimaryUser` | `./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser` | Integer | 1 |
- | | `ConfigureWebSignInAllowedUrls` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls` | String | Semicolon separated list of domains, for example: `samlidp.clever.com;clever.com;mobile-redirector.clever.com` |
- | | `IsEducationEnvironment` | `./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment` | Integer | 1 |
- | | `ConfigureWebCamAccessDomainNames` | `./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames` | String | This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: `clever.com` |
-
- :::image type="content" source="images/edu-federated-authentication-settings.png" alt-text="Custom policy showing the settings to be configured to enable federated authentication" lightbox="images/edu-federated-authentication-settings.png" border="true":::
-1. Select **Review + Save**
-1. Select **Next**
-1. In **Scope tags**, assign any applicable tags (optional)
-1. Select **Next**
-1. In **Assignments**, select the security groups that will receive the policy
-1. Select **Next**
-1. In **Applicability Rules**, select **Next**
-1. In **Review + create**, review your settings and select **Create**
-
-## How to use federated authentication
-
-Once the devices are configured, a new sign-in experience becomes available.
-
-:::image type="content" source="./images/federated-auth.gif" alt-text="Windows 11 SE sign-in using federated authentication through Clever and QR code badge." border="true":::
-
-## Known issues
-- Network and Accessibility menus aren't available in the web sign-in flow. They can be accessed on the standard Windows sign-in page. While in the web sign-in flow, press Ctrl+Alt+Delete and the classic Windows sign-in UI will be shown, along with the buttons that launch those menus.
-- This feature won't work without access to network, as the authentication is done via a third-party provider over the network. Always make sure that there's a valid network connection, before trying to launch the web sign-in flow.
-
-## Troubleshooting
-- The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen.
-- The *Other User* button can be pressed, and standard username/password credentials can be used to log into the device.
-
-[MEM-1]: /mem/intune/configuration/custom-settings-configure
-
-[AZ-1]: /azure/active-directory/hybrid/how-to-connect-fed-saml-idp
-[AZ-2]: /azure/active-directory/enterprise-users/licensing-groups-assign
\ No newline at end of file
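Review bot: Deleting edu-federated-authentication.md here, along with the TOC.yml entry above, adds no redirect for the published URL anywhere in the visible changes, so existing inbound links will break. If the feature is being withdrawn rather than the page moved, admins who already deployed `EnableWebSignInForPrimaryUser` and `ConfigureWebSignInAllowedUrls` need a short note saying whether those settings are still honoured and how to fall back to standard sign-in. Please add the redirect entry and state the reason for removal in the commit description.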
diff --git a/education/windows/edu-themes.md b/education/windows/edu-themes.md
index e07ac617b3..78ba99e4fb 100644
--- a/education/windows/edu-themes.md
+++ b/education/windows/edu-themes.md
@@ -13,6 +13,7 @@ manager: aaroncz
ms.collection: education
appliesto:
- ✅ Windows 11 22H2
+- ✅ Windows 11 SE 22H2
---
# Configure education themes for Windows 11
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 4fbe0e9f89..0a06370a11 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -16,6 +16,8 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# Working with Microsoft Store for Education
@@ -133,18 +135,10 @@ Teachers can:
## Distribute apps
-Manage and distribute apps to students and others in your organization. Different options are available for admins and teachers.
-
-Applies to: IT admins
-
**To manage and distribute apps**
- For info on how to distribute **Minecraft: Education Edition**, see [For IT admins – Minecraft: Education Edition](./school-get-minecraft.md#distribute-minecraft)
- For info on how to manage and distribute other apps, see [App inventory management - Microsoft Store for Business](/microsoft-store/app-inventory-management-windows-store-for-business)
-Applies to: Teachers
-
-For info on how to distribute **Minecraft: Education Edition**, see [For teachers – Minecraft: Education Edition](./teacher-get-minecraft.md#distribute-minecraft).
-
**To assign an app to a student**
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
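Review bot: With the intro sentence and both `Applies to:` labels removed, `## Distribute apps` now opens directly on the bold `**To manage and distribute apps**` label and no longer says which steps are for IT admins and which are for teachers. Keep a one-line lead-in naming the audience. Also check whether the `**To assign an app to a student**` steps that remain should still send readers to educationstore.microsoft.com, since other files in this patch move the purchase flow to the Microsoft Admin Center.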
@@ -177,4 +171,4 @@ You can manage your orders through Microsoft Store for Business. For info on ord
It can take up to 24 hours after a purchase, before a receipt is available on your **Order history page**.
> [!NOTE]
-> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call.
\ No newline at end of file
+> For **Minecraft: Education Edition**, you can request a refund through Microsoft Store for Business for two months from the purchase date. After two months, refunds require a support call.
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index f03899ae3d..a29c2d277f 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -16,6 +16,8 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# Get Minecraft: Education Edition
@@ -24,23 +26,18 @@ appliesto:
-Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
-
-
+Teachers and IT administrators can now get access to **Minecraft: Education Edition** and add it their Microsoft Admin Center for distribution.
## Prerequisites
-- **Minecraft: Education Edition** requires Windows 10.
+- For a complete list of Operating Systems supported by **Minecraft: Education Edition**, see [here](https://educommunity.minecraft.net/hc/articles/360047556591-System-Requirements).
- Trials or subscriptions of **Minecraft: Education Edition** are offered to education tenants that are managed by Azure Active Directory (Azure AD).
- If your school doesn't have an Azure AD tenant, the [IT administrator can set one up](school-get-minecraft.md) as part of the process of getting **Minecraft: Education Edition**.
- Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://www.microsoft.com/education/products/office)
- If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
-
-[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
-
-[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
\ No newline at end of file
+[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
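Review bot: The rewritten opening sentence still reads "add it their Microsoft Admin Center"; the missing "to" was carried over from the old line and should be fixed while this line is being touched. In the new prerequisite, the link text `[here]` tells the reader nothing about the destination; use descriptive text such as the name of the system requirements article. Replacing "requires Windows 10" with an external link also means the page no longer states any minimum OS itself, so consider keeping a one-line summary next to the link.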
diff --git a/education/windows/images/edu-federated-authentication-settings.png b/education/windows/images/edu-federated-authentication-settings.png
deleted file mode 100644
index 5e1b429f46..0000000000
Binary files a/education/windows/images/edu-federated-authentication-settings.png and /dev/null differ
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 354ac7c48e..5205e02a4a 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -53,8 +53,6 @@ landingContent:
url: edu-themes.md
- text: Configure Stickers
url: edu-stickers.md
- - text: Configure federated authentication
- url: edu-federated-authentication.md
- linkListType: video
links:
- text: Deploy Windows 11 SE using Set up School PCs
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index e0e44e51c8..64dc362a33 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -1,5 +1,5 @@
---
-title: Take tests in Windows 10
+title: Take tests in Windows
description: Learn how to set up and use the Take a Test app.
keywords: take a test, test taking, school, how to, use Take a Test
ms.prod: windows
@@ -15,11 +15,13 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
-# Take tests in Windows 10
+# Take tests in Windows
-Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows 10 creates the right environment for taking a test:
+Many schools use online testing for formative and summative assessments. It's critical that students use a secure browser that prevents them from using other computer or Internet resources during the test. The **Take a Test** app in Windows creates the right environment for taking a test:
- Take a Test shows just the test and nothing else.
- Take a Test clears the clipboard.
@@ -46,7 +48,7 @@ There are several ways to configure devices for assessments, depending on your u
- **For a single PC**
- You can use the Windows 10 **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
+ You can use the Windows **Settings** application. For more info, see [Set up Take a Test on a single PC](take-a-test-single-pc.md).
- **For multiple PCs**
@@ -55,7 +57,7 @@ There are several ways to configure devices for assessments, depending on your u
- A provisioning package created in Windows Configuration Designer
- Group Policy to deploy a scheduled task that runs a Powershell script
- Beginning with Windows 10 Creators Update (version 1703), you can also configure Take a Test using these options:
+ You can also configure Take a Test using these options:
- Set up School PCs app
- Intune for Education
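Review bot: Dropping "Beginning with Windows 10 Creators Update (version 1703)" from the last changed line removes the minimum-version requirement for the Set up School PCs and Intune for Education options, while `appliesto` in this same file still lists Windows 10. Readers on older Windows 10 builds lose that information; keep the version floor as a note or qualifier. The neighbouring context line also spells "Powershell", which should be "PowerShell" if the line is touched.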
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 9436f4e605..47f90a01c2 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -16,160 +16,34 @@ ms.reviewer:
manager: aaroncz
appliesto:
- ✅ Windows 10
+- ✅ Windows 11
+- ✅ Windows 11 SE
---
# For teachers - get Minecraft: Education Edition
-The following article describes how teachers can get and distribute Minecraft: Education Edition.
-Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the Microsoft Store for Education, via volume licensing agreements and through partner resellers.
+The following article describes how teachers can get and distribute Minecraft: Education Edition at their school. Minecraft: Education Edition is available for anyone to trial, and subscriptions can be purchased by qualified educational institutions directly in the [Microsoft Admin Center by IT Admins](/education/windows/school-get-minecraft), via volume licensing agreements and through partner resellers.
-To get started, go to https://education.minecraft.net/ and select **GET STARTED**.
## Try Minecraft: Education Edition for Free
Minecraft: Education Edition is available for anyone to try for free! The free trial is fully functional but limited by the number of logins (25 for teachers and 10 for students) before a paid license will be required to continue playing.
-To learn more and get started, go to https://education.minecraft.net/ and select **GET STARTED**.
+To learn more and get started, [download the Minecraft: Education Edition app here.](https://aka.ms/download)
## Purchase Minecraft: Education Edition for Teachers and Students
-Minecraft: Education Edition is licensed via yearly subscriptions that are purchased through the Microsoft Store for Education, via volume licensing agreements and through partner resellers.
+As a teacher, you will need to have your IT Admin purchase licenses for you and your students directly through the Microsoft Admin Center, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 subscription.
->[!Note]
->M:EE is available on many platforms, but all license purchases can only be done through one of the three methods listed above.
+M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly.
-As a teacher, you may purchase subscription licenses for you and your students directly through the Microsoft Store for Education, or you may already have access to licenses at your school (through a volume license agreement) if you have an Office 365 account.
-
->[!Note]
->If you already have Office 365, you may already have Minecraft: Education Edition licenses for your school! M:EE is included in many volume license agreements, however, only the administrators at your school will be able to assign and manage those licenses. If you have an Office 365 account, check with your school administration or IT administrator prior to purchasing M:EE directly.
-
-You can purchase individual Minecraft: Education Edition subscriptions for you and other teachers and students directly in the Microsoft Store for Education.
-
-To purchase individual Minecraft: Education Edition subscriptions (that is, direct purchase):
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com/) with your Office 365 account.
-2. Click on [Minecraft: Education Edition](https://educationstore.microsoft.com/en-us/store/details/minecraft-education-edition/9nblggh4r2r6) (or use Search the Store to find it)
-3. Click **Buy**
-
->[!Note]
->Administrators can restrict the ability for teachers to purchase applications in the Microsoft Store for Education. If you do not have the ability to Buy, contact your school administration or IT administrator.
-
-
-## Distribute Minecraft
-
-After Minecraft: Education Edition licenses have been purchased, either directly, through a volume license agreement or through a partner reseller, those licenses will be added to your Microsoft Store for Education. From there you have three options:
-
-- You can install the app on your PC.
-- You can assign the app to others.
-- You can download the app to distribute.
-
-
-
-### Install for me
-You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
-
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**, and then click **Install**.
-
-
-
-3. Click **Install**.
-
-### Assign to others
-Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school.
-
-**To assign to others**
-1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
-2. Click **Manage**.
-
-
-
-3. Click **Invite people**.
-
-4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
-
- 
-
- You can assign the app to students with work or school accounts.
- If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
-
-
-**To finish Minecraft install (for students)**
-
-Students will receive an email with a link that will install the app on their PC.
-
-
-
-1. Click **Get the app** to start the app install in Microsoft Store app.
-2. In Microsoft Store app, click **Install**.
-
- 
-
- After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
-
- 
-
- When students click **My Library** they'll find apps assigned to them.
-
- 
-
-### Download for others
-Download for others allows teachers or IT admins to download packages that they can install on student PCs. This option will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
-- You have administrative permissions to install apps on the PC.
-- You want to install this app on each of your student's Windows 10 (at least version 1511) PCs.
-- Your students share Windows 10 computers, but sign in with their own Windows account.
-
-#### Requirements
-- Administrative permissions are required on the PC. If you don't have the correct permissions, you won't be able to install the app.
-- Windows 10 (at least version 1511) is required for PCs running Minecraft: Education Edition.
-
-#### Check for updates
-Minecraft: Education Edition won't install if there are updates pending for other apps on the PC. Before installing Minecraft, check to see if there are pending updates for Microsoft Store apps.
-
-**To check for app updates**
-1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
-2. Click the account button, and then click **Downloads and updates**.
-
- 
-
-3. Click **Check for updates**, and install all available updates.
-
- 
-
-4. Restart the computer before installing Minecraft: Education Edition.
-
-#### To download for others
-You'll download a .zip file, extract the files, and then use one of the files to install Minecraft: Education Edition on each PC.
-
-1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
-
- 
-
-2. **Extract files**. Find the .zip file that you downloaded and extract the files. This downloaded location is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
-3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
-4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**.
-5. **Quick check**. The install program checks the PC to make sure it can run Minecraft: Education Edition. If your PC passes this test, the app will automatically install.
-6. **Restart**. Once installation is complete, restart each PC. Minecraft: Education Edition app is now ready for any student to use.
#### Troubleshoot
-If you ran **InstallMinecraftEducationEdition.bat** and Minecraft: Education Edition isn't available, there are a few things that might have happened.
-
-| Problem | Possible cause | Solution |
-|---------|----------------|----------|
-| Script ran, but it doesn't look like the app installed. | There might be pending app updates. | Check for app updates (see steps earlier in this topic). Install updates. Restart PC. Run **InstallMinecraftEducationEdition.bat** again. |
-| App won't install. | AppLocker is configured and preventing app installs. | Contact IT Admin. |
-| App won't install. | Policy prevents users from installing apps on the PC. | Contact IT Admin. |
-| Script starts, but stops quickly. | Policy prevents scripts from running on the PC. | Contact IT Admin. |
-| App isn't available for other users. | No restart after install. If you don't restart the PC, and just switch users the app won't be available.| Restart PC. Run **InstallMinecraftEducationEdition.bat** again. If a restart doesn't work, contact your IT Admin. |
-
-
-If you're still having trouble installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799757).
+If you're having trouble installing the app, you can get more help on our [Support page](https://aka.ms/minecraftedusupport).
## Related topics
-[Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
-Learn about overall Microsoft Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
[Get Minecraft: Education Edition](get-minecraft-for-education.md)
[For IT admins: get Minecraft: Education Edition](school-get-minecraft.md)
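Review bot: The retained `#### Troubleshoot` heading is now orphaned: its parents `## Distribute Minecraft` and `### Download for others` are deleted in this hunk, so an h4 sits directly under `## Purchase Minecraft: Education Edition for Teachers and Students`. Promote it to `##`. The new download link `https://aka.ms/download` is an opaque short link whose name does not indicate Minecraft; please confirm the target and prefer a link whose destination is evident to the reader. The intro still says the article covers how teachers "get and distribute" the app although the distribution section is gone, and the new absolute link `/education/windows/school-get-minecraft` is inconsistent with the relative `school-get-minecraft.md` used under Related topics.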
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index e06e70792f..aa15270570 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -1559,6 +1559,16 @@ ms.date: 10/08/2020
- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth)
- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
+- [DesktopAppInstaller/EnableAdditionalSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableadditionalsources)
+- [DesktopAppInstaller/EnableAppInstaller](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableappinstaller)
+- [DesktopAppInstaller/EnableLocalManifestFiles](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablelocalmanifestfiles)
+- [DesktopAppInstaller/EnableHashOverride](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablehashoverride)
+- [DesktopAppInstaller/EnableMicrosoftStoreSource](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemicrosoftstoresource)
+- [DesktopAppInstaller/EnableMSAppInstallerProtocol](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablemsappinstallerprotocol)
+- [DesktopAppInstaller/EnableSettings](./policy-csp-desktopappinstaller.md#desktopappinstaller-enablesettings)
+- [DesktopAppInstaller/EnableAllowedSources](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableallowedsources)
+- [DesktopAppInstaller/EnableExperimentalFeatures](./policy-csp-desktopappinstaller.md#desktopappinstaller-enableexperimentalfeatures)
+- [DesktopAppInstaller/SourceAutoUpdateInterval](./policy-csp-desktopappinstaller.md#desktopappinstaller-sourceautoupdateinterval)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdeviceids)
- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallationallowinstallationofmatchingdevicesetupclasses)
- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallationpreventdevicemetadatafromnetwork)
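Review bot: This list adds ten DesktopAppInstaller entries and omits `DesktopAppInstaller/EnableDefaultSource`, which appears in the lists added to policy-configuration-service-provider.md and policy-csp-desktopappinstaller.md in the same patch. Either add the missing entry or explain why it is not ADMX-backed. The new entries are also not alphabetical (`EnableLocalManifestFiles` before `EnableHashOverride`, `EnableAllowedSources` after `EnableSettings`) while the surrounding list is; sorting them would keep the index scannable.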
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index 3532c7a43b..79aba31f6b 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -5173,6 +5173,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+
### ADMX_WindowsRemoteManagement policies
@@ -6303,6 +6304,43 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### DesktopAppInstaller policies
+
+ -
+ DesktopAppInstaller/EnableAdditionalSources
+
+-
+ DesktopAppInstaller/EnableAppInstaller
+
+ -
+ DesktopAppInstaller/EnableDefaultSource
+
+ -
+ DesktopAppInstaller/EnableLocalManifestFiles
+
+ -
+ DesktopAppInstaller/EnableHashOverride
+
+ -
+ DesktopAppInstaller/EnableMicrosoftStoreSource
+
+ -
+ DesktopAppInstaller/EnableMSAppInstallerProtocol
+
+ -
+ DesktopAppInstaller/EnableSettings
+
+ -
+ DesktopAppInstaller/EnableAllowedSources
+
+ -
+ DesktopAppInstaller/EnableExperimentalFeatures
+
+ -
+ DesktopAppInstaller/SourceAutoUpdateInterval
+
+
+
### DeviceGuard policies
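Review bot: The `DesktopAppInstaller/EnableAppInstaller` entry starts at column zero (`+-`) while the other ten entries in this added list are indented (`+ -`), which can break the list nesting when rendered; align it with its siblings. The order of entries also differs from alphabetical, matching the issue in policies-in-policy-csp-admx-backed.md, so fix both lists together.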
@@ -6550,6 +6588,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
-
Experience/AllowSyncMySettings
+ -
+ Experience/AllowSpotlightCollection
+
-
Experience/AllowTailoredExperiencesWithDiagnosticData
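Review bot: `Experience/AllowSpotlightCollection` is inserted after `Experience/AllowSyncMySettings`, which puts it out of alphabetical order relative to the entries around it; it belongs before `AllowSyncMySettings`. It is also unrelated to the DesktopAppInstaller additions in the rest of this file's changes, so mention it in the commit description or split it out.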
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
new file mode 100644
index 0000000000..f6ec4db880
--- /dev/null
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -0,0 +1,595 @@
+---
+title: Policy CSP - DesktopAppInstaller
+description: Learn about the Policy CSP - DesktopAppInstaller.
+ms.author: v-aljupudi
+ms.localizationpriority: medium
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: alekyaj
+ms.date: 08/24/2022
+ms.reviewer:
+manager: aaroncz
+---
+
+# Policy CSP - DesktopAppInstaller
+
+>[!TIP]
+> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+>
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
+>
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+
+
+
+
+
+## DesktopAppInstaller policies
+
+
+ -
+ DesktopAppInstaller/EnableAdditionalSources
+
+ -
+ DesktopAppInstaller/EnableAppInstaller
+
+ -
+ DesktopAppInstaller/EnableDefaultSource
+
+ -
+ DesktopAppInstaller/EnableLocalManifestFiles
+
+ -
+ DesktopAppInstaller/EnableHashOverride
+
+ -
+ DesktopAppInstaller/EnableMicrosoftStoreSource
+
+ -
+ DesktopAppInstaller/EnableMSAppInstallerProtocol
+
+ -
+ DesktopAppInstaller/EnableSettings
+
+ -
+ DesktopAppInstaller/EnableAllowedSources
+
+ -
+ DesktopAppInstaller/EnableExperimentalFeatures
+
+ -
+ DesktopAppInstaller/SourceAutoUpdateInterval
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableAdditionalSources**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy controls additional sources configured for [Windows Package Manager](/windows/package-manager/).
+
+If you don't configure this setting, no additional sources will be configured for Windows Package Manager.
+
+If you enable this setting, additional sources will be added to Windows Package Manager, and can't be removed. The representation for each additional source can be obtained from installed sources using [*winget source export*](/windows/package-manager/winget/).
+
+If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Additional Windows Package Manager Sources*
+- GP name: *EnableAdditionalSources*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableAppInstaller**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy controls whether Windows Package Manager can be used by users. Users will still be able to execute the *winget* command. The default help will be displayed, and users will still be able to execute *winget -?* to display the help as well. Any other command will result in the user being informed the operation is disabled by Group Policy.
+
+- If you enable or don't configure this setting, users will be able to use the Windows Package Manager.
+- If you disable this setting, users won't be able to use the Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Controls whether the Windows Package Manager can be used by the users*
+- GP name: *EnableAppInstaller*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableDefaultSource**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls the default source included with the Windows Package Manager.
+If you do not configure this setting, the default source for the Windows Package Manager will be and can be removed.
+- If you enable this setting, the default source for the Windows Package Manager will be, and can't be removed.
+- If you disable this setting the default source for the Windows Package Manager won't be available.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Default Source*
+- GP name: *EnableDefaultSource*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableLocalManifestFiles**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether users can install packages with local manifest files.
+
+- If you enable or don't configure this setting, users will be able to install packages with local manifests using the Windows Package Manager.
+- If you disable this setting, users won't be able to install packages with local manifests using the Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Local Manifest Files*
+- GP name: *EnableLocalManifestFiles*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+**DesktopAppInstaller/EnableHashOverride**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether Windows Package Manager can be configured to enable the ability to override `SHA256` security validation in settings. Windows Package Manager compares the installer after it has downloaded with the hash provided in the manifest.
+
+- If you enable or do not configure this setting, users will be able to enable the ability to override `SHA256` security validation in Windows Package Manager settings.
+
+- If you disable this setting, users will not be able to enable the ability to override SHA256 security validation in Windows Package Manager settings.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable App Installer Hash Override*
+- GP name: *EnableHashOverride*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableMicrosoftStoreSource**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls the Microsoft Store source included with the Windows Package Manager.
+If you don't configure this setting, the Microsoft Store source for the Windows Package manager will be available and can be removed.
+- If you enable this setting, the Microsoft Store source for the Windows Package Manager will be available, and can't be removed.
+- If you disable this setting the Microsoft Store source for the Windows Package Manager won't be available.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Microsoft Store Source*
+- GP name: *EnableMicrosoftStoreSource*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableMSAppInstallerProtocol**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether users can install packages from a website that is using the `ms-appinstaller` protocol.
+
+- If you enable or do not configure this setting, users will be able to install packages from websites that use this protocol.
+
+- If you disable this setting, users will not be able to install packages from websites that use this protocol.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable MS App Installer Protocol*
+- GP name: *EnableMSAppInstallerProtocol*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableSettings**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether users can change their settings. The settings are stored inside of a .json file on the user’s system. It may be possible for users to gain access to the file using elevated credentials. This won't override any policy settings that have been configured by this policy.
+
+- If you enable or do not configure this setting, users will be able to change settings for Windows Package Manager.
+- If you disable this setting, users will not be able to change settings for Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Settings Command*
+- GP name: *EnableSettings*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableAllowedSources**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls additional sources approved for users to configure using Windows Package Manager. If you don't configure this setting, users will be able to add or remove additional sources other than those configured by policy.
+
+- If you enable this setting, only the sources specified can be added or removed from Windows Package Manager. The representation for each allowed source can be obtained from installed sources using winget source export.
+- If you disable this setting, no additional sources can be configured by the user for Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Settings Command*
+- GP name: *EnableAllowedSources*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/EnableExperimentalFeatures**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls whether users can enable experimental features in Windows Package Manager. Experimental features are used during Windows Package Manager development cycle to provide previews for new behaviors. Some of these experimental features may be implemented prior to the Group Policy settings designed to control their behavior.
+
+- If you enable or do not configure this setting, users will be able to enable experimental features for Windows Package Manager.
+
+- If you disable this setting, users will not be able to enable experimental features for Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Enable Windows Package Manager Experimental Features*
+- GP name: *EnableExperimentalFeatures*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+**DesktopAppInstaller/SourceAutoUpdateInterval**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|Yes|Yes|
+|Windows SE|Yes|Yes|
+|Business|Yes|Yes|
+|Enterprise|Yes|Yes|
+|Education|Yes|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+
+This policy controls the auto-update interval for package-based sources. The default source for Windows Package Manager is configured such that an index of the packages is cached on the local machine. The index is downloaded when a user invokes a command, and the interval has passed (the index is not updated in the background). This setting has no impact on REST-based sources.
+
+- If you enable this setting, the number of minutes specified will be used by Windows Package Manager.
+
+- If you disable or do not configure this setting, the default interval or the value specified in settings will be used by Windows Package Manager.
+
+
+
+
+ADMX Info:
+- GP Friendly name: *Set Windows Package Manager Source Auto Update Interval In Minutes*
+- GP name: *SourceAutoUpdateInterval*
+- GP path: *Administrative Templates\Windows Components\App Package Deployment*
+- GP ADMX file name: *AppxPackageManager.admx*
+
+
+
+
+
+
+
+
+## Related topics
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
\ No newline at end of file
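Review bot: In the EnableDefaultSource section the behaviour sentences are missing a word: "the default source for the Windows Package Manager will be and can be removed" and "will be, and can't be removed" should read "will be available ...", matching the wording used under EnableMicrosoftStoreSource. The ADMX info for EnableAllowedSources repeats the GP Friendly name "Enable Windows Package Manager Settings Command" that is already listed for EnableSettings; this looks like a copy-paste and should be checked against AppxPackageManager.admx. For EnableHashOverride, both "enabled" and "not configured" let users turn on the SHA256 override, so it would help to state explicitly that the policy has to be disabled to keep installer hash validation mandatory. The new file also ends without a trailing newline.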
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index 80986cd431..baeea5bf25 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -50,6 +50,9 @@ manager: aaroncz
-
Experience/AllowSyncMySettings
+ -
+ Experience/AllowSpotlightCollection
+
-
Experience/AllowTailoredExperiencesWithDiagnosticData
@@ -494,6 +497,50 @@ The following list shows the supported values:
+
+**Experience/AllowSpotlightCollection**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|No|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This policy allows spotlight collection on the device.
+
+- If you enable this policy, "Spotlight collection" will not be available as an option in Personalization settings.
+- If you disable or do not configure this policy, "Spotlight collection" will appear as an option in Personalization settings, allowing the user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop.
+
+
+
+The following list shows the supported values:
+
+- When set to 0: Spotlight collection will not show as an option in Personalization Settings and therefore be unavailable on Desktop
+- When set to 1: Spotlight collection will show as an option in Personalization Settings and therefore be available on Desktop, allowing Desktop to refresh for daily images from Microsoft
+- Default value: 1
+
+
+
+
+
+
**Experience/AllowTailoredExperiencesWithDiagnosticData**
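Review bot: The enable/disable bullets for Experience/AllowSpotlightCollection contradict the supported values listed below them. The bullets say that enabling the policy makes "Spotlight collection" unavailable and that disabling or not configuring it shows the option, while the value list says 0 hides the option, 1 shows it, and 1 is the default; the lead sentence also says the policy "allows spotlight collection". Confirm the intended behaviour and make the two agree, either by swapping the bullets or by restating them in terms of the values 0 and 1.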
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index df30b8f920..d1a49971c5 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -20,6 +20,9 @@ manager: aaroncz
## HumanPresence policies
+ -
+ HumanPresence/ForceInstantDim
+
-
HumanPresence/ForceInstantLock
@@ -33,6 +36,56 @@ manager: aaroncz
+
+**HumanPresence/ForceInstantDim**
+
+
+
+|Edition|Windows 10|Windows 11|
+|--- |--- |--- |
+|Home|No|No|
+|Pro|No|Yes|
+|Business|No|No|
+|Enterprise|No|Yes|
+|Education|No|Yes|
+
+
+
+
+
+[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+> [!div class = "checklist"]
+> * Device
+
+
+
+
+
+This feature dims the screen based on user attention. This is a power saving feature that prolongs battery charge.
+
+
+
+ADMX Info:
+- GP Friendly name: *Force Instant Dim*
+- GP name: *ForceInstantDim*
+- GP path: *Windows Components/Human Presence*
+- GP ADMX file name: *Sensors.admx*
+
+
+
+The following list shows the supported values:
+
+- 2 = ForcedOff
+- 1 = ForcedOn
+- 0 = DefaultToUserChoice
+- Defaults to 0.
+
+
+
+
+
+
**HumanPresence/ForceInstantLock**
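Review bot: The description under HumanPresence/ForceInstantDim explains the dimming feature but not what the policy does, so nothing ties the text to the ForcedOn, ForcedOff and DefaultToUserChoice values listed below it. Add a sentence per value saying what it does to the feature and whether the user can still change the setting. "Defaults to 0." is also formatted as a fourth item in the value list; fold it into the 0 entry or move it out of the list.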
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 1b307f4e8d..7b94010e16 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -685,6 +685,8 @@ items:
href: policy-csp-deliveryoptimization.md
- name: Desktop
href: policy-csp-desktop.md
+ - name: DesktopAppInstaller
+ href: policy-csp-desktopappinstaller.md
- name: DeviceGuard
href: policy-csp-deviceguard.md
- name: DeviceHealthMonitoring
@@ -980,4 +982,4 @@ items:
href: wirednetwork-csp.md
items:
- name: WiredNetwork DDF file
- href: wirednetwork-ddf-file.md
\ No newline at end of file
+ href: wirednetwork-ddf-file.md
diff --git a/windows/deployment/media/Windows10AutopilotFlowchart.pdf b/windows/deployment/media/Windows10AutopilotFlowchart.pdf
deleted file mode 100644
index 5ab6f1c52e..0000000000
Binary files a/windows/deployment/media/Windows10AutopilotFlowchart.pdf and /dev/null differ
diff --git a/windows/deployment/media/Windows10DeploymentConfigManager.pdf b/windows/deployment/media/Windows10DeploymentConfigManager.pdf
deleted file mode 100644
index 3a4c5f022e..0000000000
Binary files a/windows/deployment/media/Windows10DeploymentConfigManager.pdf and /dev/null differ
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 18021d5a5d..f140db4d51 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -19,15 +19,15 @@ The following posters step through various options for deploying Windows 10 with
## Deploy Windows 10 with Autopilot
-The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
+The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
-[](./media/Windows10AutopilotFlowchart.pdf)
+[](https://download.microsoft.com/download/8/4/b/84b5e640-8f66-4b43-81a9-1c3b9ea18eda/Windows10AutopilotFlowchart.pdf)
## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
-The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
+The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://download.microsoft.com/download/e/2/a/e2a70587-d3cc-4f1a-ba49-cfd724a1736b/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
-[](./media/Windows10DeploymentConfigManager.pdf)
+[](https://download.microsoft.com/download/e/2/a/e2a70587-d3cc-4f1a-ba49-cfd724a1736b/Windows10DeploymentConfigManager.pdf)
## See also
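Review bot: Only the PDF links move to download.microsoft.com; the Visio links in both paragraphs still point at github.com/MicrosoftDocs/windows-itpro-docs/raw/public/..., so each sentence now mixes two hosting locations. If the .vsdx files are meant to stay in the repo, say so in the commit message; if they are moving as well, update them in this change. The sentence "Click the image to view a PDF in your browser" was written for the in-repo ./media path and should be rechecked against the new download URLs.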
diff --git a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png
index 3abdb9288e..f5a8284a8c 100644
Binary files a/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png and b/windows/deployment/windows-autopatch/media/windows-autopatch-device-registration-workflow-diagram.png differ
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
index 15a138fcdf..50e4fd586e 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
@@ -37,7 +37,7 @@ In this example, we'll be discussing a device in the First ring. The Autopatch s
In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
-:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience":::
+:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience" lightbox="../media/windows-feature-typical-update-experience.png":::
### Feature update deadline forces an update
@@ -45,7 +45,7 @@ The following example builds on the scenario outlined in the typical user experi
The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
-:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update":::
+:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update" lightbox="../media/windows-feature-force-update.png":::
### Feature update grace period
@@ -53,7 +53,7 @@ In the following example, the user is on holiday and the device is offline beyon
Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
-:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period":::
+:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Windows feature update grace period" lightbox="../media/windows-feature-update-grace-period.png":::
## Servicing window
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
index c24e373172..1f19a0fd64 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
@@ -46,7 +46,7 @@ The final release schedule is communicated prior to release and may vary a littl
| Fast | Release start + 60 days |
| Broad | Release start + 90 days |
-:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline":::
+:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline" lightbox="../media/windows-feature-release-process-timeline.png":::
## New devices to Windows Autopatch
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
index 555d20ee68..b83dc059df 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
@@ -36,7 +36,7 @@ Once the deferral period has passed, the device will download the update and not
In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
-:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience":::
+:::image type="content" source="../media/windows-quality-typical-update-experience.png" alt-text="Typical windows quality update experience" lightbox="../media/windows-quality-typical-update-experience.png":::
### Quality update deadline forces an update
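Review bot: The alt-text on the changed image line still reads "Typical windows quality update experience" with a lowercase "windows". Since the line is being edited anyway, capitalise it to "Windows" so it matches the other alt-text values touched in this change, such as "Typical Windows feature update experience".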
@@ -48,7 +48,7 @@ In the following example, the user:
The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the [active hours](#servicing-window) and force a restart to complete the update installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
-:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update":::
+:::image type="content" source="../media/windows-quality-force-update.png" alt-text="Force Windows quality update" lightbox="../media/windows-quality-force-update.png":::
### Quality update grace period
@@ -56,7 +56,7 @@ In the following example, the user is on holiday and the device is offline beyon
Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
-:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period":::
+:::image type="content" source="../media/windows-quality-update-grace-period.png" alt-text="Windows quality update grace period" lightbox="../media/windows-quality-update-grace-period.png":::
## Servicing window
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index c7c96c2575..013386f69a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -50,7 +50,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s
Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings).
-:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline":::
+:::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline" lightbox="../media/release-process-timeline.png":::
## Expedited releases
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
index 4e5a37bb81..d8b16b880a 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-signals.md
@@ -42,7 +42,7 @@ The update is released to the Test ring on the second Tuesday of the month. Thos
Windows Autopatch monitors devices for a set of core reliability metrics as a part of the service.
-The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices have upgraded to the new version.
+The service then uses statistical models to assess if there are significant differences between the two Windows versions. To make a statistically significant assessment, Windows Autopatch requires that at least 500 devices in your tenant have upgraded to the new version.
As more devices update, the confidence of the analysis increases and gives us a clearer picture of release quality. If we determine that the user experience is impaired, Autopatch will either post a customer advisory or pause the release, depending on the criticality of the update.
@@ -51,8 +51,8 @@ Autopatch monitors the following reliability signals:
| Device reliability signal | Description |
| ----- | ----- |
| Blue screens | These events are highly disruptive to end users so are closely watched. |
-| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known issue with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
-| Microsoft Office reliability | Tracks the number of Office crashes or freezes per application per device. |
+| Overall app reliability | Tracks the total number of app crashes and freezes on a device. A known limitation with this measure is that if one app becomes 10% more reliable and another becomes 10% less reliable then it shows up as a flat line in the measure. |
+| Microsoft Office reliability | Tracks the number of Office crashes and freezes per application per device. |
| Microsoft Edge reliability | Tracks the number of Microsoft Edge crashes and freezes per device. |
| Microsoft Teams reliability | Tracks the number of Microsoft Teams crashes and freezes per device. |
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
index 4ca89f1b2d..5f31bb4692 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
@@ -132,4 +132,4 @@ Windows Autopatch creates an enterprise application in your tenant. This enterpr
| Script | Description |
| ----- | ----- |
-| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service |
+| Modern Workplace - Autopatch Client Setup v1.1 | Installs necessary client components for the Windows Autopatch service |
diff --git a/windows/hub/WaaS-infographic.pdf b/windows/hub/WaaS-infographic.pdf
deleted file mode 100644
index cb1ef988a1..0000000000
Binary files a/windows/hub/WaaS-infographic.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf b/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf
deleted file mode 100644
index 557f45193a..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-CleanInstallation.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf b/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf
deleted file mode 100644
index d01542ed2b..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-InplaceUpgrade.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf b/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf
deleted file mode 100644
index 87110d6b3e..0000000000
Binary files a/windows/media/ModernSecureDeployment/Deploy-WindowsAutoPilot.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf b/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf
deleted file mode 100644
index 8d04e66910..0000000000
Binary files a/windows/media/ModernSecureDeployment/ProtectionSolutions.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf b/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf
deleted file mode 100644
index 86529c1665..0000000000
Binary files a/windows/media/ModernSecureDeployment/Series-ModernAndSecureWindowsDeployment.pdf and /dev/null differ
diff --git a/windows/media/ModernSecureDeployment/WindowsServicing.pdf b/windows/media/ModernSecureDeployment/WindowsServicing.pdf
deleted file mode 100644
index 19a419e3a9..0000000000
Binary files a/windows/media/ModernSecureDeployment/WindowsServicing.pdf and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index d995550c13..cfab29e74f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -69,7 +69,7 @@ If the error occurs again, check the error code against the following table to s
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
-| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.|
+| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method. Another common issue is caused by clients inability to verify the KDC certificate CRL|
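Review bot: The sentence appended to the 0xC00000BB mitigation cell ("Another common issue is caused by clients inability to verify the KDC certificate CRL") names a second cause but gives no action, and because it follows "Use a different login method." it reads as part of the remedy. Suggest placing it next to the first cause and saying what to check, for example that the CRL distribution point listed in the KDC certificate is reachable from the client. "clients inability" should be "the client's inability", and the sentence needs a closing period before the cell delimiter.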
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
index 8765cbc8c3..95583c6427 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
@@ -63,6 +63,11 @@ The following scenarios aren't supported using Windows Hello for Business cloud
- Using cloud trust for "Run as"
- Signing in with cloud trust on a Hybrid Azure AD joined device without previously signing in with DC connectivity
+> [!NOTE]
+> The default security policy for AD does not grant permission to sign high privilege accounts on to on-premises resources with Cloud Trust or FIDO2 security keys.
+>
+> To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object (CN=AzureADKerberos,OU=Domain Controllers,\).
+
## Deployment Instructions
Deploying Windows Hello for Business cloud trust consists of two steps:
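Review bot: The distinguished name in the added note ends at `OU=Domain Controllers,\` with nothing after the comma, so the domain component is missing and the DN cannot be used as written. If an angle-bracket placeholder was intended, wrap the whole DN in backticks so the placeholder survives rendering. The note also tells readers to modify msDS-NeverRevealGroup without saying what to change in it or that the change relaxes the default policy described in the first sentence. State which entries have to be edited and recommend limiting the change to the accounts that need it.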
@@ -256,4 +261,4 @@ Windows Hello for Business cloud trust cannot be used as a supplied credential w
### Do all my domain controllers need to be fully patched as per the prerequisites for me to use Windows Hello for Business cloud trust?
-No, only the number necessary to handle the load from all cloud trust devices.
\ No newline at end of file
+No, only the number necessary to handle the load from all cloud trust devices.
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index f85611c594..fe15669214 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -49,7 +49,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
- Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true)
```powershell
- New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level Publisher -Fallback Hash
+ New-CIPolicy -MultiplePolicyFormat -ScanPath -UserPEs -FilePath "\SupplementalPolicy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash
```
- Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true)
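Review bot: In the changed New-CIPolicy line, `-ScanPath` is followed directly by `-UserPEs`, so it has no value, and `-FilePath "\SupplementalPolicy.xml"` begins with a bare backslash. Both look like placeholders that were lost, and the command will not run when copied. Since the line is being edited anyway, restore the placeholders in a form that renders inside the fence. The step text should also say why the level moves from Publisher to FilePublisher with `-Fallback SignedVersion,Publisher,Hash`, because the generated rules change and readers comparing against an older policy will see a difference.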
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index 8b30f46fa9..ca600a98a7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -59,7 +59,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
4. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a **FilePublisher** file rule level and a **Hash** fallback level. Warning messages are redirected to a text file **EventsPolicyWarnings.txt**.
```powershell
- New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
+ New-CIPolicy -FilePath $EventsPolicy -Audit -Level FilePublisher -Fallback SignedVersion,FilePublisher,Hash –UserPEs -MultiplePolicyFormat 3> $EventsPolicyWarnings
```
> [!NOTE]
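Review bot: Step 4 still says the example uses "a **Hash** fallback level", but the new command passes `-Fallback SignedVersion,FilePublisher,Hash`, so the prose and the code now disagree and the sentence needs updating in the same change. Listing FilePublisher as a fallback is redundant when `-Level FilePublisher` is already the primary level; the other hunks in this patch use `SignedVersion,Publisher,Hash`, which looks like the intended list. The `–UserPEs` switch is written with an en dash rather than an ASCII hyphen; normalize it while the line is being edited.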
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
index c15d853296..b81414e10f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md
@@ -126,13 +126,13 @@ Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC
### Software Publisher Based Deny Rule
```Powershell
-$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Deny -Fallback FileName,Hash
+$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath -Fallback SignedVersion,Publisher,Hash -Deny
```
### Software Attributes Based Deny Rule
```Powershell
-$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Deny -Fallback Hash
+$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath -Fallback Hash -Deny
```
### Hash Based Deny Rule
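Review bot: In the Software Publisher Based Deny Rule, the fallback changes from `FileName,Hash` to `SignedVersion,Publisher,Hash`, and for a deny rule that widens the scope: when FilePublisher cannot be applied, the rule falls back to the signer rather than to the individual file, which can block far more than the one binary the reader pointed at. Either keep a file-scoped fallback for the deny examples or add a sentence warning about the broader match. `-DriverFilePath` has no value in either command, so both lines fail as written; add a placeholder path. Moving `-Deny` to the end is cosmetic and fine.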
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 65565ec200..cfea5dc30f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
-ms.reviewer: isbrahm
+ms.reviewer: jgeurten
ms.author: dansimp
manager: dansimp
ms.date: 02/28/2018
@@ -49,7 +49,9 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
2. Start Package Inspector, and then start scanning a local drive, for example, drive C:
- `PackageInspector.exe Start C:`
+ ```powershell
+ PackageInspector.exe Start C:
+ ```
> [!NOTE]
> Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
@@ -77,13 +79,12 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:.
- `$ExamplePath=$env:userprofile+"\Desktop"`
-
- `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
-
- `$CatDefName=$ExamplePath+"\LOBApp.cdf"`
-
- `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName`
+ ```powershell
+ $ExamplePath=$env:userprofile+"\Desktop"
+ $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ $CatDefName=$ExamplePath+"\LOBApp.cdf"
+ PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName
+ ```
>[!NOTE]
>Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries' hash values.
@@ -125,15 +126,18 @@ To sign the existing catalog file, copy each of the following commands into an e
1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed:
- `$ExamplePath=$env:userprofile+"\Desktop"`
-
- `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
+ ```powershell
+ $ExamplePath=$env:userprofile+"\Desktop"
+ $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"
+ ```
2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user's personal store.
3. Sign the catalog file with Signtool.exe:
- ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName`
+ ```powershell
+ sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName
+ ```
>[!NOTE]
>The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.
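Review bot: The new fenced block in step 3 starts with ` sign /n "ContosoDGSigningCert" ...`, so the path to Signtool.exe that the following note refers to as *<Path to signtool.exe>* is missing from the command. Inside a code fence this will be copied verbatim and `sign` is not a command on its own. Put the placeholder back in the fence in a form that renders, and drop the leading space. It would also help to mention that `/fd sha256` has to match the algorithm the reader later checks on the Digital Signatures tab.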
@@ -156,16 +160,20 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
1. If you haven't already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
-2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you'll later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
+2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a Windows Defender Application Control policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder** by scanning the system and allowlisting by signer and original filename:
- `New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs`
+ ```powershell
+ New-CIPolicy -Level FilePublisher -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs -MultiplePolicyFormat -Fallback SignedVersion,Publisher,Hash
+ ```
> [!NOTE]
> Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
-3. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``:
+3. Use [Add-SignerRule](/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``:
- `Add-SignerRule -FilePath -CertificatePath -User`
+ ```powershell
+ Add-SignerRule -FilePath -CertificatePath -User
+ ```
If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
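Review bot: The step 2 text now says the policy is created "by scanning the system and allowlisting by signer and original filename", and the command switches to `-Level FilePublisher` with a fallback list, yet the output is still named CatalogSignatureOnly.xml and is described as a policy to merge later. A full-system FilePublisher scan produces file-level rules for every binary found, which is no longer a signature-only policy; either keep a signer-level example here or rename the file and explain the larger result. `-MultiplePolicyFormat` is added without explanation, and `–UserPEs` uses an en dash. In step 3 the two placeholders in the sentence are empty backticks, and `Add-SignerRule -FilePath -CertificatePath -User` has no values for either path.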
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index dbe28e8b2a..b3cffd3fb8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -56,19 +56,19 @@ Prior to Windows 10 1903, Windows Defender Application Control only supported a
In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](/powershell/module/configci/new-cipolicy?preserve-view=true&view=win10-ps) results in 1) unique GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below example describes the process of creating a new policy in the multiple policy format.
```powershell
-New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level Publisher -Fallback Hash
+New-CIPolicy -MultiplePolicyFormat -ScanPath "" -UserPEs -FilePath ".\policy.xml" -Level FilePublisher -Fallback SignedVersion,Publisher,Hash
```
Optionally, you can choose to make the new base policy allow for supplemental policies.
```powershell
-Set-RuleOption -FilePath -Option 17
+Set-RuleOption -FilePath ".\policy.xml" -Option 17
```
For signed base policies to allow for supplemental policies, make sure that supplemental signers are defined. Use the **Supplemental** switch in **Add-SignerRule** to provide supplemental signers.
```powershell
-Add-SignerRule -FilePath -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny] []
+Add-SignerRule -FilePath ".\policy.xml" -CertificatePath [-Kernel] [-User] [-Update] [-Supplemental] [-Deny]
```
### Supplemental policy creation
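Review bot: The three commands in this hunk now mix concrete values with missing ones. `-ScanPath ""` passes an empty string, and in the Add-SignerRule line `-FilePath ".\policy.xml"` is concrete while `-CertificatePath` has no value and the remaining switches stay in optional-bracket syntax notation. Pick one style: either a runnable example with a placeholder certificate path and only the switches that apply (the paragraph above it is about `-Supplemental`), or the full syntax line with placeholders for every parameter. Using ".\policy.xml" consistently across the three commands is a good change and worth keeping.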
@@ -79,12 +79,9 @@ In order to create a supplemental policy, begin by creating a new policy in the
- "BasePolicyToSupplementPath": path to base policy file that the supplemental policy applies to
```powershell
-Set-CIPolicyIdInfo [-FilePath] [-PolicyName ] [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] [-ResetPolicyID] [-PolicyId ] []
+Set-CIPolicyIdInfo -FilePath ".\supplemental_policy.xml" [-SupplementsBasePolicyID ] [-BasePolicyToSupplementPath ] -PolicyId -PolicyName
```
-> [!NOTE]
-> **ResetPolicyId** reverts a supplemental policy to a base policy, and resets the policy GUIDs back to a random GUID.
-
### Merging policies
When you're merging policies, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDs and types are for any subsequent policies, the merged policy will be a base policy with ID \.
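Review bot: This hunk removes `[-ResetPolicyID]` from the Set-CIPolicyIdInfo line and also deletes the note explaining that it reverts a supplemental policy to a base policy with a new random GUID, so the page no longer documents that behaviour anywhere in the visible text. If the switch is still supported, keep the note or move it. The new line also shows `-PolicyId` and `-PolicyName` without brackets and without values, which makes them look mandatory and leaves the command unrunnable; add placeholders, and clarify whether a reader creating a supplemental policy should be setting `-PolicyId` by hand at all.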